Filename manipulation led to webshell upload!

Yashar
Published in InfoSec Write-ups
3 min read · Jan 9, 2023

Hello everyone!
I hope you’re all doing well. I wanted to share one of my recent discoveries regarding a web application’s API.

About the Application:

The web application I was testing is hosted on a Linux server. It receives and processes files through an API endpoint, “/files/input”.
When a user submits a file to this endpoint, the application saves it in a temporary directory on the server and assigns the file a unique GUID.

Sending file to API: “/files/input”

This GUID is used to track the file’s processing status through another API, “/files/status/{guid}”.

During my testing, I made an interesting observation. When I supplied my file’s GUID to the “/files/status/{guid}” API to check its processing status, the server returned the exact path of my file on the server. This information proved valuable, as it allowed me, just as it would an attacker, to pinpoint precisely where my file was stored on the server.

Retrieving the location of the File on the server

Interestingly, there were no restrictions on uploading HTML files to the server, so I could upload a webshell with ease. However, I encountered a roadblock: I couldn’t reach my web shell from a browser. The temporary directory had restrictive permissions and was scheduled for deletion once processing finished.

In response, I formulated a plan to upload my web shell to a different path, one that was reachable from outside and would not be deleted. After some investigation, I discovered the path to the site’s main page. To make the shell reachable externally, I concluded that placing it in the main page’s directory was the way to go.

To execute this plan, I modified the HTTP request sent to the server. Specifically, I altered the “filename” parameter in the Content-Disposition header of the multipart body:

Original:

Content-Disposition: form-data; name="file"; filename="webshell.html"
Content-Type: text/html

Modified:

Content-Disposition: form-data; name="file"; filename="../../../opt/main/site/webshell.html"
Content-Type: text/html

It’s important to note that “../../../” means moving three directories upward from the current location (the temporary directory) to the root of the filesystem. This Linux path syntax allowed me to write the web shell into the main page’s directory, “/opt/main/site”.

The Outcome: After this change, the web shell was uploaded successfully and was reachable from outside the server:

Web Shell

Conclusion and Responsibility: I stopped my exploration at this point and promptly reported the vulnerability. It’s crucial to recognize that letting an attacker write files to paths of their choosing can have severe consequences, as the web shell above shows.

This vulnerability has several contributing factors, the most prominent being insecure code and a lack of input sanitization. Presumably a server-side function accepts the filename string from the request and uses it as a filesystem path without validating its contents.
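The two points above, how the unsanitized “filename” parameter becomes a write outside the temporary directory and how the status endpoint leaks the on-disk path, are easier to see in code. The following is an added example written for this write-up, not code from the tested application or its author: the upload directory “/var/tmp/uploads”, the allowed extensions and the sample headers are constructed for illustration. It parses the Content-Disposition header the way a server would, shows the vulnerable join that resolves the author’s “../../../” filename to “/opt/main/site/webshell.html”, and then a hardened version that discards every client-supplied path component, whitelists the extension, stores the file under a server-generated GUID and refuses any target that resolves outside the upload directory. A status response that omits the path is included for the information leak.

```python
"""Added example (not the write-up's code): path traversal through the multipart
filename parameter, beside a hardened upload handler. Directory, extension list
and sample headers below are constructed for this example."""
import os
import re
import uuid
from email.message import Message

UPLOAD_DIR = "/var/tmp/uploads"          # constructed; the post does not name the temp dir
ALLOWED_EXTS = {"pdf", "csv", "txt"}     # assumption: the API needs data files, not HTML


def filename_from_content_disposition(header_value):
    """Return the filename parameter exactly as a server-side parser sees it (unquoted)."""
    msg = Message()
    msg["Content-Disposition"] = header_value
    return msg.get_filename()


def unsafe_target_path(upload_dir, filename):
    """Vulnerable pattern described in the post: the client string is joined as-is,
    so each '../' component walks one directory out of upload_dir."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def is_within(base_dir, candidate):
    """True only if candidate resolves to a location inside base_dir (symlinks followed)."""
    base = os.path.realpath(base_dir)
    cand = os.path.realpath(candidate)
    return os.path.commonpath([base, cand]) == base


def safe_target_path(upload_dir, filename, guid=None):
    """Hardened version: ignore every path component the client sent, keep only a
    whitelisted extension, and name the stored file after a server-generated GUID."""
    # Keep the last component only, whether the client used '/' or '\' as separator.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in base or base in ("", ".", ".."):
        raise ValueError("invalid filename")
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if not re.fullmatch(r"[a-z0-9]{1,8}", ext) or ext not in ALLOWED_EXTS:
        raise ValueError(f"extension not allowed: {ext!r}")
    stored = f"{guid or uuid.uuid4()}.{ext}"
    target = os.path.join(upload_dir, stored)
    # Defence in depth: even with a generated name, never write outside upload_dir.
    if not is_within(upload_dir, target):
        raise ValueError("target escapes upload directory")
    return target


def public_status(record):
    """Response body for /files/status/{guid}: expose the processing state only,
    never the on-disk path that the post shows the server returning."""
    return {"guid": record["guid"], "state": record["state"]}


if __name__ == "__main__":
    header = 'form-data; name="file"; filename="../../../opt/main/site/webshell.html"'
    name = filename_from_content_disposition(header)
    print("vulnerable join ->", unsafe_target_path(UPLOAD_DIR, name))
    try:
        safe_target_path(UPLOAD_DIR, name)
    except ValueError as err:
        print("hardened join   -> rejected:", err)
    print("hardened join   ->", safe_target_path(UPLOAD_DIR, "report.pdf"))
```

With an upload directory three levels deep, the vulnerable join resolves the author’s filename to “/opt/main/site/webshell.html”, exactly the write the post describes. The hardened handler never consults the client string when choosing where to write; the extension whitelist and the containment check are independent layers, so a bug in one does not reopen the traversal.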

Thank you for your time, and I wish you all the best.

My Website: yashar.pro
My Twitter: yashar0x
My GitHub: yashar0x
