A Practical Intro to PHP Injections

Upload Vulnerability



This course builds upon our bWAPP app to run you through how to carry out PHP Injections as well as look at upload vulnerabilities.


Hi. Within this lecture, we're going to continue working on PHP Injections. In fact, in this lecture, we're not going to inject PHP code. We're going to search for the upload vulnerabilities, file upload vulnerabilities, but eventually it will lead us to run PHP code on the server, so that's why they are grouped together. So, come over here to our menu and this time we're going to find unrestricted file upload. So, here you go, this one. Unrestricted file uploads. I believe it's under other bugs or something like that.

So, as you can see, it's just a file upload server or file upload service, not server. We're uploading something to the server, and we generally see that kind of stuff when we try to upload an image, or a PDF, or any document on any website. So, if they do some kind of filtering and try to limit the way that we upload our stuff, like maybe they limit it to only jpeg or png files because we're trying to upload images, then it's good. But sometimes it can just be flawed and we can upload something like a PHP file, for example.

So, as usual, I'm going to find the Metallica image. I'm going to upload it. Just find one or just find any image that you want. I'm going to see if this uploading thing actually works or not. So, I'm going to save this. So, this is a jpg, and I'm going to come over here and come to downloads, and let's find the Metallica that we have downloaded. Here we go. Now, I'm going to say 'Open' and I'm going to say 'Upload'. Here we go. It says that this image has been uploaded. We can see it's uploaded in the images folder. So, it's a good way to find the files or folders after we uploaded as well. So, we know where it's going to be uploaded. It's under the images. So, so far so great.

Now what I want to test for is if I can actually upload anything I want, like a PHP code. So, if I can make the server run that PHP code, then I can hack into that website. So, it can get very malicious.
So, if you write weevely in your own Kali Linux, then you can see there is a tool called weevely, and it's used to create PHP files, and actually its PHP payloads. It creates a PHP file; when it's executed, it sends a connection back to us, and it actually spawns a shell. So, what we have done with the netcat, it does it automatically for us. So, it's a very good tool. It's a very good tool to create PHP files and test what we are about to test. And it's fairly easy to use as well. As you can see, we just give a URL and password, and then, first of all, we generate the file with a password, and then we try to listen for incoming connections. Just don't forget what password you give because that's how you reach your connection.

So, let me show you what I mean. I'm going to go into the documents. I'm going to run this weevely generate. You're going to have to give a password over here. I'm just going to say 'my'. No, this is not going to be my password; my password is going to be 123456. And my file name will be myweevely.php. So, as you can see, it generated the file in the documents and it has the password of 123456. So, if I say 'ls' I can see the 'myweevely.php' file over here. So, I'm going to try and upload this.

So, if I say 'cat myweevely.php', by the way, you can see the code that has been implemented over here, and it's going to be executed on the server if we can make it. And if you know about PHP then it will make sense to you. If you don't know about PHP, then it won't make any sense. Just know that it's trying to open a connection. As you can see, there are for loops over here, but it's encrypted as well so that it won't get recognized as a shell in the website. And it tries to open a connection back to us, and we can actually listen to that connection by using weevely again. So, let me show you how it's done. So, as you can see, we have seen this URL and password thing over here. We're going to use this actually. So, how do we use it? What's the URL and what is the password?
Password is 123456. So, URL is where we have uploaded this. So, let me show you what I mean. If I open this 'myweevely.php', if I choose this and if I say 'Upload', then this will be uploaded over here. So, it actually shows us the location of that file as well. But we can try to gather it from some dirbuster or maybe Burp Suite. So, it's under 'images/myweevely.php', I know that. So, if I hit 'Enter' over there it should actually run that file and send me back the connection.

So, if I just come over here and write the URL, and write my password like this. Here we go, I'm inside of the web server apparently. Let me just run 'whoami', and here you go, 'www-data'. So, I hacked into the server. If I run 'ls' I can see all the files under the images folder. Great, so it's working. So, we managed to hack in, and these are not the files that are on Kali Linux. These are actually the files of the website, where you can browse around with 'cd ..' and 'ls', and you can try to upload or download stuff from here as well. But again, there is no reason for us to do that. If we hack into the server then that's it, we can submit it.

So, here you go, the unrestricted file upload, but it's not always this easy to upload PHP files. So, you can actually find a lot of HTML injections and other injections in websites in real life, but it's a little bit easy for this to be real. So, you cannot actually upload any PHP files, unless it's configured in a very poor manner.

So, I'm going to increase the security level to medium and show you something. So, if I try to upload this 'myweevely.php' right now, as you can see, it says that this file extension is not allowed. So, this happens in real life all the time, because as you can see they try to block something like asp, aspx, php, jsp, exe. So, these are all the files that can be run on the server, so that they can lead to some malicious code. So, rather than that, maybe we can try to change the extension and try to make it work somehow.
For example, they blocked the PHP extension definitely. We couldn't upload it. So, maybe we can try to change it to php3, php4, php5. It can still be executed but it may bypass the filters. So, what I'm about to do, I'm going to copy this or change the extension of this in a way that it may lead us to a good bypass. So, I'm going to use this copy command, cp. So, I'm going to say 'myweevely.php' and copy this into the same server or into the same folder, and just write 'myweevely.php3'. If php3 doesn't work, you can try php4 or 5 as well. So, if I say 'ls' now I have a 'myweevely.php' file but I also have 'myweevely.php3'.

Right now let me try this and see if this works or not. So, this will block the php but maybe not php3. So, I'm going to come over here and try to upload this, and here you go. It's already uploaded for me. Now, if I take this link, and if I come over here and run the weevely code one more time with this URL. And of course, we have to specify the password as 123456. If I hit enter, it will again hack into the server. So, if I run 'pwd' I'm inside of this images folder. Here you go, 'whoami', 'www-data'.

So, as you can see, the real life scenarios or the security hardening things sometimes can be easy to bypass. And we're going to see a lot of examples about this as well. Not exactly about the file upload, but bypassing the filters, bypassing the firewalls, bypassing the security measures that can be in place. Of course, it can be 100% secure. I don't know if we go too hard, maybe we cannot do that. But, there might be some flaws as well. So, we may have to try for any kind of thing that we can think of at a scenario like this. We're going to do some much more different scenarios, and we're going to do much more different operations in other vulnerabilities as I said before. So, we're going to stop here and continue within the next section.
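
The filtering behaviour shown in the lecture, as an added example that is not part of the lecture or of bWAPP's own code: a blocklist of the extensions named in the error message, beside an allowlist that also checks the content and renames the file. The function names and sample bytes are assumptions, and the content check relies on PHP's bundled fileinfo extension.

```php
<?php
// Added example, not bWAPP's code. Function names are hypothetical.

// Blocklist of the kind described at the "medium" level: only the
// extensions it lists are rejected, everything else is accepted.
function blocklist_allows(string $name): bool
{
    $blocked = ['asp', 'aspx', 'php', 'jsp', 'exe'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: the extension must be a known image type AND the content
// must sniff as the matching MIME type. On success the file gets a
// server-generated name, so the client-supplied name never reaches disk.
function allowlist_stored_name(string $name, string $bytes): ?string
{
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                      // unknown extension: reject
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime !== $allowed[$ext]) {
        return null;                      // name and content disagree: reject
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: a minimal JPEG/JFIF header and a harmless PHP stub.
$jpeg = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00";
$php  = "<?php echo 1;";

$cases = [
    ['metallica.jpg',  $jpeg],
    ['myweevely.php',  $php],
    ['myweevely.php3', $php],
    ['photo.jpg',      $php],   // image name, non-image content
];
foreach ($cases as [$name, $bytes]) {
    $stored = allowlist_stored_name($name, $bytes);
    printf("%-15s blocklist=%-6s allowlist=%s\n", $name,
        blocklist_allows($name) ? 'accept' : 'reject',
        $stored === null ? 'reject' : "accept as $stored");
}
```

Run from the command line, the `.php3` copy passes the blocklist and is refused by the allowlist. Serving the upload directory with script execution disabled limits the damage if a file does slip through.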


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.