Level 1: Introducing File upload vulnerability

Level 1 applies no security restrictions to the upload form, which means we can upload malicious files. Let's visit the Level 1 section and see if we can upload and run our own PHP script on the backend. The upload handler for this level:

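     <?php
     // Level 1 handler: deliberately vulnerable, no checks on file name, type, or path
     $files = @$_FILES["files"];
     if ($files && $files["name"] != '') {
         // Destination is built from a client-supplied path plus the client-supplied file name
         $fullpath = $_REQUEST["path"] . $files["name"];
         if (move_uploaded_file($files['tmp_name'], $fullpath)) {
             echo "<a href='$fullpath'>uploaded image</a>";
         }
     }
     // Upload form
     echo '<form method=POST enctype="multipart/form-data" action="">
           <input type="file" name="files">
           <input type=submit value="Upload File"></form>';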

Let's create a simple PHP file containing the following code, which displays the PHP information.

     <?php phpinfo(); ?>

When a PHP interpreter runs this file, it calls phpinfo(), which prints the server's PHP configuration. We use it to check whether the uploaded PHP file is actually executed on the server side.

We get a successful upload message and path information for the file as well. Let's try to access the file to see if PHP code execution is possible on the server.

Look at that! Our PHP code ran on the server successfully. This payload was benign and only intended for testing. 
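
The Level 1 handler trusts both the client-supplied path and the client-supplied file name, which is why the script above executed. For contrast, here is a hardened version of the same handler, added as an example and not part of the lab's own code; `UPLOAD_DIR`, `MAX_BYTES`, the `ALLOWED` list and the function name `store_upload` are assumptions.

```php
<?php
// Added example: hardened counterpart to the Level 1 handler.
// Assumed values (not from the lab): UPLOAD_DIR, MAX_BYTES, ALLOWED.
const UPLOAD_DIR = '/var/www/upload-data/';   // assumed path outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;           // assumed 2 MiB limit
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    // Reject failed uploads and anything that did not arrive via HTTP POST upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Derive the type from the file content, not from the client-sent name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-generated name and server-chosen extension: the client controls neither
    // the directory (no $_REQUEST["path"]) nor the extension, so ".php" is never written.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['files'])) {
    try {
        // Encode output so the response cannot carry markup back to the browser.
        echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['files']), ENT_QUOTES);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

Content sniffing alone is not a complete control, so the storage directory should also be configured so the web server never passes its files to the PHP interpreter.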
