Introduction to File Upload Attack with Alibaba Cloud

Overview

Websites commonly provide a file upload feature. At the same time, file upload is one of the classic attack vectors in cyber security. We need to take care of our system so that our customers feel satisfied and secure when using our applications.

On this page we give an introduction to file upload attacks, using Alibaba Cloud resources for the lab environment.

Prerequisites

  1. ECS

Implementation

We only need one ECS instance.

Name         EIP
server-ecs   47.88.52.172

It hosts a simple website with a few menu items. Of these, we only need to focus on “Upload Picture”.

Experiment 1

We upload a legitimate image as a sample.

And our image loads. Hmm? Looks suspicious.

Let’s try another experiment.

Experiment 2

We try a simple .php file named server.php:

<?php phpinfo(); ?>

And let’s try to upload it.

In this experiment, the result is that it is possible to see the PHP version and other server information. It looks very vulnerable.

Experiment 3

In the last experiment, we will use a backdoor.

We will upload a webshell. Does it work or not? Let’s try!

We will use b374k as webshell.

It shows that this “file upload” feature can be critical, because the webshell can browse all directories, including configuration files, source code, etc.

The suggestion is to filter uploads by file extension, among other checks.
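As an added example (not code from the original post or from the lab site), here is the naive "save whatever the client sent" upload handler that the three experiments above exploit, next to a hardened version for a PHP site. The form field name "picture", the storage directory and the image allowlist are assumptions for illustration. The extension filter is only the first layer: the hardened code also sniffs the real content type, checks that the bytes parse as an image, and stores the file under a random server-chosen name outside the web root, so a file that slips through is never executed by the web server.

```php
<?php
declare(strict_types=1);

// Naive handler (the vulnerable pattern): trusts the client-supplied name,
// so server.php or a webshell lands in a web-served directory as-is.
function save_upload_naive(string $clientName, string $tmpPath, string $webroot): string
{
    $dest = $webroot . '/uploads/' . $clientName;
    move_uploaded_file($tmpPath, $dest);
    return $dest;
}

// Hardened validation. Returns null when the file is acceptable, or a reason string.
function validate_image_upload(string $clientName, string $tmpPath, int $size, int $maxBytes = 2000000): ?string
{
    if ($size <= 0 || $size > $maxBytes) {
        return 'file size out of range';
    }
    // Allowlist on the final extension only, lower-cased. "shell.php.gif" has
    // extension "gif" here; the content checks below are what reject its body.
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return "extension '$ext' not allowed";
    }
    // Never trust $_FILES['type'] (client-controlled); sniff the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    if ($mime !== $allowed[$ext]) {
        return "content type $mime does not match extension";
    }
    // getimagesize() parses the image header; a PHP script fails this check.
    if (@getimagesize($tmpPath) === false) {
        return 'not a parseable image';
    }
    return null;
}

// Store under a random name (client name discarded) in a directory the web
// server does not serve and where PHP is not executed (assumed $storageDir).
function store_image_upload(string $clientName, string $tmpPath, string $storageDir): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

// Web entry point for the assumed form field "picture".
function handle_request(string $storageDir): void
{
    if (!isset($_FILES['picture']) || $_FILES['picture']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('upload failed');
    }
    $f = $_FILES['picture'];
    $err = validate_image_upload($f['name'], $f['tmp_name'], (int) $f['size']);
    if ($err !== null) {
        http_response_code(400);
        exit('rejected: ' . $err);
    }
    echo 'stored as ' . basename(store_image_upload($f['name'], $f['tmp_name'], $storageDir));
}

// CLI demo with constructed inputs: a 1x1 transparent GIF, the phpinfo() file
// from Experiment 2, and a double-extension variant of it.
if (PHP_SAPI === 'cli') {
    $samples = [
        'photo.gif'     => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
        'server.php'    => "<?php phpinfo(); ?>",
        'shell.php.gif' => "<?php phpinfo(); ?>",
    ];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        printf("%-14s %s\n", $name, validate_image_upload($name, $tmp, strlen($bytes)) ?? 'accepted');
        unlink($tmp);
    }
}
```

Run with `php upload.php` (file name assumed) to see the demo: only photo.gif is accepted, server.php is rejected on extension, and shell.php.gif passes the extension allowlist but is rejected because its bytes are not image/gif. Pair the code with web-server configuration that denies script execution in the storage directory; validation alone is not a substitute for that.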

Reference

Labex.io

Published by boy.suganda

My name is Boy Suganda Sinaga. I worked as Site Reliability Engineer (SRE) at Shipper Indonesia. I'm still developing my skill, both hard-skill and soft-skill. Let's work together, to bring better future for others.
