Help with File Upload Vulnerability

Dears,

I uploaded a weevely shell to the web server of the company that I’m working with, but the web application adds a random public ID to the name of the file. I discovered where the files are, but I don’t know the actual file name after it is uploaded. Is there any way to bypass the public ID?

Here, for example, the name of an image “online.jpg” after it is uploaded became “5f439cd08ddd4_online.jpg”. How can I bypass the ID added to it, instead of brute forcing, in order to get a reverse shell using weevely?

Many thanks in advance. :blush:

The website is probably storing the files after hashing the filename with some hashing algorithm, or maybe by adding random strings. You have to know what type of random thing they are adding and how. You cannot bypass that: whatever you upload, it will change the filename and save it.


Thanks Apurv, I managed to get the exact file name and location. It still replaces dots with underscores: the name of the backdoor is hackk.php.jpg and it replaces it with 5f44f428a585c_hackk_php.jpg. The site is vulnerable as it doesn’t replace the whole file with a safe one, it only changes its name. So is that enough security for it, or can the replacing function be bypassed?

If you can run the said PHP file, then the security is not enough. If the website has a function to check whether it is really an image file, then the security is good. In this case, changing only the name is not enough, as it still has the original filename in there. Also, even if it didn’t have the original file name, changing only the name is not enough.


Yes, it is the original file stored on the server, but only the name is changed. The only obstacle that prevents me from executing the backdoor is that the server replaces all the dots except for the last dot with underscores. Besides, it only uploads files with jpg or png extensions, so when I name the backdoor hackk.php or hack.txt it won’t be uploaded. However, if I name the file hackk.php.jpg it will be uploaded, but the issue here is that the dot before php in hack.php.jpg will be replaced with an underscore. I’m trying to figure out a way to bypass that security function just to prove to my employer that the server is vulnerable to file upload. I’m fully authorized to hack the server, and they only count on having full control and accessing customer data. So if there is a way to execute the file, please let me know.

I think converting the dots to underscores is a good practice for anyone who wants to stop the upload of any executable files. I can’t think of anything to bypass that, but there may be something you can find on the Internet.
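The thread describes three controls on the upload handler (a random prefix on the stored name, every dot but the last turned into an underscore, a jpg/png extension whitelist) and the second reply adds the one that actually decides the case: checking that the content really is an image. The block below is an added example, not code from the thread or from the site being tested, that implements all four together so the effect of each can be seen on constructed inputs; the prefix length, the `accept_upload` function and its return shape are assumptions, and the sample file bytes are constructed for the demonstration.

```python
import os
import secrets
from typing import Optional, Tuple

# Extensions the handler is willing to store (the thread's site allows jpg and png).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Leading bytes of the whitelisted image formats, used to check that the body
# matches the extension rather than trusting the name alone.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}


def sanitize_name(original: str, prefix: Optional[str] = None) -> str:
    """Mirror the renaming the thread describes: random hex prefix, extension
    whitelist, and every dot except the last replaced by an underscore."""
    base = os.path.basename(original)          # drop any directory components
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        raise ValueError("filename needs a stem and an extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension .{ext} not allowed")
    stem = stem.replace(".", "_")              # hackk.php.jpg -> hackk_php.jpg
    # Keep only a conservative character set in the stored stem.
    stem = "".join(c if c.isalnum() or c in "_-" else "_" for c in stem)
    if prefix is None:
        prefix = secrets.token_hex(7)          # assumed length; the site's own is unknown
    return f"{prefix}_{stem}.{ext}"


def content_matches_extension(data: bytes, ext: str) -> bool:
    """True when the body starts with the signature of the claimed image type."""
    return data.startswith(MAGIC[ext])


def accept_upload(original: str, data: bytes,
                  prefix: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, stored_name) on success or (False, reason) on rejection."""
    try:
        stored = sanitize_name(original, prefix)
    except ValueError as err:
        return False, str(err)
    ext = stored.rsplit(".", 1)[1]
    if not content_matches_extension(data, ext):
        return False, "content does not match image signature"
    # A cheap extra refusal: PHP open tags have no business inside an image body.
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded script tags"
    return True, stored


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    jpeg_body = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    php_body = b"<?php echo 'test'; ?>"
    print(accept_upload("online.jpg", jpeg_body, prefix="5f439cd08ddd4"))
    print(accept_upload("hackk.php.jpg", php_body, prefix="5f44f428a585c"))
    print(accept_upload("hackk.php", php_body))
```

Run stand-alone, the first call stores `5f439cd08ddd4_online.jpg`, the second is refused because the body is not a JPEG even though the renamed form would have been `5f44f428a585c_hackk_php.jpg`, and the third never reaches the content check because `.php` is not whitelisted. Renaming alone leaves the original bytes on disk, which is the weakness the thread identifies; the signature check closes the case discussed here, and serving uploads from a location where the web server never executes scripts is the control that holds even when a content check is fooled.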