Code execution from downloaded files

I am doing a security audit on my friend's website. One functionality allows users to download files from html. The only check is to rename the file to the current timestamp.

I was wondering if there is a way to download a malicious file so that when the user navigates to the URL for that file, it executes the code (server side)?

I tried to load the hello-world PHP script, but it just displays the code instead of executing it. If the file extension were .php, it would be executed; however, there is no file extension (since the file was renamed).

EDIT: I have access to the full source code as part of a security audit. It would be better if I could solve this problem without using it, but if necessary I can answer any questions about the source code.

+4
5 answers

As far as I know, downloading a file and viewing it through the browser cannot execute it on the server side if the server is not configured to execute files without extensions. However, if there are other vulnerabilities such as Local File Inclusion, you can download and execute a PHP script.

You can read a little about attaching files here: Wiki on RFI (almost the same thing) and here the LFI Document and how it can be used

Whether you can execute the file or not depends on the server / site settings, so you will have to manually test whether you can execute the PHP script.

The only thing you can do in a file without an extension is, as you say, XSS itself, but only in older browsers (IE8 and below are vulnerable; most other browsers are not).

+1

Chorizo Security Scanner! may be of interest:

https://chorizo-scanner.com/

The solution was implemented by a company that conducts daytime consultations and PHP coding.

This is a paid service. One scan is free.

+1

Well, one thing that you will always put at risk is the ability to get malicious code on the server - regardless of whether they can execute it just by looking at the URL of a particular file, that is not all you have to think about.

If your code has a vulnerability in which you dynamically enable or open local files on the server, then you can simply turn on (now) the local malicious code that will be executed. This attack is currently being provided, even common for people trying to enable code on remote servers, but some settings are configured to prevent the inclusion of remote files that would stop these attacks. Such a configuration will leave you vulnerable anyway if the code is physically located on the machine and weakness is detected in your executable code.

It’s just a thought - I wouldn’t worry or panic too much about it, but I wouldn’t rule it out either.

0

In my opinion, many web products depend on reading files that are not actually running. The server will require certain permissions to execute the file.

The solution is, firstly, to verify that the downloaded file types are allowed. If you upload only images, you do not expect a .php script. But that does not stop me from creating bad.php and loading it as bad.jpg.

For example, I (on my Ubuntu box) downloaded a PHP file with 777 rights and was able to run it by typing `php hello.php`. Usually you do not include() in a file that someone uploaded, so I find most of the code is readable.

The Wikipedia page on file inclusion is a good start and includes a PHP example: https://en.wikipedia.org/wiki/File_inclusion_vulnerability

0
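The two points raised in the answers above (a dynamic include is what turns a stored file into server-side execution, and renaming bad.php to bad.jpg defeats a name-based check) can be looked for in the audited source as follows. This is an added example, not code from the question, the answers, or the audited site; `UPLOAD_DIR`, `PAGES`, `ALLOWED_MIME`, `resolvePage` and `storeUpload` are hypothetical names, and the storage path is an assumption.

```php
<?php
declare(strict_types=1);

// Hypothetical names and paths; adjust to the application being audited.
const UPLOAD_DIR   = '/var/app-data/uploads';  // assumption: outside the web root
const PAGES        = ['home' => 'home.php', 'about' => 'about.php'];
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

// Pattern to look for in the audit (shown for contrast only):
//   include $_GET['page'];
// include parses whatever file it is given as PHP, extension or not, so a
// stored upload becomes executable as soon as its path can reach this call.

// Hardened form: the request value only selects a key from a fixed map,
// so no request-controlled string ever becomes part of the included path.
function resolvePage(string $requested): string
{
    if (!array_key_exists($requested, PAGES)) {
        throw new InvalidArgumentException('unknown page');
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// Upload handling: take the type from the file's bytes rather than its name,
// and store it under a server-generated name where the web server never
// maps a URL to it and no handler will execute it.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_MIME)) {
        throw new RuntimeException('file type not allowed');
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // readable by the application, never executable
    return $name;
}
```

Content sniffing alone does not prove a file contains no PHP, since a valid image can still carry embedded code; the include allowlist and the non-executing storage location are what keep such a file inert.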

Download the file using javascript. There are many js vulnerabilities.

http://en.wikipedia.org/wiki/Cross-site_scripting

-2