Remote Code Execution (RCE) via File Upload

General Requirements for Remote Code Execution Reports


  • Provide full demonstration of commands or code execution and its output when possible.

  • Demonstrate various commands (ping, nslookup, wget, dir, ls, etc.) if possible.

  • DNS/HTTP callbacks should try to include a system environment variable in the callback address to prove proper code execution.

  • Videos are highly recommended as hosts/targets may become unavailable.


Template Contents


Title:

Remote Code Execution at {URL or HOST IP} via File Upload


Description:

The application or host at {URL or HOST IP} was determined to be vulnerable to Remote Code Execution (RCE) via a file upload vulnerability. A {authenticated or unauthenticated} user is able to upload a file to execute arbitrary code on the underlying operating system. The following report will outline this attack.


Impact:

The following are some common impacts of this attack:

  • An attacker who is able to exploit such a flaw is usually able to execute commands with the privileges of the application on the web server.

  • Remote Code Execution can lead to a full compromise of the vulnerable web application/host, thus affecting the confidentiality and integrity of the data stored.


The following methods can be used to remediate this issue:

  • Limit file formats that users can upload.

  • Check the file extension against a whitelist of permitted extensions.

  • Do not upload files to the server's permanent filesystem until they have been fully validated by antivirus.

  • Never accept a filename and its extension directly without having a whitelist filter.

  • The uploaded directory should not have any "execute" permissions.

For additional information see: Unrestricted File Upload | OWASP Foundation

