What is File Upload Lab and How to Set Up the Damn Vulnerable File Upload Lab?

File upload vulnerabilities occur when an application allows a user to upload a file, such as a picture or a document, to a server. If the application does not correctly validate the file, an attacker may be able to upload a malicious file that could compromise the server's security. This can allow the attacker to execute arbitrary code on the server, or to access sensitive information stored on the server.

Several types of attacks can be used to exploit file upload vulnerabilities. For example, an attacker may try to upload a file that contains malicious code, such as a PHP script or an executable file. The attacker could then access the file from the server and execute the code, potentially gaining access to sensitive data or taking control of the server.

Another type of attack that can be used to exploit file upload vulnerabilities is called "cross-site scripting" (XSS). This type of attack involves injecting malicious code into a website, which is then executed by the victim's web browser. If a user is tricked into uploading a file that contains XSS code, the code could be executed on the server and potentially compromise the security of the system.
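The paragraphs above describe what goes wrong when an upload is not validated; the following is an added example (not code from this post or from the DVFU lab) of the server-side checks whose absence those attacks depend on: a filename and extension allowlist checked against every dotted segment, a magic-byte check of the real content instead of the client-sent Content-Type, and a random server-chosen storage name. The allowlist, size limit and magic-byte table are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed allowlist: only these extensions are accepted, and each must match
# the file's real leading bytes. php, phtml, html, svg, htaccess ... are absent.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 2 * 1024 * 1024  # constructed size limit for the example


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason-or-extension). The client's Content-Type is ignored."""
    # Neutralise path traversal: keep only the last path component.
    base = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in base or base in ("", ".", ".."):
        return False, "bad filename"
    parts = base.lower().split(".")          # case-folded: .PHP and .pHp are the same
    if len(parts) < 2 or any(p == "" for p in parts):
        return False, "missing or empty extension"   # also rejects .htaccess
    exts = parts[1:]
    # Every dotted segment is checked, so shell.php.jpg and shell.jpg.php are both refused.
    if any(e not in ALLOWED for e in exts):
        return False, "extension not allowed"
    if len(content) == 0 or len(content) > MAX_BYTES:
        return False, "bad size"
    if not any(content.startswith(m) for m in ALLOWED[exts[-1]]):
        return False, "content does not match extension"
    return True, exts[-1]


def storage_name(ext: str) -> str:
    """Random, server-chosen name: the uploader never controls the stored path."""
    return f"{secrets.token_hex(16)}.{ext}"
```

A magic-byte check is not an image parser, so a valid image can still carry script text in its body or metadata; the extension allowlist and the random name are what keep such a file from ever being handed to the PHP interpreter, and storing uploads outside the document root removes that path entirely.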


Set up DVFU

Let's go straight to demonstrating file upload vulnerabilities using the Damn Vulnerable File Upload Lab web application. Damn Vulnerable File Upload Lab is designed for practising file upload vulnerabilities. Before getting started, our first priority is to set up this web application on our local machine.

Follow the steps below to set up the server:

1. To set up the File Upload Lab web application, we first have to clone it from GitHub.

┌──(kali㉿kali)-[~]
└─$ git clone https://github.com/LunaM00n/File-Upload-Lab.git
Cloning into 'File-Upload-Lab'...
remote: Enumerating objects: 182, done.
remote: Counting objects: 100% (15/15), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 182 (delta 13), reused 13 (delta 13), pack-reused 167
Receiving objects: 100% (182/182), 895.80 KiB | 202.00 KiB/s, done.
Resolving deltas: 100% (74/74), done.
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$

2. Now, we will have to copy the DVFU directory to the web directory. 

┌──(kali㉿kali)-[~]
└─$ ls                        # To List Files and Directories
Desktop  Documents  Downloads  File-Upload-Lab  Music  Pictures  Public  Templates  Videos
                                                                                                                               
┌──(kali㉿kali)-[~]
└─$ cd File-Upload-Lab        # Change The Directories to File Upload Lab 
                                                                                                                               
┌──(kali㉿kali)-[~/File-Upload-Lab]
└─$ ls                       # To List Files and Directories
 DVFU  'File Upload Attack.pdf'   README.md   tester.php
                                                                                                                               
┌──(kali㉿kali)-[~/File-Upload-Lab]
└─$ sudo cp -r DVFU /var/www/html        # Copy the DVFU directories to web Directories
[sudo] password for kali: 
                                                                                                                               
┌──(kali㉿kali)-[~/File-Upload-Lab]
└─$ cd /var/www/html                    # Change the Directories to Web Directories
                                                                                                                               
┌──(kali㉿kali)-[/var/www/html]
└─$ ls -al                    # List the Files and directories
total 28
drwxr-xr-x 3 root root  4096 Jan  9 10:45 .
drwxr-xr-x 3 kali kali  4096 Aug  8 06:05 ..
drwxr-xr-x 5 root root  4096 Jan  9 10:45 DVFU
-rw-r--r-- 1 root root 10701 Aug  8 06:09 index.html
                                                                                                                               
┌──(kali㉿kali)-[/var/www/html]
└─$ sudo chmod -R 777 DVFU        # Make DVFU world-readable, -writable and -executable so Apache's www-data user can write uploads (lab-only convenience; only the upload directory actually needs to be writable)
                                                                                                                               
┌──(kali㉿kali)-[/var/www/html]
└─$

3. Now, let's start the apache2 service.

┌──(kali㉿kali)-[/var/www/html]
└─$ sudo service apache2 start

4. Once the Apache2 service starts, we can easily access the web application through any browser.

Once the page loads, we are presented with several levels, each consisting of an HTML form that asks us to upload a file.
