{"id":16130199,"url":"https://github.com/lambdacasserole/unrestricted-file-upload-exercise","last_synced_at":"2025-04-06T14:16:30.089Z","repository":{"id":207916672,"uuid":"712147443","full_name":"lambdacasserole/unrestricted-file-upload-exercise","owner":"lambdacasserole","description":"A deliberately vulnerable web application exhibiting an unrestricted file upload vulnerability.","archived":false,"fork":false,"pushed_at":"2024-04-13T19:09:10.000Z","size":816,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-12T20:19:32.599Z","etag":null,"topics":["cybersecurity","intentionally-vulnerable","lecture-material","resume","teaching","teaching-materials"],"latest_commit_sha":null,"homepage":"","language":"CSS","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/lambdacasserole.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-10-30T22:17:28.000Z","updated_at":"2023-11-18T11:22:07.000Z","dependencies_parsed_at":null,"dependency_job_id":"09426079-b2d0-481c-a683-0c5caa9606b7","html_url":"https://github.com/lambdacasserole/unrestricted-file-upload-exercise","commit_stats":null,"previous_names":["lambdacasserole/unrestricted-file-upload-exercise"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lambdacasserole%2Funrestricted-file-upload-exercise","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lambdacasserole%2Funrestricted-file-upload-exercise/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lambdacasserole%2Funrestricted-file-upload-exercise/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/lambdacasserole%2Funrestricted-file-upload-exercise/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/lambdacasserole","download_url":"https://codeload.github.com/lambdacasserole/unrestricted-file-upload-exercise/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247492546,"owners_count":20947545,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","intentionally-vulnerable","lecture-material","resume","teaching","teaching-materials"],"created_at":"2024-10-09T22:14:58.072Z","updated_at":"2025-04-06T14:16:30.061Z","avatar_url":"https://github.com/lambdacasserole.png","language":"CSS","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Unrestricted File Upload Exercise\n\nThis repository contains a deliberately vulnerable web application exhibiting an unrestricted file upload vulnerability.\n\n\u003e [!WARNING]\n\u003e Use these materials sensibly and legally please. Using any of the techniques discussed here against any website when you have not been granted explicit permission (in writing!) to do so is a serious criminal offence that will get you in trouble very quickly.\n\n## Purpose\n\n![Screenshot](screenshot.png)\n\nI use this as part of a practical activity in my seminars on cybersecurity for business students. It allows students to get hands-on in conducting a cyberattack aimed at defacing a website/exfiltrating data from it without leaving the browser.\n\n## Setup\n\n\u003e [!CAUTION]\n\u003e Do not deploy this intentionally vulnerable web application on any webserver unless you don't mind destroying it.\n\nThis project is designed to run on a LAMP stack.\n\nFirst, you'll need to install PHP dependencies for the victim service, which are managed by Composer. Do so like this:\n\n```bash\ncd victim-service\nwget https://getcomposer.org/composer.phar\nphp composer.phar install\n```\n\nOr, if you already have Composer installed:\n\n```bash\ncomposer install\n```\n\nNow, configure Apache to separately serve (under different subdomains, for example) the two folders under the root of this project (`/attacker-service` and `/victim-service`). Alternatively, to run the project locally, ensure that PHP 7.0+ is installed and run the following from either of the aforementioned folders:\n\n```bash\nphp -S localhost:8080\n```\n\nYou'll then be able to access the relevant web application at:\n\n```\nhttp://localhost:8080\n```\n\n### Deployment\n\nIf you want to add this application to your vhosts, config files are included in the `/vhosts` folder to get you started.\n\nRename these, update them with your server names/document roots and copy them to `/etc/apache2/sites-available`. Activate them with `a2ensite` and run `letsencrypt` or similar to configure HTTPS automatically.\n\n## Usage\n\nFollow this workflow to conduct the cyberattack on the web application:\n\n1. First, visit the attacker service.\n2. You should see 3 files here. Download the file `test.jpeg` to your computer in your downloads folder.\n3. Now, upload this file to the web application via the file upload box and click \"Submit CV!\"\n4. Browse to `/uploads/test.jpeg` and you should see your file. Now you know where files are stored once they are uploaded.\n5. Next, go back to the attacker service and download `testvuln.php.txt` to your computer.\n6. Rename this file by removing the `.txt` extension, leaving just `testvuln.php`.\n7. Now, upload this to the site as you did with the image in step 3.\n8. Now browse to `/uploads/testvuln.php`. You'll see the web server spitting out a bunch of information about itself. This means that you are able to upload and execute PHP code on the web server.\n9. Now, repeat steps 5-7 with `shell.php.txt`, available from the attacker service.\n10. Now, carefully enter the following in your browser address bar after the domain: `/uploads/shell.php?cmd=cat /etc/passwd`\n11. You should see that you've executed a command to steal information about users on the server.\n12. Finally, carefully enter the following in your browser address bar after the domain: `/uploads/shell.php?cmd=echo Hacked! \u003e ../index.php`\n13. You should now see that the vulnerable web application shows the message `Hacked!`, and the web application is no longer available.\n\n### Patching the Application\n\nIn case the audience is more technical, you may want to show how to patch the vulnerabilities in the application.\n\nTo do so, perform a project-wide search for `TODO` to find each code change that needs to be made. Patched code is included as comments.\n\nApache will need to be reconfigured to disallow the download of files in `/uploads`. Do this by renaming `.htaccess.patch` (under `/victim-service/uploads`) to `.htaccess`. Ensure that your Apache installation [allows .htaccess overrides](https://httpd.apache.org/docs/2.4/howto/htaccess.html) in the web root directory.\n\n## Acknowledgements\n\nThe following libraries are used by the project frontend, but are included from CDNs (i.e. not dependency-managed) for ease of deploying the project and resetting it for the next group of students. This means you'll need internet connectivity to run the project properly (even on local):\n\n* [jQuery v3.5.1](https://jquery.com)\n* [jQuery UI Easing v1.4.1](https://jqueryui.com/easing/)\n* [Bootstrap v4.5.0](https://getbootstrap.com/docs/4.0/getting-started/introduction/)\n* [FontAwesome v5.13.0](https://fontawesome.com/v5/search)\n\nFonts used include:\n\n* [Saira Extra Condensed](https://fonts.google.com/specimen/Saira+Extra+Condensed)\n* [Mulish](https://fonts.google.com/specimen/Mulish)\n\nThe frontend for this project is based on the [StartBootstrap Resume Template](https://startbootstrap.com/theme/resume).\n\n## Copyright and License\n\nCopyright 2023 Saul Johnson. Code released under the [MIT](https://github.com/StartBootstrap/startbootstrap-blog-post/blob/gh-pages/LICENSE) license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flambdacasserole%2Funrestricted-file-upload-exercise","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flambdacasserole%2Funrestricted-file-upload-exercise","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flambdacasserole%2Funrestricted-file-upload-exercise/lists"}