In this blog, we are going to test Unrestricted File upload vulnerability on XVWA application with OWASP CRS && CWAF 1.128 (latest version) Ruleset.

Test Scenario

1. Test Unrestricted File Upload Vulnerability with OWASP CRS:

OWASP CRS block possible malicious files upload i.e .php files from getting compromised by .php shell, but still we are able to find little flaw in the OWASP CRS.

CRS Rule Analysis:

Rule ID: 933110
PHP support Extension: .php, .phtml, .php3, .php4, .php5, .php7, .phps
Regex Expression: .*\.(?:php\d*|phtml)\.*$

Test the Regex expression Here or on other online regex testing website. Try to understand how actually the regex detect the file extension .php?

  .  - Any character
  *  - Zero or more character
  \d - A digit [0-9]
  ?: - A non-capturing group

Regex Overview:

Regex pattern detects, if the user upload a file as .php or .php1 or .php2 or .php3 or .php4 or .php5 or .php7. But it failed to detect the .phps extension, because they never included the .phps in regex pattern to detected by OWASP CRS.

Anyway it not a bug :), even the file .phps was uploaded successfully in the server, it has no use, as default cofiguration on apache php5 or php7.conf in /etc/apache2/mods-available/ will denied the file with .phps to get executed on apache server.

Phase 1: We have successfully upload a .phps file on the server

Phase 2: Lets think little different scenario, if .htaccess has been enabled on this apache server. then it going to be a loop hole for us to get easily bypass OWASP CRS

Note: From the analysis of OWASP CRS, We foud that it does not have any rules to block uploading .htacess file.

So we need to create .htaccess file to allow .phps to execute as file type application/x-httpd-php (or) we can allow any file extension which is not be detected by the OWASP CRS can be execute as application/x-httpd-php. i.e .phps as .php (or) jpg as .php. Let created a .htaccess file to see how it works.

#.htaccess file to be uploaded on the vulnerable server <br/>
<FilesMatch ".+\.phps$"> <br/>
    SetHandler application/x-httpd-php<br/>
    Require all granted<br/>

once you have upload the .htacess file in the server, then let check the previously upoaded .phps file in the browser. .phps file will be sucessfully executed on server and we get phpinfo page. Finally we have bypassed OWASP CRS in uploading the .php shell

2. Testing Unrestricted File Upload Vulnerability with CWAF 1.128

When i am started testing with CWAF Rules, it does not take much time to bypass file upload restriction. Becuase when i am going through the CWAF rules, i understand they have no rules to block malicious file upload i.e .php file, which make us easily to upload any .php file on the server.

Important: CWAF failed to detect these following payload, which lead us to upload shell on the server.

  • .php, .phtml, .php3, .php4, .php5, .php7, .phps

Let try uploading the C99 or 404 error shell. Boom! We have upload 404 shell on the server and got acess to the internal server path


Finally we are able to bypass OWASP & CWAF ruleset and upload malicious file in the server.

Rules Comments
OWASP CRS Good and Hard to bypass, but still it possible depends upon the scenario like .htaccess enabled on the server && no rule to block .htaccess file upload.
CWAF 1.128 No rules to block malicious file upload, more rules should be updated to prevent the application from common OWASP Top 10 vulnerability. Rules should be deployed & tested in real time environment i.e testing rules on the vulnerable application

Note: OWASP CRS does not block uploading other flle extension like .exe, .py , .sh ..etc, it block only .php file upload. Because based on the application, .php shell upload has high impact on the server and application level. so regex was written in OWASP CRS to block only .php file upload

Demo Video