
Unrestricted File Upload Vulnerability

Many web applications offer an option to upload files to the web server, be it images, PDFs, text files, etc. If these uploads are not handled correctly, the files can become a threat to the web server. An attacker could send a form-data POST request with a crafted filename or Multipurpose Internet Mail Extensions (MIME) type and cause Arbitrary Code Execution (ACE).

The first step in many attacks is to get some code onto the system being attacked. The exploiter then only needs to find a way to get that code executed. A file upload helps the attacker accomplish the first step. This vulnerability is mostly exploited using ASP, ASPX, CFM, JSP, Perl or PHP files. The severity of the attack can range from gaining a reverse shell to complete system takeover.

Ways to prevent it:

The web application should:

  1. check for threatening file extensions like .asp, .php, etc. before storing the file on the server.
  2. check for files with double extensions, e.g. apple.png.php.
  3. rename files before storing them on the server.
  4. change the permissions on the upload folder so the files within it are not executable.
  5. check for files without a name, like .htaccess.
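As an added example (not code from this repository), the following Python upload validator implements the five checks above and goes one step further: instead of a deny-list of "threatening" extensions it uses an allow-list of extensions the application actually needs, and it also checks that the file content starts with the magic bytes expected for that extension. The allow-list, the executable-extension set and the sample file names are constructed for this example.

```python
import os
import secrets

# Constructed allow-list for this example: extension -> magic bytes the file
# content must start with. Anything not listed is rejected (an allow-list,
# not a deny-list of "bad" extensions, which variants like .phtml slip past).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
# Extensions a web server may execute or read as configuration. Used only to
# catch double extensions such as apple.png.php or shell.php.png (check 2).
EXECUTABLE = {"php", "phtml", "php3", "php5", "asp", "aspx", "jsp", "cfm",
              "pl", "cgi", "htaccess"}

def validate_upload(filename: str, data: bytes) -> str:
    """Apply checks 1, 2 and 5 from the list above plus a content check.
    Returns a new random server-side name (check 3) or raises ValueError."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    if not base or base.startswith("."):
        raise ValueError("empty or hidden file name")       # e.g. .htaccess
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError("no extension")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} not allowed")   # apple.png.php
    if any(p in EXECUTABLE for p in parts[1:-1]):
        raise ValueError("double extension")                 # shell.php.png
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Never reuse the client's name: a random name avoids path tricks and
    # name collisions, and the original name never reaches the filesystem.
    return f"{secrets.token_hex(16)}.{ext}"

def save_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Store the validated file without the execute bit (check 4)."""
    new_name = validate_upload(filename, data)
    os.makedirs(upload_dir, mode=0o755, exist_ok=True)
    path = os.path.join(upload_dir, new_name)
    # O_EXCL: fail instead of overwriting; 0o644: readable, not executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path
```

Removing the execute bit only helps against binaries and CGI scripts; for interpreted files such as PHP the upload directory must additionally be configured so the web server never hands its contents to an interpreter.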

Let's try it!

OK, now let's make this article a little more interesting! What about exploiting a file upload vulnerability?

To follow along with the article, make sure you have the OWASP Broken Web Applications project set up. (In case you don't have it, this guide can help you.)

  1. Make sure the OWASP BWA is running, then head over to its web page. Then click the encircled link to go to the Bricks web page.

  2. After that, click the encircled option under the 'Bricks' menu.

  3. Click the first option to proceed to the file upload page.

  4. Now we can easily upload our code to the web server.
    We will be uploading a PHP file, php-backdoor.php (present in the repository), to obtain a webshell on the server. This file is taken from Kali Linux and can be found in the /usr/share/webshells/php folder. You can also use the other scripts present there, but for the sake of this article let's just stick to php-backdoor.php.

    Now, using the choose-file option, upload the php-backdoor.php file to the web app.

  5. Click on 'here' in the success prompt and you will be directed to the webshell.

  6. It's all yours now! You just gained access to a web server without much pain. Try playing around a little: type 'ls' in the execute-command textbox and click the go button.

  7. You will see that it only shows our file php-backdoor.php in the output. That's because we are using OWASP BWA, which is purposely meant for hackers to practise on and so doesn't contain any data, but who knows what you might find in some other web app. :P

Please try this on your personal devices only. It's not good practice to hack others' property :)
