cybNg.com

DVWA file upload


A website that accepts any uploaded file can be completely compromised.


What is a file upload attack

A file upload attack is considered a very dangerous kind of attack. The attacker uploads a malicious file (such as a payload, shell or PHP file that executes whatever the attacker wants) and gains full control of the website; even the cPanel can be controlled.

💡 With this method, a website can be completely defaced, or a company's entire website ruined.

Security Low

First example: upload an HTML script file

  1. First, create an HTML file that contains a JavaScript alert.
  2. Then upload this HTML file; at Low security it is accepted without any checks.
  3. The most important step is to find the location where the file was stored. If you cannot find the file's location after uploading, you will not be able to go any further.
<!--Example HTML code file which contains JavaScript alert-->
<html>
<head></head>
<body>
<script type="text/javascript">
alert("website hacked");
</script>
</body>
</html>


Save this file as hack.html


After saving the HTML file, upload it

The location can be seen here after the file is uploaded

Now open the uploaded file location



Security Medium

Required tool: Burp Suite

  1. First open Burp Suite and turn on intercept.
  2. Now create an HTML file that contains a JavaScript alert and save it with a name like filename.php.jpg
  3. Now click on upload and switch to Burp Suite.
  4. Now follow this example
//My file is saved on the local server under the name index.html 192.168.43.170/test/index.html
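
Both exercises work because the server either skips validation (Low) or bases its decision on fields the client controls and can rewrite in Burp Suite (Medium). The following is an added example, not part of the original page or of DVWA: a server-side check, shown in Python, that ignores the client's file name and declared type, inspects the content itself, and stores the file under a server-chosen name. The function names, the accepted types and the sample uploads are constructed assumptions.

```python
import secrets

# Magic-byte signatures for the only content types this handler accepts.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}


def sniff_image_type(data: bytes):
    """Return 'jpg' or 'png' if the content starts with a known signature."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def safe_stored_name(client_name: str, client_type: str, data: bytes) -> str:
    """Validate an upload and return the server-chosen name to store it under."""
    # client_name and client_type arrive in the request and can be rewritten
    # in an intercepting proxy, so neither takes part in the decision.
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError(f"rejected {client_name!r}: content is not JPEG/PNG")
    # A random name discards 'hack.html', 'filename.php.jpg' and similar.
    return f"{secrets.token_hex(16)}.{ext}"


def check_samples():
    """Run the handler over constructed uploads; None means rejected."""
    html = b'<html><body><script>alert("x");</script></body></html>'
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed, header only
    samples = {
        "low: hack.html": ("hack.html", "text/html", html),
        "medium: filename.php.jpg": ("filename.php.jpg", "image/jpeg", html),
        "legit: photo.png": ("photo.png", "image/png", png),
    }
    results = {}
    for label, args in samples.items():
        try:
            results[label] = safe_stored_name(*args)
        except ValueError:
            results[label] = None
    return results


if __name__ == "__main__":
    for label, stored in check_samples().items():
        print(f"{label:26} -> {stored or 'REJECTED'}")
```

A signature check alone does not stop a file that is a valid image with script content appended, so the upload directory should also be configured so that the server never executes its contents or serves them as HTML.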
