File upload functionality is one of the most commonly implemented features in modern web applications, allowing users to upload images, documents, or other content as per the application/business requirements. However, if this functionality is not securely implemented, it can lead to severe security issues. In Damn Vulnerable Web Application (DVWA), the File Upload challenge at the low security level demonstrates how improper validation can allow attackers to upload malicious files and gain unauthorized access to the system.

At the low security level, DVWA does not implement any effective validation on uploaded files. There are no checks for file type, extension, MIME type, or content. This means an attacker can directly upload a malicious file, such as a PHP web shell, without any restrictions. Once uploaded, the file is stored in a web-accessible directory, making it easy to execute through the browser.

If you prefer a visual walkthrough, I've explained the entire challenge in this video, covering each step in detail — https://www.youtube.com/watch?v=NJixdFJq_Ac

To exploit this vulnerability, an attacker can create a simple PHP file containing malicious code, such as a command execution script. This file can then be uploaded through the application's upload functionality. After a successful upload, the application provides a path to the file, which can be accessed via the browser. Since the server processes PHP files, the attacker's code gets executed, potentially leading to full system compromise depending on server permissions.

Follow the steps below to reproduce the scenario:

1. Log in to DVWA and go to the challenge.
2. We will upload a simple backdoor file available in Kali and exploit it.
3. Browse to the file and upload it.
4. The file is uploaded successfully: ../../hackable/uploads/simple-backdoor.php succesfully uploaded!
5. To exploit it, go to the directory where the uploaded file is present.
6. Usage: http://target.com/simple-backdoor.php?cmd=whoami
7. Provide basic OS commands in the cmd field to check the exploit; we can even execute sensitive commands.

Challenge solved.

This vulnerability is a classic example of Unrestricted File Upload, which can lead to Remote Code Execution (RCE). In real-world scenarios, attackers often use this technique to upload web shells, backdoors, or even malware, enabling persistent access and further exploitation of the system.

To mitigate such vulnerabilities, developers must enforce strict validation mechanisms. This includes validating file extensions against an allowlist, verifying MIME types, renaming uploaded files, storing them outside the web root, and disabling execution permissions in upload directories.
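The handler below is an added example, not DVWA's code and not part of the original walkthrough, showing the mitigations listed above applied together in PHP (the language DVWA is written in). The storage path, size limit, allowed image types and the form field name `uploaded` are assumptions.

```php
<?php
// Added example: hardened upload handler. Path, limit, types and field name are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads';  // assumed directory outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;          // assumed 2 MiB size limit
// Allowlist: extension => MIME type the file content must be detected as
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only accept a temp file that PHP itself created for this request
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Invalid or oversized upload');
    }
    // Extension check against the allowlist (a .php name stops here)
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File extension not allowed');
    }
    // MIME type is read from the content; $_FILES[...]['type'] is client-supplied
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match its extension');
    }
    // Rename: the client's filename never becomes part of the stored path
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);  // readable data only, no execute bit
    return $name;        // return the stored name, not a browsable path
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['uploaded'])) {
    try {
        $stored = store_upload($_FILES['uploaded']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

Because the files live outside the web root, they have to be served back through a script that reads them as data, so the web server never hands them to the PHP interpreter.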

In conclusion, the DVWA File Upload (Low Security) challenge highlights the importance of secure file handling practices. While this implementation is intentionally vulnerable for learning purposes, it serves as a critical reminder that improper validation can lead to severe consequences if replicated in real-world applications.