This project explores file upload vulnerabilities leading to webshell execution, analyzing their potential impacts and proposing mitigation strategies through real-world testing.
- Goal: Identify risks associated with improper file upload handling and verify potential server compromises.
- Scope: Focus on webshell upload, server file extraction, MIME type handling, and mitigation via server configuration.
⚠️ Note
This project was conducted on a temporary GCP instance created solely for testing purposes.
The server and associated IP address have been deleted, and external access is no longer possible.
Test environment:
- Cloud Platform: Google Cloud Platform (GCP)
- OS: Ubuntu 24.04 (via WSL)
- Web Server: Apache2 + PHP 8.3
- Browser: Chrome
Activities performed:
- Uploaded webshells without proper validation.
- Executed remote system commands via uploaded scripts.
- Created and downloaded server file archives without authentication.
- Analyzed server behavior based on MIME type configurations.
- Hardened server security by disabling dangerous PHP functions.
The full report includes:
- Problem identification and motivation
- Testing methodology and findings
- Risk analysis (Potential Impacts)
- Server mitigation strategies (php.ini modifications)
- Conclusion and personal insights
Key takeaways:
- Minor misconfigurations can lead to major security breaches.
- Disabling dangerous functions at the server level effectively mitigates critical risks.
- Practical testing reveals vulnerabilities more clearly than theoretical study alone.
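As an added example (not the project's own code), a hardened upload handler for the Apache2 + PHP 8.3 setup above: it ignores the client-supplied MIME type, sniffs the real content with finfo, allow-lists extensions, and stores the file under a server-chosen name outside the document root, complementing the php.ini hardening the report describes. UPLOAD_DIR, ALLOWED, MAX_BYTES and the disable_functions values in the comment are assumptions for this example.

```php
<?php
// Added example, not from the original project. Assumed php.ini setting that
// removes the command-execution primitives a webshell relies on:
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen

const UPLOAD_DIR = '/var/uploads';          // assumed; outside the DocumentRoot
const MAX_BYTES  = 2 * 1024 * 1024;         // assumed size limit
// Allow-list: extension => MIME type the file's actual bytes must have.
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

function validate_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only the final extension counts, so "shell.php.png" is treated as .png
    // and must still pass the content check below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // $file['type'] is sent by the browser and cannot be trusted; sniff bytes.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }
    return $ext;
}

function store_upload(array $file): string
{
    $ext  = validate_upload($file);
    // Server-chosen random name: the client never controls the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);  // not executable, not world-readable
    return $name;
}

if (isset($_FILES['upload'])) {
    echo store_upload($_FILES['upload']);
}
```

Because UPLOAD_DIR is outside the web root, Apache never serves or interprets the stored files directly; serve them through a separate read-only handler if downloads are needed.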
Through this project, I deepened my understanding of web server vulnerabilities and the importance of proactive security hardening.
Hands-on testing reaffirmed that even small oversights in server configuration can lead to significant risks.
This project is licensed under the CC BY-NC-SA 4.0 License.
- Attribution: You must give appropriate credit.
- NonCommercial: You may not use the material for commercial purposes.
- ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license.