Fuse – Tool to Find File Upload Vulnerability

Fuse - Tool to Find File Upload Vulnerability

File Upload Vulnerability Tool

FUSE is a penetration testing system designed to identify Unrestricted Executable File Upload (UEFU) vulnerabilities. The details of the testing strategy is in our paper, “FUSE: Finding File Upload Bugs via Penetration Testing”, which appeared in NDSS 2020. To see how to configure and execute FUSE, see the followings.

Setup and Installation

FUSE currently works on Ubuntu 18.04 and Python 2.7.15.

1. Install dependencies

apt-get install rabbitmq-server
apt-get install python-pip
apt-get install git

2. Clone and build FUSE

git clone https://github.com/WSP-LAB/FUSE
cd FUSE && pip install -r requirements.txt

If you plan to leverage headless browser verification using selenium, please install Chrome and Firefox web driver by refering selenium document.

Configuration

  • FUSE uses a user-provided configuration file that specifies parameters for a target PHP application. The script must be filled out before testing a target Web application. You can check out README file and example configuration files.
  • Configuration for File Monitor (Optional)

Execution

  • FUSE
python framework.py [Path of configuration file]

  • File Monitor
python filemonitor.py

  • Result
    • When FUSE completes the penetration testing, a [HOST] directory and a [HOST_report.txt] file are created.
    • A [HOST] folder stores files that have been attempted to upload.
    • A [HOST_report.txt] file contains test results and information related to files that trigger U(E)FU.

CVEs

If you find UFU and UEFU bugs and get CVEs by running FUSE, please send a PR for README.md

ApplicationCVEs
ElggCVE-2018-19172
ECCube3CVE-2018-18637
CMSMadeSimpleCVE-2018-19419, CVE-2018-18574
CMSimpleCVE-2018-19062
Concrete5CVE-2018-19146
GetSimpleCMSCVE-2018-19420, CVE-2018-19421
SubrionCVE-2018-19422
OsCommerce2CVE-2018-18572, CVE-2018-18964, CVE-2018-18965, CVE-2018-18966
MonstraCVE-2018-6383, CVE-2018-18694
XEXEVE-2019-001

You May Also Like

Leave a Reply

Your email address will not be published. Required fields are marked *

two × 3 =