There are many ways to get at a server through its website, such as SQL injection (SQLi) and a hidden uploader. A hidden uploader is a file (a script) containing an upload function that can be triggered from the live site or exploited remotely. It usually exists because an administrator who does not fully understand the application left it on the server, which makes the site vulnerable. Finding it, however, takes a lot of patience, since you have to try many file names before you hit one that accepts an upload.
To test whether your site has a hidden uploader, first understand how the attack works: you scan the site to see whether an upload page exists at all. In many cases the uploader's file name is disguised, which makes it trickier to find; disguising the file name makes your server only slightly more secure, because an attacker with a good wordlist will still find it eventually.
Suppose I want to attack the website example.ltd. I scan the site and try to list the files available on it, and I find upload.php, which is the hidden uploader page. I then try to upload a backdoor through it and check whether I can reach the backdoor afterwards. If I can, the site has a working hidden uploader (an unrestricted file upload).
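The scanning step above, as an added example that is not code from the original post: it guesses common upload-script names under a base URL and flags any page whose HTML contains a multipart form with a file input, which is what a browser-driven uploader looks like. The wordlist, the hostname example.ltd and the sample responses are constructed for illustration; against a live site you would pass the real `http_fetch` instead of `fake_fetch`.

```python
"""Added example (not from the original post): a minimal scanner for a
hidden upload page. Wordlist, example.ltd and the sample HTML are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin
import urllib.request

# Constructed wordlist of names an upload script is commonly given.
COMMON_UPLOADER_NAMES = [
    "upload.php", "uploader.php", "up.php", "file.php",
    "admin/upload.php", "includes/upload.php", "fm/upload.php",
]


class _UploadFormFinder(HTMLParser):
    """Sets .found when a <form enctype="multipart/form-data"> contains
    an <input type="file">."""

    def __init__(self):
        super().__init__()
        self._in_multipart_form = False
        self.found = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").lower() for k, v in attrs}
        if tag == "form" and "multipart/form-data" in a.get("enctype", ""):
            self._in_multipart_form = True
        elif tag == "input" and a.get("type") == "file" and self._in_multipart_form:
            self.found = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_multipart_form = False


def is_upload_form(html: str) -> bool:
    """True if the page contains a multipart form with a file input."""
    parser = _UploadFormFinder()
    parser.feed(html)
    return parser.found


def candidate_urls(base_url: str, names=COMMON_UPLOADER_NAMES):
    """Join every guessed name onto the base URL."""
    return [urljoin(base_url, n) for n in names]


def http_fetch(url: str, timeout: float = 5.0):
    """Real fetcher for a live scan: returns (status, body), or (None, '') on error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except Exception:
        return None, ""


def scan_for_uploaders(base_url, fetch=http_fetch, names=COMMON_UPLOADER_NAMES):
    """Return the candidate URLs that answered 200 with an upload form."""
    hits = []
    for url in candidate_urls(base_url, names):
        status, body = fetch(url)
        if status == 200 and is_upload_form(body):
            hits.append(url)
    return hits


# Constructed responses standing in for the live site example.ltd:
# one real upload form and one unrelated page.
SAMPLE_SITE = {
    "http://example.ltd/upload.php": (
        200,
        '<html><body><form method="post" enctype="multipart/form-data">'
        '<input type="file" name="f"><input type="submit"></form></body></html>',
    ),
    "http://example.ltd/file.php": (200, "<html><body>File listing</body></html>"),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch that serves SAMPLE_SITE."""
    return SAMPLE_SITE.get(url, (404, ""))


if __name__ == "__main__":
    for hit in scan_for_uploaders("http://example.ltd/", fetch=fake_fetch):
        print("possible hidden uploader:", hit)
```

A page that merely exists (200) is not enough evidence; the form check is what separates an uploader from any other script that happens to answer. A real engagement would also try POSTing a harmless test file, since some uploaders are API endpoints with no HTML form at all.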
How do you secure a hidden uploader? Here are my tips:
- Remove the hidden uploader entirely if nothing needs it
- Put a password (authentication) on the uploader page
- Limit the file types that can be uploaded
- Choose FTP rather than a web uploader (preferably SFTP, since plain FTP sends credentials and files unencrypted)
- Use a proper, maintained web file explorer instead of a bare upload script
These measures should help solve the problem. Thank you for reading.
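The "limit the file types" tip carried into code, as an added example that is not from the original post. The weak check shown first is the kind a leftover uploader usually has: it believes the Content-Type and file name the browser (or attacker) sent. The hardened version ignores everything the client said, identifies the type from the file's leading bytes, and stores it under a random name. The upload directory, size limit, allowed types and the sample backdoor are assumptions chosen for illustration.

```python
"""Added example (not from the original post): weak vs hardened upload
validation. UPLOAD_DIR, MAX_BYTES, the allowlist and the samples are assumed."""
import os
import secrets
import tempfile

MAX_BYTES = 5 * 1024 * 1024
UPLOAD_DIR = "/var/uploads"  # assumption: outside the web root, never executed

# Leading bytes -> canonical extension, only for the types we mean to accept.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_accept(client_filename: str, client_content_type: str) -> bool:
    """What a leftover uploader often does: trusts client-supplied metadata.
    'shell.php.jpg' with Content-Type image/jpeg sails through."""
    return client_content_type.startswith("image/") and \
        client_filename.lower().endswith((".jpg", ".png", ".gif"))


class UploadRejected(ValueError):
    pass


def detect_type(data: bytes):
    """Return the extension for a recognised image signature, else None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def safe_store_name(data: bytes) -> str:
    """Hardened: size cap, signature allowlist, random server-chosen name.
    No user-controlled characters, no path traversal, no second extension
    (x.php.jpg) for the web server to misinterpret."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    ext = detect_type(data)
    if ext is None:
        raise UploadRejected("not an allowed image type")
    return f"{secrets.token_hex(16)}.{ext}"


def store(data: bytes, upload_dir: str = UPLOAD_DIR) -> str:
    """Write the file with a random name; O_EXCL refuses to overwrite."""
    path = os.path.join(upload_dir, safe_store_name(data))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run both checks on constructed inputs.
    Returns (weak_accepted_backdoor, hardened_rejected_backdoor, png_stored)."""
    backdoor = b"<?php system($_GET['c']); ?>"  # constructed sample webshell
    weak = weak_accept("shell.php.jpg", "image/jpeg")
    try:
        safe_store_name(backdoor)
        rejected = False
    except UploadRejected:
        rejected = True
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed minimal PNG header
    with tempfile.TemporaryDirectory() as tmp:
        path = store(png, tmp)
        stored = os.path.isfile(path) and path.endswith(".png")
    return weak, rejected, stored


if __name__ == "__main__":
    print(demo())  # prints (True, True, True)
```

Signature checks are not a complete defence on their own: a file that starts with `GIF89a` and carries PHP after it still passes `detect_type`, and the hardened code here accepts it. That is why the storage location matters as much as the type check: files go to a directory outside the web root with no execute handler, and are served back through a download script rather than by the web server directly. Removing the uploader, or putting authentication in front of it, remains the stronger fix.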