Kali Linux

FUSE : A Penetration Testing Tool For Finding File Upload Bugs

FUSE is a penetration testing system designed to identify Unrestricted Executable File Upload (UEFU) vulnerabilities. The details of the testing strategy is in our paper, “FUSE: Finding File Upload Bugs via Penetration Testing”, which appeared in NDSS 2020. To see how to configure and execute FUSE, see the followings.

Setup

Install

FUSE currently works on Ubuntu 18.04 and Python 2.7.15.

  • Install dependencies

#apt-get install rabbitmq-server
#apt-get install python-pip
#apt-get install git

  • Clone and build FUSE

$ git clone https://github.com/WSP-LAB/FUSE
$ cd FUSE && pip install -r requirements.txt

If you plan to leverage headless browser verification using selenium, please install Chrome and Firefox web driver by refering selenium document.

Usage

Configuration

  • FUSE uses a user-provided configuration file that specifies parameters for a target PHP application. The script must be filled out before testing a target Web application. You can check out README file and example configuration files.
  • Configuration for File Monitor (Optional)

$ vim filemonitor.py

10 MONITOR_PATH=’/var/www/html/’ <- Web root of the target application
11 MONITOR_PORT=20174 <- Default port of File Monitor
12 EVENT_LIST_LIMITATION=8000 <- Maxium number of elements in EVENT_LIST

Execution

  • FUSE

$ python framework.py [Path of configuration file]

File Monitor

$ python filemonitor.py

  • Result
    • When FUSE completes the penetration testing, a [HOST] directory and a [HOST_report.txt] file are created.
    • A [HOST] folder stores files that have been attempted to upload.
    • A [HOST_report.txt] file contains test results and information related to files that trigger U(E)FU.

CVEs

If you find UFU and UEFU bugs and get CVEs by running FUSE, please send a PR for README.md

ApplicationCVEs
ElggCVE-2018-19172
ECCube3CVE-2018-18637
CMSMadeSimpleCVE-2018-19419, CVE-2018-18574
CMSimpleCVE-2018-19062
Concrete5CVE-2018-19146
GetSimpleCMSCVE-2018-19420, CVE-2018-19421
SubrionCVE-2018-19422
OsCommerce2CVE-2018-18572, CVE-2018-18964, CVE-2018-18965, CVE-2018-18966
MonstraCVE-2018-6383, CVE-2018-18694
XEXEVE-2019-001
Download
R K

Leave a Comment
Share
Published by
R K
Tags: Finding File Upload BugsFUSEPenetration Testing Tool
5 years ago

Recent Posts

Best OSINT Tools for Journalists 2026: Verify Sources, Images and Claims

Journalists use OSINT to verify public information before publishing. In 2026, misinformation, AI-generated images, fake…

9 hours ago

Install Docker on Ubuntu 20.04: Complete Step-by-Step Guide

Docker is an open-source platform that lets you package and run applications inside containers. Each container…

20 hours ago

Install PostgreSQL on Ubuntu: Database Setup and Admin Guide

PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…

21 hours ago

Install Xrdp Remote Desktop on Ubuntu: Setup and Connect

Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…

21 hours ago

Tomcat 9 on Ubuntu 20.04: Install, Configure, and Start

Apache Tomcat is an open-source web server and Java servlet container. It is one of the…

21 hours ago

Automatic Updates on Ubuntu: Set Up unattended-upgrades

Keeping your Ubuntu system updated is one of the best ways to protect it. Security…

22 hours ago