Upload Vulnerabilities

Introduction

General Methodology

Overwriting Existing Files

Let's check the domain they provided for us to practice on.

Let's look at the source code to see the name of the image on the webpage.

It's called mountains.jpg. Let's download another image from the internet and call it mountains.jpg.

Let's now upload it.

Remote Code Execution

Let's go to the domain to practice this exploit.

Let's run a gobuster scan to find the directory where files are being uploaded.

We have two directories. Let's upload our reverse shell and see where it is stored.

Once it has uploaded successfully, let's go and check where the file is.

It is in the /resources directory. Now let's start a netcat listener on our machine.

Now let's click on the file in the browser and we should get a reverse shell.

Let's cd to /var/www and read the flag.

Filtering

Bypassing Client-Side Filtering

Let's check the domain.

Let's open Burp.

Let's look at the client-side filter script.

Looks like only png files are allowed. Let's change our shell file name to shell.png and upload it.

Now let's turn on intercept in Burp and capture the upload request.

Now let's send this to Repeater and change the filename and Content-Type.

Now let's send it and check whether we can upload it successfully.

And we can, so let's change the filename and Content-Type in the Proxy tab and upload the file.

Now let's run a gobuster scan to find the place where files are being uploaded.

We found the file. Let's start a netcat listener on our machine.

Now let's click on the file name.

We have a shell. Let's cd to /var/www and read the flag.

Bypassing Server-Side Filtering: File Extensions

Let's check the webpage.

Let's type in select in the terminal to select different files and see what extension is allowed. After testing a bit, I found out that PHP files are not allowed, but jpg images are allowed, so let's change the extension of our shell.php file.

Now let's upload it. After that, let's find the directory where the file is being uploaded with gobuster.

Let's check the /privacy directory.

Looks like the files are being uploaded here and we see our file, so let's start a netcat listener.

Now let's click on the file.

We have a shell. Let's read the flag.

Bypassing Server-Side Filtering: Magic Numbers

Let's check the webpage.

Let's first check what types of files are allowed.

Looks like we have our answer. Let's change the hex values at the start of the file to those of a GIF. First, let's add 4 A's to the start of the shell.php file.

Now let's open it with hexeditor.

Now let's change it to the GIF image values.

Now let's save it and upload it.

Now let's run a gobuster scan to find where the file has been uploaded.

Let's check the graphics directory.

Looks like we are not allowed to access this directory, but we can assume that the file has been uploaded here, so let's start a netcat listener and browse to the URL where the file is located (assuming).

It looks like the file is not being executed. After looking at the file for a while, I realized it was missing a < symbol before the ?php text. Let's add that.

Now let's save it, upload it, and then go to the URL.

We got a shell. Let's read the flag.

Example Methodology

Challenge

Let's visit the webpage.

Looks like we can upload files here. Let's first run a gobuster scan to find the page where the files are being uploaded, or where we can execute uploaded files.

None of the directories are found except the /admin directory. Let's check it.

We can execute files here. Let's look at the source of the web page.

We have an upload.js file. Let's look at it.

Looks like there are file size, magic number and file extension checks. We can also see that if the file extension is not jpg or jpeg, the file will not be allowed.

Wappalyzer also tells us that Node.js is being used.

So let's use a Node.js payload, which we can find here.

Let's copy this to our machine and call it bypass.js; make sure to change the IP and the port.

Now we need to find a way to bypass the filter. So let's capture the request in Burp and see what we can do. First we have to change some options. Go into the Options tab in Proxy and click edit on Intercept Client Requests.

Now let's remove the ^js$ part of it and hit OK. Let's request the page and capture the request. After forwarding a few packets you should see this page.

It is the upload.js page. Now let's right-click, go to Do intercept, and then click Response to this request.

After forwarding a few pages you should see this page (if not, clear the cache using Ctrl + F5).

Now let's remove the filters.

Now let's forward the request. We have now removed the client-side filter, but we still have to bypass the server-side filter. Let's upload our bypass.js file, but change the name and extension to shell.jpg. Once it is uploaded, let's run gobuster to see where the file is and what name it has.

Let's check all the files and see which one gives us an error, as our file is an ASCII file and not a jpg file.

Looks like we found the file. Let's start a netcat listener.

Let's go to the admin page to execute the file.

We have a shell. Let's read the flag.
