Upload Vulnerabilities
Introduction
General Methodology
Overwriting Existing Files
Let's check the domain they provided for us to practice on.
Let's look at the source code to see the name of the image on the webpage.
It's called mountains.jpg. Let's download another image from the internet and call it mountains.jpg.
Let's now upload it.
Remote Code Execution
Let's go to the domain to practice this exploit.
Let's run a gobuster scan to find the directory where files are being uploaded.
We have two directories; let's upload our reverse shell and see where it is stored.
Once it is uploaded successfully, let's go and check where the file is.
It is in the /resources directory. Now let's start a netcat listener on our machine.
Now let's click on the file in the browser and we should get a reverse shell.
Let's cd to /var/www and read the flag.
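The defender's counterpart to this section is spotting the pattern in the web server logs: a file under an upload directory being requested with an extension the server would hand to an interpreter. The scanner below is an added example, not part of the original write-up or of the room it describes. The log lines are constructed for the example; the upload directories /resources, /privacy and /graphics are the ones named in this write-up, and the extension list is an assumption about what the server executes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "combined" format access-log lines (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "POST /upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /resources/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /resources/mountains.jpg HTTP/1.1" 200 83712 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:57:12 +0000] "GET /graphics/shell.php.gif HTTP/1.1" 200 0 "-" "curl/7.88.1"
10.0.0.7 - - [10/Oct/2023:13:58:30 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Directories where this (assumed) application stores user uploads.
UPLOAD_DIRS = ("/resources/", "/privacy/", "/graphics/")
# Extensions a typical server configuration passes to an interpreter (assumed list).
SCRIPT_EXTS = {"php", "phtml", "php5", "phar", "jsp", "aspx", "cgi", "pl"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path: str) -> Optional[str]:
    """Return a reason string if the requested path is suspicious, else None."""
    path = path.split("?", 1)[0]
    if not path.startswith(UPLOAD_DIRS):
        return None  # /index.php is legitimate application code, not an upload
    name = path.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return None
    exts = parts[1:]
    if exts[-1] in SCRIPT_EXTS:
        return "script extension served from upload directory"
    # shell.php.gif: some handler configurations match on any extension in the name
    if any(e in SCRIPT_EXTS for e in exts[:-1]):
        return "double extension hides a script extension"
    return None


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Run every line through the parser and collect the requests worth an alert."""
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reason = classify_path(rec["path"])
        if reason:
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "status": rec["status"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f'{a["ip"]} {a["path"]} [{a["status"]}] -> {a["reason"]}')
```

Run against the sample, the scanner flags the two requests for script files under upload directories and ignores the image fetch and the application's own index.php. In a real deployment the same rule belongs in the server configuration as well as in detection: a directory that only ever holds uploads should have script execution disabled outright.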
Filtering
Bypassing Client-Side Filtering
Let's check the domain.
Let's open Burp.
Let's look at the client-side filter script.
Looks like only PNG files are allowed. Let's change our shell file name to shell.png and upload it.
Now let's turn on Intercept in Burp and capture the upload request.
Now let's send this to Repeater and change the filename and Content-Type.
Now let's send it and check whether we can upload it successfully.
And we can, so let's change the filename and Content-Type in the Proxy tab and upload the file.
Now let's run a gobuster scan to find the place where files are being uploaded.
We found the file. Let's start a netcat listener on our machine.
Now let's click on the file name.
We have a shell. Let's cd to /var/www and read the flag.
Bypassing Server-Side Filtering: File Extensions
Let's check the webpage.
Let's type in select in the terminal to select different files and see what extension is allowed. After testing a bit, I found out that PHP files are not allowed, but JPG images are allowed, so let's change the extension of our shell.php file.
Now let's upload it. After that, let's find the directory where the file is being uploaded with gobuster.
Let's check the /privacy directory.
Looks like the files are being uploaded here and we see our file. Let's start a netcat listener.
Now let's click on the file.
We have a shell. Let's read the flag.
Bypassing Server-Side Filtering: Magic Numbers
Let's check the webpage.
Let's first check what type of files are allowed.
Looks like we have our answer. Let's change the hex values at the start of the file to those of a GIF. Let's first add 4 A's to the start of the shell.php file.
Now let's open it with hexeditor.
Now let's change it to the GIF image values.
Now let's save it and upload it.
Now let's run a gobuster scan to find where the file has been uploaded.
Let's check the graphics directory.
Looks like we are not allowed to access this directory, but we can assume that the file has been uploaded here, so let's start a netcat listener and browse to the URL where the file is (presumably) located.
It looks like the file is not being executed. After looking at the file for a while, I realized it was missing a < symbol before the ?php text; let's add that.
Now let's save it, upload it and then go to the URL.
We got a shell. Let's read the flag.
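Each of the filters beaten in the sections above (the client-side check, the extension check, and the magic-number check) fails because it is used on its own. The validator below is an added example, not code from the original write-up, showing how the checks combine on the server: an extension allowlist rather than a blocklist, a magic-byte check tied to that specific extension, a Content-Type that must agree with both, and a server-generated file name so the client name can never overwrite an existing file such as mountains.jpg from the first section. The size limit, the allowlist and the constructed test inputs are assumptions for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Allowlist: extension -> magic-byte prefixes a file with that extension must start with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                 ".jpeg": "image/jpeg", ".gif": "image/gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return the accepted extension or raise UploadRejected. Every input is client-controlled."""
    # Only the basename is considered, so a client-supplied path never chooses where we write.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    # Allowlist, not blocklist: .php, .phtml, .js and anything else unknown is absent, so it fails.
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    # Content-Type proves nothing on its own (Burp can rewrite it) but it must at least agree.
    if content_type.lower() != CONTENT_TYPES[ext]:
        raise UploadRejected(f"content-type {content_type} does not match {ext}")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Magic bytes must match THIS extension: a GIF89a header on a .php name is already rejected
    # above, and PHP source under a .png name fails here.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("file header does not match extension")
    return ext


def store_upload(upload_dir: Path, filename: str, content_type: str, data: bytes) -> Path:
    """Validate, then write under a name the server picks; the client name is discarded."""
    ext = validate_upload(filename, content_type, data)
    dest = upload_dir / (secrets.token_hex(16) + ext)
    with open(dest, "xb") as fh:  # "x": refuse to clobber if a name should ever collide
        fh.write(data)
    return dest


def check(filename: str, content_type: str, data: bytes) -> str:
    """Convenience wrapper that turns accept/reject into a string for demonstration."""
    try:
        return "accepted " + validate_upload(filename, content_type, data)
    except UploadRejected as exc:
        return "rejected: " + str(exc)


def demo_overwrite_attempt() -> bool:
    """Upload a valid JPEG named mountains.jpg into a dir that already has one; the original survives."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        original = upload_dir / "mountains.jpg"
        original.write_bytes(b"\xff\xd8\xff\xe0ORIGINAL")  # constructed stand-in for the site image
        dest = store_upload(upload_dir, "mountains.jpg", "image/jpeg", b"\xff\xd8\xff\xe0REPLACEMENT")
        return original.read_bytes().endswith(b"ORIGINAL") and dest.name != "mountains.jpg"


if __name__ == "__main__":
    php_src = b"<?php echo 'constructed'; ?>"          # constructed, harmless stand-in for a shell
    print(check("shell.php", "application/x-php", php_src))
    print(check("shell.png", "image/png", php_src))
    print(check("shell.php", "image/gif", b"GIF89a" + php_src))
    print(check("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + php_src))
    print("overwrite prevented:", demo_overwrite_attempt())
```

The fourth case is worth noting: a file named shell.php.jpg with a genuine JPEG header is accepted, and that is fine only because store_upload throws the client name away and writes a random name ending in .jpg. What this validator does not do is make the storage location safe: the upload directory must also have script execution disabled (or sit outside the web root behind a download handler), because a magic-byte check only proves the first few bytes and says nothing about the rest of the file.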
Example Methodology
Challenge
Let's visit the webpage.
Looks like we can upload files here. Let's first run a gobuster scan to find the page where the files are being uploaded, or where we can execute uploaded files.
None of the directories are found except the /admin directory. Let's check it.
We can execute files here. Let's look at the source of the web page.
We have an upload.js file; let's look at it.
Looks like there is a file size, magic number and file extension check. We can also see that if the file extension is not jpg or jpeg, the file will not be allowed.
Wappalyzer also tells us that Node.js is being used.
So let's use a Node.js payload, which we can find here.
Let's copy this to our machine and call it bypass.js. Make sure to change the IP and the port.
Now we need to find a way to bypass the filter, so let's capture the request in Burp and see what we can do. First we have to change some options: go into the Options tab in Proxy and click Edit on Intercept Client Requests.
Now let's remove the ^js$ part of it and hit OK. Let's request the page and capture the request. After forwarding a few packets you should see this page.
It is the upload.js page. Now let's right-click, go to Do intercept and then click Response to this request.
After forwarding a few pages you should see this page (if not, clear the cache using Ctrl + F5).
Now let's remove the filters.
Now let's forward the request. Now that we have removed the client-side filter, we still have to bypass the server-side filter. Let's upload our bypass.js file, but let's change the extension and the name to shell.jpg. Once it is uploaded, let's run gobuster to see where the file is and what its name is.
Let's check all the files and see which one gives us an error, as our file is an ASCII file and not a JS file.
Looks like we found the file. Let's start a netcat listener.
Let's go to the admin page to execute the file.
We have a shell. Let's read the flag.