Exploiting More Advanced File Upload Vulnerabilities

OK, so now that we managed to upload files using the easy and the medium difficulties, let's try it with the high.

So first of all, I'm going to turn off my interceptor so I can use this website.

Now, we're going to go to the security settings.

We're going to set it to high.

We're going to submit.

And let's go back to the file upload as usual.

Let's first of all make sure that the functionality works by uploading a normal file that the Web application expects.

So let's upload a normal image in my downloads and we are going to click on Upload and Perfect.

The JPG image gets uploaded with no issues.

So the next step is going to be uploading a file.

So you want to keep things simple.

Now, I'm not going to waste your time.

I tried uploading a normal file and it did not work.

Therefore, let's try the trick that we did in the previous lecture.

So we're going to turn on the interceptor and we're going to upload a file from my root in here.

And it's the same shell, but we changed its file extension to jpg, so we're going to double click it, click on Upload, and in the interceptor in here

We're going to change the file name.

So we're keeping the content type the way it is.

And we're going to change the file name to shell.php, and this time we're going to call it shell3.php.

So this is exactly what we did in the previous lecture with the medium security.

Obviously with this example, I'm assuming this is a new website, so we don't really know.

So we're trying this trick.

We're going to click on forward.

And as you can see, we get an error saying our image was not uploaded, meaning that the code that this Web application is using at the server side is able to detect that this file is still a file that could be harmful and it should not be allowed.

So let's go again.

Let's click on our shell.jpg, and let's click on Upload.

And now that we have the request in here, let's analyze it again, have a look at it and see what we can do to hopefully bypass whatever checks the Web application has. We can see that the file name is set to shell.jpg.

And we know if we keep it the way it is, it will actually be uploaded, because normal images that have this extension can be uploaded.

We also know keeping the content type as image jpeg is fine.

It does not break our shell.

Therefore, we could assume (we still don't know, we're just making an educated guess) that whatever code they have at the back end is checking if the file ends with a valid image extension, such as .jpg.

Therefore, we could try to rename this file to shell3.php.jpg.

Now again, this will not work on all servers.

There is trial and error to this, and there is always trial and error when it comes to hacking, and specifically Web application hacking.

So this would be just one try that you should do.

If this doesn't work, you can simply try to keep shell3.jpg and then add the .php after it, this way: shell3.jpg.php. In this example, you'd be able to bypass the check if the check was only checking that the file name contains an image extension, and therefore by adding the .php here you will be able to bypass the check while maintaining the file type as PHP.

Now, I tried this and it didn't work.

That's why I'm sticking with the first one, which is shell3.php.jpg.

So the main idea that I'm showing you in here is not this one trick only.

The main idea is to play around with the filename and with the content type.

You're going to have to do a lot of trial and error until you actually manage to get it.

I will include a cheat sheet in the resources of this lecture where you can see a lot of other similar examples.

I don't want to waste a lot of lectures showing the different ways you could rename a file and still get it to execute, because we're simply going to be changing the file name using the exact same method, using the proxy.

You're simply going to have to upload the file and play around with the name and the content type until you get it to upload.

And maybe after spending 20 or 30 minutes, you'll realize that this file upload functionality is not vulnerable and you move to the next vulnerability.

This takes a lot of patience and takes a lot of work.

So anyway, we're going to go with this.

Rename the file to shell3.php.jpg.

We're keeping the content type as is.

And this, like I said, will bypass the check if the check is simply checking whether the file ends with a valid extension, such as .jpg.

So we're going to click on Forward and Perfect.

As you can see now, it's telling us that the file got uploaded, but this is not the end of the road, because sometimes renaming a file like this would stop it from working as a PHP file, depending on how the server is configured.
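The check the lecture is guessing at (does the name end with a valid image extension?) is easy to write down, and so is a version that does not have this weakness. The following is an added example in Python for the defending side; it is not code from the lecture or from the lab application, and the allowlist, the file names and the sample bytes are all constructed. The weak function passes shell3.php.jpg for exactly the reason described above; the hardened function never stores a client-chosen name at all, so whether the server treats a double extension as executable stops mattering.

```python
"""Upload-name validation: the weak check described in the lecture, beside
a hardened version. Added example; all names and bytes are constructed."""
import os
import re
import secrets
from typing import Optional

# Extensions the application is willing to accept from the client (constructed).
ALLOWED_IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# .jpeg and .jpg are the same format; store everything under one spelling.
CANONICAL = {".jpeg": ".jpg"}

# Magic bytes for the accepted formats. The Content-Type header is set by the
# client (the lecture leaves it as image/jpeg), so it is never consulted here;
# the bytes of the file itself decide.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def weak_extension_check(filename: str) -> bool:
    """The check the lecture bypasses: only the trailing extension is looked at,
    so 'shell3.php.jpg' passes exactly like 'cat.jpg' does."""
    return filename.lower().endswith(tuple(ALLOWED_IMAGE_EXTENSIONS))


def sniff_image_extension(data: bytes) -> Optional[str]:
    """Return the canonical extension matching the file's magic bytes, or None."""
    for ext, signatures in IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def hardened_store_name(filename: str, data: bytes) -> Optional[str]:
    """Return a safe name to store the upload under, or None to reject it.

    - the client name contributes nothing but its final extension, which must
      be on the allowlist; a stem containing another dot (a double extension)
      is rejected outright;
    - the extension must agree with the file's magic bytes, so a PHP file
      named cat.jpg is rejected even though its name is fine;
    - the stored name is random, so nothing the client chose reaches disk.
    """
    base = os.path.basename(filename)          # drop any path the client sent
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):  # no dots, no oddities
        return None
    sniffed = sniff_image_extension(data)
    if sniffed is None or sniffed != CANONICAL.get(ext, ext):
        return None
    return secrets.token_hex(16) + sniffed


if __name__ == "__main__":
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 16   # constructed JPEG header
    text_bytes = b"plain text pretending to be an image"  # constructed non-image
    for name, data in [("cat.jpg", jpeg_bytes), ("shell3.php.jpg", jpeg_bytes),
                       ("shell3.jpg.php", jpeg_bytes), ("cat.jpg", text_bytes)]:
        print(f"{name:16} weak={weak_extension_check(name)!s:5} "
              f"hardened={hardened_store_name(name, data)}")
```

In a real deployment the random name would also be written to a directory that the web server serves as static content only, so that even a file that slipped past the checks could never be executed; the lecture's observation that success "depends on how the server is configured" is exactly that configuration.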

So that's why I said there is always trial and error.

So let's go ahead to our terminal and try to communicate with this file.

So I'm going to exit out of this.

We're going to clear the screen, and we're going to use the same command as before, because the link is the same.

The only difference is the file name.

It's going to be shell3.php.jpg.

We're going to hit enter and perfect.

We're inside.

If we do id, we're going to get the ID.

And right now we managed to connect to our PHP shell and have remote control over the target web server.

As I mentioned before, I will cover how to use Weevely in the post exploitation section later on, and I'll show you how you can use it to pretty much control the server, access the database and do all of that.

But for now, we managed to gain control over that server by uploading a file, and we managed to bypass their high security by simply manipulating the upload request and changing the file name.

And like I said, you should experiment with different tricks and different ways of naming your file while uploading it.

And I will include a cheat sheet in the resources.

So you have a number of useful examples that you can use to bypass such checks.
