Exploiting An Arbitrary File Upload Vulnerability
An arbitrary file upload vulnerability, is a vulnerability that can be exploited by malicious users to comprimise a system. In this case, it's incorrectly validating the file extension on any uploaded file. Well....that pretty much speaks for itself. If used correctly, it can lead to shelling, executing remote code..all that good stuff.
First off, since I've been getting tons of PMs about the FireFox Add on and Theme I'm using, I'd figure I should just link them here.
FTDeepDark Theme
HackBar
Requirements
Now for this tutorial, you're going to need FireFox, and an add on called Tamper Data.
You can download it here
Once you got it installed, restart FireFox and you can get started.
Finding Vulnerabilities
Now what you're going to want to do is find a vulnerable upload form. How do you find these? A pretty common method known around here, using google dorks.
Here's the example I'll be using in this tutorial.
inurl:/upload.php intext:Image UploadNow you can create your own, find your own, and use your own dorks.
Once you've found your site, you should be at an upload form.
It should look something like this.
![[Image: 9EgEy.jpg]](http://i.imgur.com/9EgEy.jpg)
Testing The Upload Form
Now try and upload your shell in regular format, to see if you'll need to continue.
![[Image: pRzfj.jpg]](http://i.imgur.com/pRzfj.jpg)
Unrecognized image typeNow try and upload it in image format.
![[Image: VjMqi.jpg]](http://i.imgur.com/VjMqi.jpg)
![[Image: 7fHXY.jpg]](http://i.imgur.com/7fHXY.jpg)
Modifying The POST Content
It worked, now we're going to go back, re upload, and modify the POST content.
Go back to your upload form, select your shell in image format, and go to Tools > Options > Tamper Data.
It should look something like this..
![[Image: g78Kq.jpg]](http://i.imgur.com/g78Kq.jpg)
Now click start tamper, and upload your file.
A popup will come up and ask you if you want to continue tampering. If it's sending information about the upload form, click continue tampering and click tamper.
![[Image: mMgPI.jpg]](http://i.imgur.com/mMgPI.jpg)
Now a whole new form should come up, it looks like this.
![[Image: P2tI4.jpg]](http://i.imgur.com/P2tI4.jpg)
Everything on the right is where we change our file extension. That is the POST data.
Now find your filename and remove your nullbyte and spoofed extension. Here's an example of what it should be changed to.
WSO.php.jpgWSO.php![[Image: stZsf.jpg]](http://i.imgur.com/stZsf.jpg)
![[Image: u30H5.jpg]](http://i.imgur.com/u30H5.jpg)
Now click OK, and your file should upload. Now all you have to do is find your shell, sometimes you can right click it (if it's a broken image), other times it'll be in the page source. This will work with several different upload forms, inside administrator panels, and other things as well. Hope you guys understand, good luck and happy hacking. Shoutout to Zer0Lulz!
Resources
Test Site - This site will get raped by everyone anyways....
Shell Pack (Image Format) || Virus Scan
Tamper Data - See more at: http://voice0fblackhat.blogspot.com/2012/01/exploiting-arbitrary-file-upload.html#sthash.4IsGYGG1.dpuf
0 comments:
Post a Comment