Sunday, 3 March 2013

Exploiting An Arbitrary File Upload Vulnerability


An arbitrary file upload vulnerability is a vulnerability that malicious users can exploit to compromise a system. In this case, the application incorrectly validates the file extension of any uploaded file. That pretty much speaks for itself: used correctly, it can lead to shelling, remote code execution, all that good stuff.

First off, since I've been getting tons of PMs about the Firefox add-on and theme I'm using, I figured I should just link them here.

FTDeepDark Theme
HackBar

Requirements
Now for this tutorial, you're going to need Firefox and an add-on called Tamper Data.

You can download it here

Once you have it installed, restart Firefox and you can get started.


Finding Vulnerabilities

Now what you're going to want to do is find a vulnerable upload form. How do you find these? A pretty common method known around here is Google dorks.

Here's the example I'll be using in this tutorial.

Code:
inurl:/upload.php intext:Image Upload

Now you can create your own, find your own, and use your own dorks.

Once you've found your site, you should be at an upload form.
It should look something like this.
[Image: 9EgEy.jpg]

Testing The Upload Form
Now try uploading your shell in its regular format, to see whether you'll need to continue.

[Image: pRzfj.jpg]
Code:
Unrecognized image type

Now try uploading it in image format.
[Image: VjMqi.jpg]
[Image: 7fHXY.jpg]

Modifying The POST Content
It worked. Now we're going to go back, re-upload, and modify the POST content.
Go back to your upload form, select your shell in image format, and go to Tools > Options > Tamper Data.

It should look something like this.
[Image: g78Kq.jpg]

Now click start tamper, and upload your file.
A popup will come up and ask whether you want to continue tampering. If the request being sent is the upload form's data, click Continue Tampering and then click Tamper.

[Image: mMgPI.jpg]

Now a whole new form should come up; it looks like this.
[Image: P2tI4.jpg]

Everything on the right is the POST data; that is where we change our file extension.

Now find your filename in the POST data and remove the null byte and the spoofed extension. Here's an example of what it should be changed from, and to.

Code:
WSO.php.jpg

Code:
WSO.php

[Image: stZsf.jpg]
[Image: u30H5.jpg]

Now click OK, and your file should upload. All you have to do then is find your shell: sometimes you can right-click it (if it shows up as a broken image), other times it'll be in the page source. This will work with several different upload forms, including ones inside administrator panels, and other things as well. Hope you guys understand; good luck and happy hacking. Shoutout to Zer0Lulz!
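The check this walkthrough defeats is one that trusts the client-supplied filename (and, when it only runs in browser JavaScript, never sees the tampered POST at all). As an added example that is not part of the original post and not the code of any upload.php it targets, here is the server-side validation an image upload form should be doing, written in Python, with the weak extension-only check beside it for comparison. The function names `weak_check`, `sniff_type` and `validate_upload`, the allowlist, and the sample byte strings `SAMPLE_JPEG` and `SAMPLE_PHP` are all constructed for this illustration; `WSO.php` is the filename from the walkthrough.

```python
import os
import re
import secrets

# Image types we accept, keyed by the magic bytes at the start of the file.
# The stored extension is derived from the sniffed type, never from the client's name.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

# Constructed sample inputs: a minimal JPEG header and a PHP file that is not an image.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_PHP = b"<?php /* constructed placeholder, not an image */ ?>"


def weak_check(client_filename: str) -> bool:
    """The kind of check the walkthrough bypasses: it only looks at the tail of the
    client-supplied name. 'WSO.php.jpg' passes, and so does a name with an embedded
    NUL byte, which older C-string-based file APIs (e.g. PHP before 5.3.4) truncate
    at the NUL when writing the file, so it lands on disk as WSO.php."""
    return client_filename.lower().endswith(tuple("." + e for e in ALLOWED_EXT))


def sniff_type(data: bytes):
    """Return the allowlisted type whose magic bytes the content starts with, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_filename: str, data: bytes):
    """Server-side validation. Returns (accepted, stored_name, reason)."""
    # 1. The client name is untrusted input: reject NULs and any path components.
    if "\x00" in client_filename or "/" in client_filename or "\\" in client_filename:
        return False, None, "bad filename"
    if client_filename != os.path.basename(client_filename):
        return False, None, "bad filename"

    # 2. Only the final extension counts, and it must be on the allowlist
    #    ('WSO.php' fails here; 'WSO.php.jpg' gets through to the content check).
    m = re.search(r"\.([A-Za-z0-9]+)$", client_filename)
    ext = m.group(1).lower() if m else ""
    if ext not in ALLOWED_EXT:
        return False, None, "extension not allowed"
    declared = "jpg" if ext == "jpeg" else ext

    # 3. The content itself must be one of the allowed image types.
    sniffed = sniff_type(data)
    if sniffed is None:
        return False, None, "content is not an allowed image"

    # 4. The declared extension must agree with what the content actually is.
    if declared != sniffed:
        return False, None, "extension does not match content"

    # 5. Never reuse the client's name: random server-side name, extension from content.
    #    Store the result outside the web root and serve it through a handler that
    #    forces an image Content-Type, so even a JPEG/PHP polyglot is never executed.
    stored = f"{secrets.token_hex(16)}.{sniffed}"
    return True, stored, "ok"


if __name__ == "__main__":
    for name, data in [("WSO.php", SAMPLE_PHP), ("WSO.php.jpg", SAMPLE_PHP),
                       ("WSO.php\x00.jpg", SAMPLE_PHP), ("photo.jpg", SAMPLE_JPEG),
                       ("photo.png", SAMPLE_JPEG)]:
        print(repr(name), "weak:", weak_check(name), "strict:", validate_upload(name, data))
```

The weak check accepts every spoofed name in the walkthrough; the strict validator rejects `WSO.php` on extension, `WSO.php.jpg` on content, and the null-byte variant on the filename itself. Note what the strict check does not solve: a real JPEG with PHP appended still passes the magic-byte sniff, which is why step 5 (random name, extension from content, storage outside the executable web root) is part of the fix and not an optional extra.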

Resources

Test Site - This site will get hammered by everyone anyway.
Shell Pack (Image Format) || Virus Scan
Tamper Data

Source: http://voice0fblackhat.blogspot.com/2012/01/exploiting-arbitrary-file-upload.html
