diff --git a/.gitbook/assets/image (157) (2).png b/.gitbook/assets/image (157) (2).png new file mode 100644 index 000000000..d7e1399e2 Binary files /dev/null and b/.gitbook/assets/image (157) (2).png differ diff --git a/.gitbook/assets/image (157).png b/.gitbook/assets/image (157).png index d7e1399e2..172bd79f0 100644 Binary files a/.gitbook/assets/image (157).png and b/.gitbook/assets/image (157).png differ diff --git a/.gitbook/assets/image (159) (2).png b/.gitbook/assets/image (159) (2).png new file mode 100644 index 000000000..7b717c47a Binary files /dev/null and b/.gitbook/assets/image (159) (2).png differ diff --git a/.gitbook/assets/image (159).png b/.gitbook/assets/image (159).png index 7b717c47a..00aab40be 100644 Binary files a/.gitbook/assets/image (159).png and b/.gitbook/assets/image (159).png differ diff --git a/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md b/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md index eed681109..10588275f 100644 --- a/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md +++ b/network-services-pentesting/pentesting-web/php-tricks-esp/php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md 
@@ -121,7 +121,28 @@ In PHP ≤ 5.3.22 and ≤ 5.4.12, the constructor of SoapClient was **vulnerable Checking the **dependencies** of the **project** you are trying to exploit you could find **new classes** that could be **abused to execute commands** creating a new object. In this case, **Imagick** was found to be useful for that purpose. +### VID parser +The VID parser allows to write arbitrary content in an arbitrary path inside the filesystem, which would allow an attacker to write a PHPshell in an accessible folder from the web page and get RCE. + +![](<../../../.gitbook/assets/image (157).png>) + +#### VID Parser + FIle Upload + +When a file is uploaded to PHP it's temporary stored in `/tmp/phpXXXXXX` . The VID parser of Imagick with the **msl** protocol allows to **specify wildcards in the file paths** (so the temporary uploaded file can be easily accessed) and **copy it to any arbitrary location**.\ +This is another way to get arbitrary file writing inside the filesystem: + +![](<../../../.gitbook/assets/image (159).png>) + +### PHP Crash + Brute Force + +The [**original writeup**](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/) explained another way to get RCE by **uploading files with specific content** and making the **server crash before it deletes** that file and then **bruteforcing the name** of the temporary file until **Imagick executes arbitrary PHP code**. + +However, apparently the **crash trick** discovered only **worked in an old version of ImageMagick**. + +## References + +* [https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/](https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/)
diff --git a/pentesting-web/cache-deception.md b/pentesting-web/cache-deception.md index 064a7a253..f79290b24 100644 --- a/pentesting-web/cache-deception.md +++ b/pentesting-web/cache-deception.md @@ -143,7 +143,7 @@ GitLab uses GCP buckets to store static content. **GCP Buckets** support the **h Ruby on Rails applications are often deployed alongside the Rack middleware. The Rack code below takes the value of the **`x-forwarded-scheme` value and uses it as the scheme of the request**. -![](<../.gitbook/assets/image (159).png>) +![](<../.gitbook/assets/image (159) (2).png>) Sending the `x-forwarded-scheme: http` header would result into a 301 redirect to the same location which will cause a DoS over that resource as in this example: @@ -151,7 +151,7 @@ Sending the `x-forwarded-scheme: http` header would result into a 301 redirect t The application might also support the header `X-forwarded-host` and redirect the user to that host, making possible to load javascripts files from the attacker server: -![](<../.gitbook/assets/image (157).png>) +![](<../.gitbook/assets/image (157) (2).png>) ### 403 and Storage Buckets
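Review bot: the added lines in php-rce-abusing-object-creation-new-usd_get-a-usd_get-b.md carry several spelling and grammar slips that should be fixed before merge: `PHPshell` should read `PHP shell`, `FIle Upload` should read `File Upload`, `temporary stored` should be `temporarily stored`, and `allows to write` / `allows to specify` should be `allows writing` / `allows specifying`. The heading levels are also inconsistent: `### VID parser` is followed by `#### VID Parser + FIle Upload` with mismatched capitalization of `parser`; pick one form and keep the sub-heading at `####` only if it is meant as a child of the VID parser section. On substance, neither new section names which ImageMagick versions are affected; the text itself says the crash trick "only worked in an old version of ImageMagick" but never says which one, so a reader triaging a deployment cannot tell whether it is exposed. Suggest stating the affected version range from the referenced writeup next to each claim and adding a short note on the fix or configuration a defender would apply, so the section serves detection and mitigation rather than reading as exploitation steps only.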
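Review bot: the asset shuffle is internally consistent but fragile. The blobs previously at `image (157).png` (d7e1399e2) and `image (159).png` (7b717c47a) are re-added as `image (157) (2).png` and `image (159) (2).png`, and both cache-deception.md hunks are re-pointed to the ` (2)` names, so the existing page keeps its screenshots while the bare names are overwritten with the new Imagick screenshots that the php-rce page links to. Relying on GitBook's auto-numbered `image (N)` names is what forced this rename; suggest giving the new screenshots descriptive filenames (for example `imagick-vid-parser.png`, a hypothetical name) so that a future upload cannot silently overwrite an image another page links to. Since cache-deception.md is already touched, the context line `making possible to load javascripts files` could be corrected to `making it possible to load JavaScript files` in the same pass.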