Hi, I am stuck several days on this one. Hope someone can help and give me the correct direction.
I have bypassed the client-side validation, and then I used
# Outer loop: the characters to inject between name and extension.
# Single-quoted, so '.\' is a literal dot-backslash and '…' is the Unicode ellipsis.
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
    # Inner loop: candidate script extensions ('.php' needs its leading dot, and '.phps' was listed twice).
    for ext in '.php' '.php2' '.php3' '.php4' '.php5' '.php6' '.php7' '.phps' '.pht' '.phtm' '.phtml' '.pgif' '.shtml' '.htaccess' '.phar' '.inc'; do
        # Four placements: character/extension before or after the image extension.
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
        # also I added jpeg, png.
    done
done
to create a wordlist. I can see some files are uploaded successfully, but when I tried to HTTP GET them one by one, they either say can't find this file or don't have permission. Not sure what's wrong with this.
I got a lot of success responses like “1.php\x00.png”, “1.php/.jpg”, but I can't access them. What should I do? (Seems it's the same situation as yours.) (Thanks a lot for replying.)
Yep, it is very close. I wrote a script and used curl to send an HTTP GET request to all the files + arg (?cmd=id) that I uploaded. The correct ones will have code execution.
Hello folks, I'm super stuck on this; I am in the same spot that OP is talking about. The issue is that when I upload a .phps file it gets created on the server, as I receive a 403 response when curling it, meaning it must be there; I just can't access it. However, I have tried every file extension I can think of and all of them return a 404, meaning I think I am getting stopped by the blacklist.
I also have a script curling the file extensions looking for a 200 response.
As a clarification, I was able to solve this question using character injection in one attempt and reverse double extension in another attempt. Read over the lesson material on these attack methods. My extra advice would be to write a script that reads in the filenames you have generated, then makes a request to the target system and checks to see if any of the files in the list exist.
Make sure to assess the target system and get an idea of the non-image file types it will accept first.
I think I need another nudge in the right direction. I tried to use the hints from this thread, but the only thing I get is a 403 for one file extension and 404 for other extensions… obviously I'm doing something wrong somewhere… :/ … maybe I should go to bed…
I just solved it with “Double Extensions”, but I'm trying to solve it with “Reverse Double Extensions”:
%20
%0a
%00
%0d0a
/
.\
.
…
:
By using these characters in the filename, like filename=“shell.php%00.jpg”, I'm getting “file upload successful” but I'm getting a 404 error. In the above file name I replaced “php” with several PHP formats. Can someone please tell me, if I upload using special characters in the filename, with which name they are saved on the web server?
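The defender's side of both the generator in the first post and the character list above: every one of those names is trying to make the stored file differ from the validated one (a null byte or newline truncates it, a slash or backslash moves it, a colon re-types it on NTFS, an inner ".php" survives a last-extension check). The following is an added example, not HTB Academy's or any poster's code, of a server-side filter that decodes once, normalises, and only then decides. The allow-list, the script-extension pattern and the function names are assumptions for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote

# Hypothetical upload filter (added example, not HTB's or a poster's code).
# Allow-list of extensions the application is willing to store and serve.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Extensions the thread's generator tries; a typical PHP/Apache setup may hand
# these to an interpreter, so none of them may appear anywhere in the name.
SCRIPT_EXT_RE = re.compile(
    r"^(php\d?|phps|pht|phtml?|phar|inc|shtml|pgif|htaccess)$", re.IGNORECASE
)

# Characters tolerated in the stem; everything else is replaced with '_'.
SAFE_STEM_RE = re.compile(r"[^A-Za-z0-9_-]")
MAX_STEM_LEN = 64


class RejectedFilename(ValueError):
    """Raised when an upload name cannot be reduced to a safe image name."""


def sanitize_upload_filename(raw: str) -> str:
    """Return a canonical 'stem.ext' for a user-supplied upload name, or raise.

    Order matters: decode first, so '%00', '%20', '%0a' are judged as the
    bytes the file system would see, then reject anything that could
    truncate, relocate or re-type the stored file.
    """
    name = unquote(raw)

    # 1. Control characters (NUL, CR, LF, ...) are truncation / header
    #    injection vectors, never legitimate file-name content.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        raise RejectedFilename("control character in file name")

    # 2. NFKC folds look-alikes such as the ellipsis '…' into plain '...',
    #    so the dot handling below sees them.
    name = unicodedata.normalize("NFKC", name)

    # 3. Drop any directory part for both separator styles, then refuse
    #    the drive / alternate-data-stream colon.
    name = re.split(r"[\\/]", name)[-1]
    if ":" in name:
        raise RejectedFilename("colon in file name")

    # 4. Split on dots, dropping empty segments ('shell..jpg', trailing '.').
    parts = [p for p in name.split(".") if p != ""]
    if len(parts) < 2:
        raise RejectedFilename("file name needs a stem and an extension")

    *stem_parts, ext = parts
    ext = ext.strip().lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedFilename(f"extension {ext!r} not allowed")

    # 5. Reverse double extension: no inner segment may be a script extension,
    #    even when padded with whitespace ('php ' from 'php%20').
    for seg in stem_parts:
        if SCRIPT_EXT_RE.match(seg.strip()):
            raise RejectedFilename(f"script extension {seg.strip()!r} inside name")

    # 6. Collapse the stem to one safe token: the stored name has exactly one
    #    dot, so no handler can ever match a second extension.
    stem = SAFE_STEM_RE.sub("_", "_".join(stem_parts))[:MAX_STEM_LEN]
    if not stem.strip("_"):
        raise RejectedFilename("empty stem")
    return f"{stem}.{ext}"


def classify(names):
    """Map each candidate name to its stored name, or to 'REJECTED'."""
    out = {}
    for n in names:
        try:
            out[n] = sanitize_upload_filename(n)
        except RejectedFilename:
            out[n] = "REJECTED"
    return out


if __name__ == "__main__":
    # Constructed sample: the thread's payload shapes plus two benign names.
    samples = [
        "shell.php%00.jpg", "shell.php\x00.jpg", "1.php/.jpg", "shell.php%20.jpg",
        "shell.jpg%0a.php", "shell.phtml.jpg", "shell.jpg.phar", "shell.php….jpg",
        "shell.php:.jpg", "shell.php.\\.jpg", "photo.JPG", "Summer Holiday.png",
    ]
    for name, result in classify(samples).items():
        print(f"{name!r:28} -> {result}")
```

In practice the stem would be replaced by a server-generated random token, and the upload directory would be served with script handlers disabled, so that even a filter miss lands a file that the web server will never execute. The deterministic stem here only keeps the example's results checkable.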
It took me several hours, but I solved it. I solved the question using the “Character Injection” technique. I used the script provided by HTB Academy, but it didn't work. I modified the script by adding the ‘.phar’ and ‘.phtml’ extensions:
After that I used Burp Suite (Intruder) with the list generated by the script and without checking the “URL Encode” option. I did a “Grep Match” and “Grep Extract” with the message “Extension not allowed” to better identify which payloads are working and which are not.