File Upload Attacks - Whitelist Filters

Hi, I am stuck several days on this one. Hope some one can help and give me the correct direction.

I have bypassed the client-side validation, and then I used

for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in 'php' '.php2' '.php3' '.php4' '.php5' '.php6' '.php7' '.phps' '.phps' '.pht' '.phtm' '.phtml' '.pgif' '.shtml' '.htaccess' '.phar' '.inc'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
        # also I added jpeg, png.
    done
done

to create a wordlist. I can see some files are uploaded successfully, but when I tried to http get them one by one, they either say cant’ find this file or don’t have permission. Not sure what’s wrong with this.

nvm finally I got this.

i am stucked too, could u push me a little:)

where are you stucked?

i got lot of success response like “1.php\x00.png”,“1.php/.jpg”, but i can’t access it. what should i do? (seems its the same situation with urs). (Thx a lot for replying

Yep, it is very close. I wrote a script and used curl to request http get request on all the files + arg (?cmd=id) that I uploaded. The correct ones will have code execution.

thx. got it!

Hello Folks, I’m super stuck on this, I am in the same spot that OP is talking about. The issue is that when I upload a .phps file it gets created on the server as I receive a 403 response when curling it meaning it must be there I just can’t access it. However I have tried every file extension I can think of and all of them return a 404 meaning I think I am getting stopped by the blacklist.

I also have a script curling the file extensions looking for a 200 response.

I really would appreciate some help please.

Solved it, the hint says you can use either of the last two techniques…well I was completely unable to make any progress with the way OP was trying.

EDIT: I got it. It’s easier, much easier, than it seems

Hi, could you be more specific? I can’t figure it out

1 Like

Can you solved this ?

yep

Care to give up some hints how you solved this?

Don’t waste time with strange characters, use the easiest way

As a clarification I was able to solve this question using character injection in one attempt and reverse double extension in another attempt. Read over the lesson material on these attack methods. My extra advice would be write a script that reads in the filenames you have generated and then makes a request to the target system and check to see if any of the files in the list exist.

Make sure to assess the target system and get an idea of the non-image file types it will accept first.

Hi,

i think I need an another nudge in the right direction. I tried to use the hints from this Thread, but the only thing I get is a 403 for one file extension and 404 for other extensions…obviously I’m doing something wrong somewhere…:/…maybe i should go to bed…

i just solved it with " Double Extensions".but im trying to solve it with “Reverse Double Extensions”:

%20
%0a
%00
%0d0a
/
.\
.
…
:

by using these charatcers in filename like filename=“shell.php%00.jpg” im getting file upload sucessfull but im getting 404 error.In the above file name i replaced “php” with several php formats.can please tell me if a upload a use special characters in filename then with which name they are saved in the web server

It took me several hours, but I solved it. I solved the question using the “Character Injection” technique. I used the script provided by HTB Academy, but it didn’t work. I modified the script by adding the ‘.phar’ ‘.phtml’ extensions:

After that I used Burp Suite (Intruder) with the list generated by the script and without checking the “URL Enconde” option. I did a “Grep Match” and “Grep Extract” with the message “Extension not allowed” to better identify which payloads are working and which are not.

I hope it helps someone.

4 Likes

thx for the reply. I’ll try that when I have more time again…:/…

Another task which is a colossal waste of time.

Just focus on double file extensions and go through that list, you’ll come to an answer eventually.

I think the hint is misleading maybe? I interpreted it as the last two techniques (reverse double extensions and character injection)