Was stuck here for a long time trying to get character injection techniques to work and was not successful. I was able to upload files successfully with character injection but attempts to reference them always came back as 404. I thought this was working because phps was giving me no permissions, but I found anything.phps gave the same error so that message wasn’t indicative of anything.
The advice in this thread around expanding the extensions beyond what you use in the script is helpful, and then what I noticed is that phar and phtml had a lot more “successes” than php with character injection. Even though I didn’t use character injection, this sparked the realization that they were treated differently and a simpler approach with those might work.
Wish I had been able to get character injection going. I tried doing the curl script after the upload script but just got not found on every file link. Also tried just removing the characters, since I would think the goal is that these injections save your file as shell.php, but that didn’t work either. In the end, still got there though.
Let me clear up the hint because it came off a bit confusing.
You can solve it using either
Reverse Double Extension
Character Injection
Reverse Double Extension:
=======================
The easier one to solve.
Create a wordlist where file:
Starts with a php extension, i.e. php
Ends in a picture format, i.e. jpg
Something like shell.php.jpg
=======================
Character Injection
======================
Trickier because you can get a successful file upload for a lot of results. However, when trying to open the URL of them you get 404 not found.
I did notice if you open some via the webpage - right click open image in new tab, the url would be different, but no need to go down this rabbit hole as I did and none of them worked either.
All I can do is expand on what “magic” said because they were right.
Create a wordlist from the page it gives you and add some extra php extensions only, i.e. php5, pht, phtml, etc.
After intruder has finished, run the script “magic” provided.
You will eventually get a 200 response. That’s where the shell is.
Otherwise you will be looking at over 300 that were successfully uploaded manually.
This took too many hours for me to complete. The steps I took to complete this task:
Looking at the source code of script.js you need .jpg, .png, or .jpeg at the end of the filename.
Then, with the word list creator code in this module, run a for loop on the php extensions so you have an output like shell.php.jpg, where .php is something else.
Then run this word list through burp intruder with payload encoding off. Then I scrolled through and found which ones successfully uploaded and tried those.
You can also use burp intruder to find which images you can view. Make sure encoding is off and they will return 200 OK. There are two php extensions that work.
Took a loooooooooooong time, but persistence pays off.
As Burch stated, you can see which extensions are allowed in the source code: .jpg, .png, or .jpeg at the end of the filename.
If you use intruder to add those suffixes one at a time with a complete list of your other extensions, try the ones that successfully upload.
Then get your flag and go have a beverage.
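The check the two posts above describe (accept anything that ends in .jpg, .png or .jpeg) is the reason a name like shell.php.jpg gets through. The following is an added example, not the module's script.js or any poster's code: it contrasts that suffix-only check with a strict allow-list check of the kind a server-side validator should apply, run over constructed sample filenames.

```javascript
// Weak check, modelled on the behaviour the thread describes: it only looks at
// the trailing image extension, so "shell.php.jpg" is accepted.
function suffixOnlyCheck(filename) {
  const lower = filename.toLowerCase();
  return lower.endsWith('.jpg') || lower.endsWith('.jpeg') || lower.endsWith('.png');
}

// Strict check: an allow-listed base name, exactly one dot, an allow-listed
// extension. Double extensions and any character outside the allow-list are
// rejected, so nothing unexpected reaches the filesystem. A check like this
// has to run server-side; the thread shows client-side checks being skipped.
const STRICT_NAME = /^[A-Za-z0-9_-]{1,64}\.(jpe?g|png)$/i;
function strictCheck(filename) {
  return STRICT_NAME.test(filename);
}

// Run both checks over a list of names and report what each one accepts.
function compareChecks(filenames) {
  return filenames.map((name) => ({
    name,
    suffixOnly: suffixOnlyCheck(name),
    strict: strictCheck(name),
  }));
}

// Constructed sample names: one legitimate image and the reverse double
// extension pattern from the thread with a few php extensions.
const SAMPLES = ['photo.jpg', 'shell.php.jpg', 'shell.phtml.png', 'shell.phar.jpeg'];

for (const r of compareChecks(SAMPLES)) {
  console.log(`${r.name.padEnd(18)} suffixOnly=${r.suffixOnly} strict=${r.strict}`);
}
```

Only photo.jpg passes the strict check; every double-extension name passes the suffix-only check and fails the strict one.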
Well, actually this section is a hard one.
All you need to understand is:
1. The script within the section for fuzzing different extensions must include more php extensions, which we’re already familiar with from the section.
Try running a simple php code instead of a photo content so it’ll be easier for you to observe if the code actually executed.
Work in stages when you’re using burp. TBH I didn’t use any of the scripts for returning http responses using curl. All I used was burp and modifying the script within the section. In order to retrieve pages you can use burp intruder also.
After you’ve understood which kind of payloads can actually upload a file, minimize your list to include only them; it will be faster to observe the results when you’re requesting each file.
Adding my two cents here - it’s far easier to solve this exercise with ffuf than with the commercial version of BurpSuite. The throttling is wasting way too much time. You need 2 ffuf commands, one to upload the files and one to try to retrieve them with the {...}?cmd=id to see which ones return the desired responses.
Use Burp just to get the request and copy it as a curl command; it’s really easy to convert it to ffuf syntax from there. It still ends up looking a little convoluted in the terminal, but it’s not too bad and takes seconds to run vs the ~20-30 mins it takes with Burp.