File Upload Attacks - Whitelist Filters


Thanks a lot. With your help I solved this… :)

For those who are still struggling - EZi0’s comment will get you what you need.

Some steps to help you:

  1. Modify the script that HTB Academy provides to generate your wordlist.txt file with a few extra extensions (e.g. .phar and .phtml).
  2. In Burp Intruder, send each POST request with a PHP payload and the filenames created by the script.
  3. Curl each endpoint and supply ‘?cmd=id’ to check for successful 200s.

This is the script I like to use to automate commands, feeding in a wordlist as a variable, e.g. ./ wordlist.txt

#!/bin/bash
# usage: supply your filename wordlist as the first argument of this script. Each line is read into $line
# ./ wordlist.txt
input="$1"

# Request each URL from the wordlist with HEAD (-I) and print its status line
while IFS= read -r line; do
        echo "doing $line:"
        curl -I "$line?cmd=id"
done < "$input"

Hope that helps

If you haven’t solved it, from what I can remember you are super close; try more combinations of characters. The file will be uploaded with the extension you try and will be reachable, you just need to find the right one.

Was stuck here for a long time trying to get character injection techniques to work and was not successful. I was able to upload files successfully with character injection but attempts to reference them always came back as 404. I thought this was working because phps was giving me no permissions, but I found anything.phps gave the same error so that message wasn’t indicative of anything.

The advice in this thread around expanding the extensions beyond what you use in the script is helpful. What I then noticed is that phar and phtml had a lot more “successes” than php with character injection. Even though I didn’t use character injection, this sparked the realization that they were treated differently and a simpler approach with those might work.

Wish I had been able to get character injection going. I tried running the curl script after the upload script but just got not found on every file link. Also tried just removing the characters, since I would think the goal is that these injections save your file as shell.php, but that didn’t work either. In the end, I still got there though.

Quick tip: the example from "Reverse Double Extension" works fine for this task (but not with .php, try a different one) :)

Also can try this tool: GitHub - almandin/fuxploider: File upload vulnerability scanner and exploitation tool.