
Thread: File upload bypassing techniques in web applications to upload shells

  1. #1 abhaythehero (Super Commando Dhruv)

    File upload bypassing techniques in web applications to upload shells

    3 tricks for uploading a .php shell file where there is some type of filtering against uploading .php scripts -->

    1. Rename xyz.php to xyz.php.txt, upload it, and then open it in the browser as /path/xyz.php%00.txt

    2. Renaming it to .php3 will bypass a simple filter on .php. The file will still be executed as PHP.

    3. Rename it to .php.test, which will bypass a simple filter on .php; Apache will still use .php as the extension, since this configuration doesn't have a handler for .test.

  2. #2 fb1h2s (Security Researcher)
    Quote Originally Posted by abhaythehero
    1. Rename xyz.php to xyz.php.txt, upload it, and then open it in the browser as /path/xyz.php%00.txt
    I don't think this will work, have you tested this? I don't think Apache could be fooled with %00. Anyway, try it out.

  3. #3 b0nd
    Quote Originally Posted by fb1h2s
    I don't think this will work, have you tested this? I don't think Apache could be fooled with %00. Anyway, try it out.
    I've seen it working a couple of years ago.

  4. #4 abhaythehero (Super Commando Dhruv)
    Quote Originally Posted by fb1h2s
    I don't think this will work, have you tested this? I don't think Apache could be fooled with %00. Anyway, try it out.
    Never tried this. But I think it can work sometimes. Read this in a couple of places too.

    I guess, however, that if that exists, then some part of the server-side code is reading the uploaded file line by line. To be specific, the null-poison vulnerability existed because of a difference in execution between server-side languages and their underlying C libraries (http://insecure.org/news/P55-07.txt). So not Apache, but server-side scripting like PHP, Perl, ASP etc. is the culprit. Maybe newer versions of PHP, Perl, ASP have patched it, but I don't know how.

    Anyhow, I was googling for more upload-restriction bypass techniques. (It is amazing how this lovely Google works ...)

    Got some amazing techniques for ASP and other server-side scripting from this paper (http://www.exploit-db.com/wp-content...docs/12758.pdf) by Soroush Dalili (Dude, did someone tell you that you rock \m/ ?)

    Also try this IIS 5.x/6.x exploit in case you see ASP on these IIS versions: Microsoft IIS ASP Multiple Extensions Security Bypass 5.x/6.x. There are also other exploits for upload bypass in various CMSs. (Somehow it never occurred to me to check exploit-db when doing application testing for file upload. And yes, you should watch the requests using a local proxy too.)

    2 more fun reads regarding this >>
    ASP SHELL BYPASS SingularityX
    Bypass Upload Size Limits


    Moving this thread now to Web Application Penetration Test ...
    Last edited by abhaythehero; 10-03-2012 at 05:31 PM.

  5. #5
    great tips man...

    some sites are not allowing us to upload php..

  6. #6 Webapp Secninja
    Also, we can change the "Content-Type" to image/jpg or image/png etc. while POSTing the data, if MIME Content-Type-based filtering for image files is employed.
    Last edited by prakhar; 01-08-2013 at 02:55 PM.

  7. #7
    Using the edjpgcom tool
    you can inject a tiny shell into a pic;
    modify it while uploading, using TamperData or whatever you use, to xx.php instead of xx.jpg.
    This will keep the JPEG header and dimensions and will bypass many MIME checkers.
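A defender-side counterpart to the tricks in posts #1, #6 and #7 above (null byte in the name, double or alternate extensions, spoofed Content-Type, PHP hidden in a JPEG comment segment), added here as an example and not code from any poster in this thread: a Python upload validator that rejects each of them and stores an accepted image under a random server-chosen name. The magic-byte constants, the allow-list and the sample uploads are constructed for the example.

```python
import os
import re
import secrets

# Constructed magic bytes for the only image types this example accepts.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED = {".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".png": PNG_MAGIC}

# Match a script-handler extension anywhere in the name, not only at the end,
# so xyz.php.txt, xyz.php.test and xyz.php3 are all caught by one rule.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pl|asp|aspx|jsp)(?=\.|$)",
                        re.IGNORECASE)


def validate_upload(filename, content_type, data):
    """Return (accepted, reason, stored_name).

    content_type is accepted only so the caller can log it; it is never used
    for the decision because the client controls it (post #6).
    """
    # xyz.php%00.txt relies on a C string layer truncating the name at NUL.
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename", None
    # Drop any directory part so ../ cannot walk out of the upload folder.
    base = os.path.basename(filename.replace("\\", "/"))
    if SCRIPT_EXT.search(base):
        return False, "script extension present", None
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        return False, "extension not allow-listed", None
    # Check the bytes, not the header: image/jpeg with PHP inside is still PHP.
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension", None
    # A real JPEG can still carry PHP in a comment segment (post #7). This is a
    # crude heuristic that may reject odd but legitimate images; re-encoding
    # the image server-side and never serving uploads from a script-enabled
    # directory are the robust controls.
    if b"<?" in data:
        return False, "possible script tag inside image", None
    # Random server-chosen name with the allow-listed extension, so the client
    # name never reaches the filesystem (the behaviour post #10 describes).
    return True, "ok", secrets.token_hex(8) + ext
```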

  8. #8
    This link, Bypassing File Upload Restrictions (Penetration Testing Lab), has some awesome tips. Please check it out.
    Last edited by klausmmia; 02-07-2013 at 12:43 PM.


  9. #9 amolnaik4 (Web Security Consultant)
    Here is the HackPra presentation which talks about some file upload techniques:

    File in the hole!


  10. #10
    many sites rename the image (shell script) file we upload

    is there a way to bypass that?

    ----------------------------
    many a time I was able to upload a shell script to a website, but it was renamed and saved as a .jpg file

    I also tried to rename the shell from "image.jpg" to "image.php" with Tamper Data,
    but it gets renamed to something like "cdg34efgf.jpg",
    so I am not able to execute it.

    anyone has any solutions?
