Skills Assessment

  • Try to exploit the upload form to read the flag found at the root directory "/".

On the main site I can see a /contact/ section where I can upload an image (screenshot), but in its source code I can see a whitelist -->

Intercept this request with Burp Suite -->

XXE

Try changing the extension to .svg - IT WORKS! - Then I need to test the Content-Type for XML/SVG:

cat /usr/share/seclists/Discovery/Web-Content/web-all-content-types.txt | grep svg

image/svg+xml
application/vnd.oipf.dae.svg+xml

Inside the file body, insert the malicious XML -->

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

With that, other malicious payloads can be used, for example to view this site's index.php -->

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>

We can see the content of index.php base64-encoded; with it, we can enumerate other endpoints of the site, for example upload.php.

Decode the base64:

Alright!! With it we can see that the path where the files/images are saved is /user_feedback_submissions/, probably contact/user_feedback_submissions/; we can also see how the saved images are renamed:

$fileName = date('ymd') . '_' . basename($_FILES["uploadFile"]["name"]);

date('ymd') + '_' + name of the uploaded file

With that, I can test with a simple upload whether I can see the picture -->

WebShell Upload

First, again remove the front-end restrictions -->

Then, with Burp active, intercept the image upload request and send it to Repeater:

We can upload a simple web shell, but... we need to test every combination of Content-Type, magic numbers and extensions.

First, we modify the extension to see which ones get through -->

ws.phar.jpg - double extension, nice! We can use Intruder for this.

Second, we need to put malicious code in the body, for example a web shell, and try to upload it. The safest way: take a normal web shell and alter its Content-Type and MIME type -->

With that, we can see that the correct Content-Type is jpg or jpeg and the magic number is the one JPEG images use.

Finally, we can see the uploaded content base64-encoded. And with the other vulnerability, XXE, we can view the path where the images are saved: contact/user_feedback_submissions/date('ymd')_<name of the uploaded file> -->
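As an added example (not the lab's own code, which is PHP), here is the recovered naming scheme reproduced in Python beside a validator that rejects the three bypasses used in this write-up: the .svg rename carrying an external entity, the ws.phar.jpg double extension, and a Content-Type or magic number that disagrees with the extension. Sample uploads in the comments and assertions are constructed.

```python
import os
import re
import secrets
from datetime import date

# Whitelist used by the hardened validator (an assumption, not the lab's list).
EXT_TO_MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png"}
MAGIC_TO_MIME = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png"}
NAME_RE = re.compile(r"[a-z0-9_-]{1,64}")

def lab_filename(original):
    # Python equivalent of  date('ymd') . '_' . basename($_FILES[...]["name"])
    # as recovered through XXE above. Predictable: anyone who knows the upload
    # directory can compute the stored path of their own file.
    return date.today().strftime("%y%m%d") + "_" + os.path.basename(original)

def validate_upload(name, content_type, body):
    """Return (ok, reason). Every claim the client makes about the file must agree:
    exactly one whitelisted extension, a matching Content-Type, matching magic bytes."""
    parts = name.lower().split(".")
    if len(parts) != 2 or not NAME_RE.fullmatch(parts[0]):
        return False, "bad name or multiple extensions"      # blocks ws.phar.jpg
    ext = parts[1]
    expected = EXT_TO_MIME.get(ext)
    if expected is None:
        return False, f"extension .{ext} not allowed"        # blocks the .svg rename
    if content_type.split(";")[0].strip() != expected:
        return False, "content-type does not match extension"
    for magic, mime in MAGIC_TO_MIME.items():
        if body.startswith(magic):
            if mime == expected:
                return True, "ok"
            return False, "magic number does not match extension"
    # No image header: flag XML with a DTD/entity, which is what the XXE payloads carry.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return False, "xml doctype/entity in upload (XXE attempt)"
    return False, "unknown magic number"

def safe_filename(name, content_type, body):
    """Hardened replacement for lab_filename: validate first, then store under a
    random name whose extension comes from the validated type, never from the client."""
    ok, reason = validate_upload(name, content_type, body)
    if not ok:
        raise ValueError(reason)
    return f"{secrets.token_hex(16)}.{name.lower().rsplit('.', 1)[1]}"
```

A JPEG-header polyglot with PHP after the magic bytes still passes this check, which is why the single-extension rule (and serving uploads from a location the server will not execute) carries more weight than the magic-number check alone.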
