bradrom
How to detect this flaw?
The classic method (it can work, honestly)
The classic method is simply to try uploading a .php file. If it goes through, the webmaster is a monkey.
The old way.
The server may only reject the exact extension .php, so we can try a file with the extension .php2 instead.
Double extensions
Just give your file a double extension, if the dev accepts the file as soon as he detects .jpeg or .png in the name.
Example: backdoor.php.jpeg
or backdoor.php.png
MIME type
Modify the Content-Type in the HTTP request (using Tamper Data, for example): for instance, change application/octet-stream to image/jpeg.
Null Byte
We can always try the null byte (%00), which truncates the file name at that point for the underlying file system calls, like this: file.php%00.jpeg
Still not?
You can always try to combine the different techniques.
Once found, it can be exploited.
Defacement
For those who:
-want to show they're a darkhax0r.
-want to send a message
-just want to, because they're bored.
-and so on...
We can deface a site in a few lines of code thanks to an upload vulnerability:
PHP:
<?php
$fp = fopen("../../../index.php", "w"); // Opens ../../../index.php for writing; mode "w" truncates it, so the existing code is overwritten
fwrite($fp, "ERROR");                   // Writes "ERROR" into the file. Replace with your defacement (HTML, JS, CSS code)
fclose($fp);                            // Flush and close the handle
The backdoor
The backdoor can be very interesting ;).
You can have fun coding your own backdoor, but don't reinvent the wheel: there are already plenty of them; here is a list: http://www.r57.gen.tr/
Once the backdoor is installed, you can have fun, because you can do a lot of things: execute commands, read/write/delete files, open ports...
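From the defender's side, both the defacement above (an overwritten index.php) and a dropped backdoor show up as changes in the web root. As an added example, not from the original post, here is a minimal integrity check: take a baseline of file hashes at deploy time, compare against it later, and separately count server-side scripts in the upload directory, which should always be zero. The directory paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal integrity check for a
# web root. An overwritten index.php (the defacement above) or a script dropped
# into the upload directory (a backdoor) both show up as a difference against
# a baseline taken at deploy time. All paths are assumptions.

# Write "sha256  ./relative/path" for every file under $1 into file $2,
# sorted so two snapshots can be compared line by line.
webroot_baseline() {
  dir="$1"; out="$2"
  ( cd "$dir" && find . -type f | sort | while IFS= read -r f; do sha256sum "$f"; done ) > "$out"
}

# Compare the current state of $1 with baseline $2. Prints changed/added/
# removed entries and returns 1 if anything differs, 0 if the tree is intact.
webroot_check() {
  dir="$1"; base="$2"
  cur=$(mktemp)
  webroot_baseline "$dir" "$cur"
  changes=$(diff "$base" "$cur" | grep '^[<>]' || true)
  rm -f "$cur"
  if [ -n "$changes" ]; then
    printf '%s\n' "$changes"
    return 1
  fi
  return 0
}

# Count server-side scripts under the upload directory $1. The upload filter
# should keep this at 0; anything else means a script got past it (a .php2 or
# .phtml name counts, since many servers execute those too).
php_in_uploads() {
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) | wc -l | tr -d ' '
}
```

Run webroot_baseline once after deployment and webroot_check from cron; a non-zero exit with "> ./uploads/something.php5" or "< ./index.php" in the output is exactly the trace the two sections above would leave. Note that a double-extension name like picture.php.jpeg is deliberately not counted by php_in_uploads, because the fix for that case is on the upload and server-configuration side, not in the scan.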
Conclusion
A flaw not to be overlooked; it can do big damage :S. There must be other ways to find this flaw, unfortunately I do not know them.
Go look at how people protect themselves from this flaw, and see if there isn't a way to get around that protection.
How do people protect? http://antoine-herault.developpez.com/tutoriels/php/upload/
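The tutorial linked above covers the server side in detail. As an added example (not code from the original post, nor from that tutorial), here is an upload handler that closes each gap listed under "How to detect this flaw?": it allow-lists only the last extension (so backdoor.php.jpeg is stored as .jpeg and file.php2 is refused), ignores the client's Content-Type and sniffs the real bytes, rejects null bytes and path separators in the name, and stores the file under a random name. The upload directory path and the form field name 'avatar' are assumptions.

```php
<?php
// Added example, not code from the original post: a hardened upload handler.
// $uploadDir and the form field name 'avatar' are assumptions.

// Allowed last extensions and the sniffed MIME type each one must carry.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
];

function validate_upload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }

    // Null byte / path tricks: accept nothing but a plain file name.
    $name = $file['name'];
    if (strpos($name, "\0") !== false || $name !== basename($name)) {
        throw new RuntimeException('suspicious file name');
    }

    // Extension: take the LAST one, lowercased, and allow-list it.
    // backdoor.php.jpeg -> 'jpeg' (stored as an image), file.php2 -> refused.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // Never trust the Content-Type the client sent: sniff the bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content is $mime, not a $ext image");
    }
    // Belt and braces: a real image must decode.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }

    // Discard the user's name entirely: random name, known-safe extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $stored;
}

// Usage (assumed field name and a directory outside the web root):
// $stored = validate_upload($_FILES['avatar'], '/var/app/uploads');
```

Two notes on why the rename matters. On Apache, a classic "AddHandler application/x-httpd-php .php" applies to every extension in the name, so a file kept as picture.php.jpeg would still run as PHP; a random single-extension name removes that. And the upload directory itself should never execute scripts: keep it outside the document root, or turn the engine off for that directory (for mod_php, "php_admin_flag engine off" in the matching Directory block), so that even a filter mistake leaves nothing to run.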
Thank you for reading; give it a like if it taught you a few things, I spent a little time writing this tutorial, thank you ;).