Hello, I was attempting a file upload vulnerability with a php web shell masquerading as a PDF. Fairly straightforward, however I remembered the strict WAF. I took notes of payloads that would trigger the WAF and decided I only needed simple encoding to bypass it. I don't code in PHP, although I have in the past, so I thought a python wrapper would work for me. The code generates a payload along with handling the shell output. The python code will double encode the command with base64 before sending and the web shell will return the command output in base64. The python code handles encoding/decoding along with writing the output to a file. As this is a web shell, it can be accessed over Tor.
This gave me a shell running as the user NT Authority/System. I had a lot of fun getting into this computer because it was accomplished with no special tools other than ones I made. This was one of four vulnerabilities used to gain this access.
Hopefully Google Translate works:
Hi, I was trying to exploit a file upload vulnerability using a PHP web wrapper masquerading as a PDF file. Pretty straightforward, but I remembered the strict WAF. I wrote down the payload that triggers the WAF and figured I only needed some simple encoding to bypass it. I don't write PHP code, although I have in the past, so I thought a Python wrapper would do the trick. The code generates the payload along with handling the output of the wrapper. The Python code will base64 encode the command twice before sending it, and the web wrapper will return the output of the command in base64. The Python code handles the encoding/decoding along with writing the output to a file. Since it's a web wrapper, it can be accessed using TOR.
This gave me a shell running as the NT Authority/System user. I had a lot of fun working with this computer because it was made without any special tools other than the ones I made. Four vulnerabilities were exploited to do this.
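A defender-side check for the two tricks the post describes, added here as an example and not the poster's code: verifying that an upload declared as a PDF really starts with the PDF header and carries no PHP open tag, and peeling nested base64 off a request parameter so a command hidden behind double encoding surfaces in the logs. The PHP marker list, the command-word list, the 8-character minimum for a base64 candidate and the four-layer limit are assumptions.

```python
import base64
import re

# Every genuine PDF starts with this header; a PHP file dressed up as a PDF does not.
PDF_MAGIC = b"%PDF-"
# PHP open tags that have no business inside a document upload (assumed list).
PHP_MARKERS = (b"<?php", b"<?=")
# Shape of a base64 string worth trying to decode.
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
# Command words that mark the innermost layer as a shell command (assumed list).
CMD_RE = re.compile(r"\b(whoami|cmd\.exe|powershell|net user|ipconfig|dir|type)\b", re.I)


def is_fake_pdf(data: bytes) -> bool:
    """True when an upload declared as PDF lacks the PDF header or embeds PHP tags."""
    if not data.startswith(PDF_MAGIC):
        return True
    return any(marker in data.lower() for marker in PHP_MARKERS)


def _printable(data: bytes) -> bool:
    return all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def peel_base64(value: bytes, max_layers: int = 4):
    """Strip nested base64 layers; returns (layers_removed, innermost_bytes)."""
    layers, current = 0, value.strip()
    # Assumed: candidates shorter than 8 chars are not worth decoding.
    while layers < max_layers and len(current) >= 8 and B64_RE.match(current):
        try:
            decoded = base64.b64decode(current, validate=True)
        except ValueError:  # not valid base64 after all
            break
        if not _printable(decoded):  # a real layer decodes to text, not junk
            break
        layers, current = layers + 1, decoded
    return layers, current


def flag_request_param(value: str) -> dict:
    """Report a parameter hiding a command behind two or more base64 layers."""
    layers, inner = peel_base64(value.encode())
    text = inner.decode("ascii", errors="replace")
    suspicious = layers >= 2 and CMD_RE.search(text) is not None
    return {"layers": layers, "decoded": text, "suspicious": suspicious}
```

The printable check stops the peeler from counting an ordinary word such as "ipconfig" as a base64 layer just because its length and alphabet happen to fit.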