[вопрос] arbitrary file upload

[b3g3m0t]

камрады, есть админпанелька, в которой пытаюсь залить пхп шелл под видом картинки (неожиданно, да )))
подскажите, как можно обойти фильтры, если за это дело отвечает вот такой вот скрипт

Спойлер

<script>
        var ext_img=new Array('jpg','jpeg','png','gif','bmp','tiff','svg');
        var allowed_ext=new Array('jpg','jpeg','png','gif','bmp','tiff','svg','doc','docx','rtf','pdf','xls','xlsx','txt','csv','html','xhtml','psd','sql','log','fla','xml','ade','adp','mdb','accdb','ppt','pptx','odt','ots','ott','odb','odg','otp','otg','odf','ods','odp','css','ai','kmz','zip','rar','gz','tar','iso','dmg','mov','mpeg','m4v','mp4','avi','mpg','wma','flv','webm','mp3','mpga','m4a','ac3','aiff','mid','ogg','wav');
        var image_editor=true;
        //dropzone config
        Dropzone.options.rfmDropzone = {
            dictInvalidFileType: "File extension is not allowed.",
            dictFileTooBig: "The uploaded file exceeds the max size allowed.",
            dictDefaultMessage: "Drop file here to upload",
            dictResponseError: "SERVER ERROR",
            paramName: "file", // The name that will be used to transfer the file
            maxFilesize: 10, // MB
            url: "upload.php",
                        init: function() {
                this.on("success", function(file,res) {
                    file.previewElement.addEventListener("click", function() {
                        apply(res,'');
                    });
                });
            },
                        accept: function(file, done) {
                var extension=file.name.split('.').pop();
                extension=extension.toLowerCase();
                if ($.inArray(extension, allowed_ext) > -1) {
                    done();
                }
                else {
                    done("File extension is not allowed.");
                }
            }
        };

....
....
....
</script>

не дает залить ни siski.php.jpg, не принимает подмену Content-Type, GIF89a в первой строке файла тоже не алё, не принимает старые .pht и новые php8, toLowerCase() исправляет PhP и т.д.
пробовал залить .htaccess, файл загружается но исправляется на "file.txt" т.к. файл без имени изначально и толку ноль опять...
куда копать, где собаки зарыты?

 

[luminous]

[ Не реклама ]

https://forum.antichat.com/threads/307894/

 

[fsocietyy]

https://book.hacktricks.xyz/pentesting-web/file-upload

GitHub - PortSwigger/upload-scanner: HTTP file upload scanner for Burp Proxy

HTTP file upload scanner for Burp Proxy. Contribute to PortSwigger/upload-scanner development by creating an account on GitHub.

github.com

 

[XINERVA]

Its javascript code, so this is client side protection. You can use burp suite to bypass client side protection also can disable javascript codes.

 

[b3g3m0t]

Its javascript code, so this is client side protection. You can use burp suite to bypass client side protection also can disable javascript codes.

No. I think that the request is handled on the server side too, on both sides . First I tried of course to edit requests to the server via Burp and delete this script from server response... nothing works as expected

 

[XINERVA]

No. I think that the request is handled on the server side too, on both sides . First I tried of course to edit requests to the server via Burp and delete this script from server response... nothing works as expected

I understood. You can check this link for bypassing :

https://book.hacktricks.xyz/pentesting-web/file-upload

 

[b3g3m0t]

I understood. You can check this link for bypassing :

https://book.hacktricks.xyz/pentesting-web/file-upload

I know this link

and this good checklist too

Malicious File Upload Checklist | Notion

Checklist

aacle.notion.site

I'm lookin for more graceful solutions like this

If you can upload .zip file on target then:
1. create a .php file (rce.php)
2. compress it to a .zip file (file.zip)
3. upload your .zip file on target
4. trigger your rce via https://your_target_site.com/index.php&page=zip://path?file.zip#rce.php)

or like this

"...I started testing that file upload feature so I tried to upload .php extension file but that was rejected. So after digging a little bit I found out that there was “WhiteListing” of the files. So only file extension which is allowed is being uploaded. Basically, it was only verifying the last extension of that file. So what I did was open Burpsuite, capture the request and change the file extension but I failed. So after some time, I found out that it was double-checking the file extension(Client Side and Server Side).
After I found out that I first uploaded an image file then capture it with burp suite and change its content to PHP code then forward the request while uploading it. Now here comes the main part, Even I have uploaded the file, I haven’t published it yet so before clicking the publish button I turn on burp suite again and change the extension of that file to .PHP, and BOOM! It got Uploaded
..."

 

[xiaolongbao]

Пробовали ли вы играть с магическими байтами?

 

[b3g3m0t]

Пробовали ли вы играть с магическими байтами?

sure, that's basics

 

[PlatinumGoose]

sure, that's basics

А можно чуть больше инфы, спрашиваю для знакомого )))

 

[b3g3m0t]

А можно чуть больше инфы, спрашиваю для знакомого )))

пробегись по ссылкам выше, там хорошие подсказки по данной теме