Web Shell Upload via Content-Type Restriction Bypass
- Published: 31 Jul 2024
- 👩🎓👨🎓 Learn about File Upload vulnerabilities. This lab attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this. To solve the lab, we'll upload a basic PHP web shell and use it to exfiltrate the contents of a "secret" file.
Overview:
0:00 Intro
0:18 Background: File upload vulnerabilities
4:59 Background: Flawed file type validation
6:37 Challenge info
7:22 Attempt PHP webshell upload
8:20 Content-type restriction bypass
9:30 Remediations
10:46 Conclusion
For more information, check out blog.intigriti.com/hackademy/...
🔗 Portswigger challenge: portswigger.net/web-security/...
🧑💻 Sign up and start hacking right now - go.intigriti.com/register
👾 Join our Discord - go.intigriti.com/discord
🎙️ This show is hosted by / _cryptocat ( @_CryptoCat ) & / intigriti
👕 Do you want some Intigriti Swag? Check out swag.intigriti.com
I agree with all defense mechanisms you mentioned, except the last one. Randomizing the location of the file is useful in case you won't display the file, but in the case of profile pictures, you usually want to use a link to the picture, because the user needs to see the picture, thus accessing it. The only way to protect there is to not have that file uploaded in the first place 🤓
Great point! That particular technique will be ineffective for such use cases 😁 It's rare to find features that don't rule out (or impede) one security measure or another though. Just apply as many as you possibly can, for the defence-in-depth 🧱
Thanks for the wonderful video 😍
Thanks for the wonderful feedback! 🥰
amazing!
Thank you! 💜
Sir, the php file doesn't work for me. I think there's some problem with executing the php file on my laptop. In fact, I can't even open the php file on my laptop. So, what can I do in this case?
Hmmm the php file should execute on the remote server, rather than your laptop.. Double check the official portswigger solution to see if the steps are clearer 😉
I am testing a friend's website, on which I am able to upload a jpg file with PHP contents in them. However, the website automatically changes the name of the file to my profile name. For example: profile.jpg. When I do a GET request I can see the PHP content in the jpg file, but it appears to be in plain text. Does that mean it is not vulnerable?
If the file extension is not .php, then the server won't interpret it as a PHP file. Maybe you can try some tricks like "file.jpg.php", "file.php%00.jpg", "file.pHp" etc. Also, bear in mind the server itself will need to be able to execute PHP, no good uploading a .php file to an ASP.net site, for example.
@intigriti The restriction seems to be on the content-type, it doesn't really do anything with the filename, but I'll try what you've said. Thanks for the quick reply!
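The lab in the description fails because it trusts the client-supplied Content-Type header, and the reply above lists the usual filename tricks that a weak extension check misses (double extensions, null bytes, mixed case). The following is an added example, not code from the video, the lab, or Intigriti: a flawed check beside a hardened one, written as a hypothetical profile-picture upload handler. The allowlist, magic bytes and sample uploads are constructed for the demonstration; the "remediations" in the hardened version (ignore Content-Type, judge only the last extension after lower-casing, reject null bytes and path characters, require matching magic bytes, store under a random server-chosen name) are standard practice and not specific to the lab.

```python
import secrets
from typing import Tuple

# Constructed allowlist: extension -> leading magic bytes the body must start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",            # JPEG start-of-image marker
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",                    # GIF87a / GIF89a
}

# Constructed sample uploads (not real files from the lab).
PHP_BODY = b"<?php echo 'constructed sample'; ?>"
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def flawed_check(content_type: str) -> bool:
    """The pattern the lab models: accept the upload if the CLIENT says it is an image.
    The header is fully attacker-controlled, so a .php body sent with
    Content-Type: image/jpeg sails through."""
    return content_type.lower() in ("image/jpeg", "image/png", "image/gif")


def hardened_check(filename: str, data: bytes) -> Tuple[bool, str]:
    """Server-side validation that never looks at Content-Type.
    Returns (True, canonical_extension) or (False, reason)."""
    # Null bytes (file.php%00.jpg after decoding) and path separators are never legitimate.
    if any(c in filename for c in ("\x00", "/", "\\")) or any(ord(c) < 32 for c in filename):
        return False, "illegal character in filename"
    # Judge only the LAST extension, lower-cased: file.jpg.php and file.pHp both become "php".
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:
        # Also rejects dotfiles such as .htaccess, which have no base name.
        return False, "missing extension"
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not allowed"
    # The body must look like the image type the extension claims.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    return True, ext


def stored_name_for(filename: str, data: bytes) -> str:
    """Name the file on disk ourselves: random token plus the validated extension.
    The original filename is never used for the path. Raises ValueError on rejection."""
    ok, info = hardened_check(filename, data)
    if not ok:
        raise ValueError(info)
    return f"{secrets.token_hex(16)}.{info}"


if __name__ == "__main__":
    print("flawed_check accepts PHP as image/jpeg:", flawed_check("image/jpeg"))
    for name in ("shell.php", "shell.jpg.php", "shell.pHp", "shell.php\x00.jpg", ".htaccess"):
        print(repr(name), "->", hardened_check(name, PHP_BODY))
    print("avatar.JPG ->", hardened_check("avatar.JPG", JPEG_BYTES))
    print("stored as", stored_name_for("avatar.JPG", JPEG_BYTES))
```

The random stored name still yields a stable URL for a profile picture: the application keeps the mapping from user to stored name in its database and links to that, which addresses the point raised earlier in the comments that the picture must remain reachable. The magic-byte check does not stop a valid JPEG that also carries PHP text, but because the file can only ever be stored with an image extension, the server never hands it to the PHP interpreter, which is exactly the distinction the reply above draws.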
Sir, how do I create that shell.php file? What should be inside it?
Something like this would be good:
Then, you can execute commands with portswigger-lab-url.com/shell.php?cmd=whoami
Uploading .htaccess won't work if the file name will be changed once it's been uploaded?
I can't see how it could work 🤔
@intigriti Alright. Thanks for your answer. Was thinking if there are some ways to do it.
first and hello crypto 😁
hello there! 💜
How to solve it without a burp suite?
You could just use the devtools in Firefox / Chrome (edit/resend the request and modify headers). If you want to practice some coding, why not write a script in your language of choice to accomplish the same (normally python for me) 🙂
I really liked your videos, sir. I am new to this field. Please suggest how to start bug bounty and give me some roadmap.
Thank you! It really depends on your prior knowledge/experience. If you are totally new to hacking, I'd recommend getting stuck into these resources: github.com/Crypto-Cat/CTF#hacking-resources
The most valuable for bug bounty is probably the portswigger WebSecAcademy but platforms like HackTheBox and TryHackMe are great as well. Check out the regular CTF events on CTFTime as well!
If you are already quite competent, you can just jump onto programs on your favourite BB platform (hopefully intigriti) and start looking for bugs! Make sure to read plenty of bug reports in the meantime, e.g. pentesterland and hackerone disclosed reports. Check out BB creators like BBRE (gregxsunday), NahamSec, InsiderPhd etc, they make great videos.
Note, these aren't exclusive - you can spend some time on BB getting hands on practical experience, while spending the rest of your time on education. Good luck! 💜
You are good, but you move too fast and you do not explain how you created the web shell. The system does not work, and we are stuck on the webshell. Please don't assume we know. Try to explain step by step, showing all areas.
Hey, thanks! For the webshell, just create a file called "something.php" containing the PHP code you see at 7:35, simple as that 😉 You can also generate reverse shells for various languages from revshells.com
Hi there, I'm also stuck there. I got it and created a php file and wrote this in it, but it doesn't save this and keeps saying it might include a virus or unwanted software. What was the "$" for? Did you specialise that sign for some command on cmd?
Thanks in advance for reply