Exploiting an Arbitrary File Upload Vulnerability [Pics/Video]

An arbitrary file upload vulnerability is a vulnerability that can be exploited by malicious users to compromise a system. In this case, the application incorrectly validates the file extension on any uploaded file. Well... that pretty much speaks for itself. If used correctly, it can lead to shelling, executing remote code... all that good stuff.

First off, since I've been getting tons of PMs about the Firefox add-on and theme I'm using, I figured I should just link them here.

FTDeepDark Theme
HackBar

Requirements
Now for this tutorial, you're going to need Firefox and an add-on called Tamper Data.

You can download it here

Once you've got it installed, restart Firefox and you can get started.


Finding Vulnerabilities

Now what you're going to want to do is find a vulnerable upload form. How do you find these? A pretty common method known around here is using Google dorks.

Here's the example I'll be using in this tutorial.

Code:
inurl:/upload.php intext:Image Upload

Now you can create your own, find your own, and use your own dorks.

Once you've found your site, you should be at an upload form.
It should look something like this.

Testing The Upload Form
Now try and upload your shell in regular format, to see if you'll need to continue.

Code:
Unrecognized image type

Now try and upload it in image format.

Modifying The POST Content
It worked. Now we're going to go back, re-upload, and modify the POST content.
Go back to your upload form, select your shell in image format, and go to Tools > Options > Tamper Data.

It should look something like this..

Now click start tamper, and upload your file.
A popup will come up and ask you if you want to continue tampering. If it's sending information about the upload form, click continue tampering and click tamper.


Now a whole new form should come up, it looks like this.

Everything on the right is where we change our file extension. That is the POST data.

Now find your filename and remove your null byte and spoofed extension. Here's an example of what it should be changed to.

Code:
WSO.php.jpg

Code:
WSO.php


Now click OK, and your file should upload. Now all you have to do is find your shell, sometimes you can right click it (if it's a broken image), other times it'll be in the page source. This will work with several different upload forms, inside administrator panels, and other things as well. Hope you guys understand, good luck and happy hacking. Shoutout to Zer0Lulz!

Resources

Test Site - This site will get raped by everyone anyways....
Shell Pack (Image Format) || Virus Scan
Tamper Data

Video

Sorry, I had to re-do the video around 5 times, and it got annoying, so I skipped the text in notepad and just showed you what happens in action. It's here if you want to read it. My Camtasia studio ran out too, that explains the quality.





Code:
Today I'm gonna be showing you how to get your shell uploaded via exploiting an arbitrary file upload vulnerability. Once you've found your vulnerable form, try uploading your shell in PHP format..

"Unrecognized image type".

As you can see, it filters PHP image uploads. That doesn't mean we can't shell it though :3

Now we want to try and upload it in its image format.
No error this time, it worked fine! Of course the shell won't work like this, but we're only 1 step away.

Go back to your upload form, and go to tools > options > tamper data.

Now select your shell in image format again. Now start tamper, and upload your shell.

This is where we change our file extension, in the POST_DATA field.
Remove your null byte and file extension, and leave .php on there.

Click OK, and let it do its work.

Uploaded our shell, just like that. Let's check if it worked...
Woot!

If you liked the video, comment/rate/sub!
Peace.

[Image: downfallsignature.png]
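
From the defender's side, the flaw shown above is that the handler checks that the upload looks like an image but then stores it under whatever filename arrives in the POST data. The following is an added example, not code from the original post or from the site it was tested on, of a handler that never lets the client-supplied name reach the filesystem; `store_upload()`, the `ALLOWED` table and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: the stored name is decided server-side, never taken from the request.
// store_upload(), ALLOWED and the sample inputs are hypothetical / constructed.
const ALLOWED = [                       // extension => leading magic bytes
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1A\n",
    'gif' => "GIF8",
];

function detect_image_ext(string $bytes): ?string {
    foreach (ALLOWED as $ext => $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return $ext;
        }
    }
    return null;
}

// In a real handler $bytes comes from $_FILES[...]['tmp_name'] after is_uploaded_file().
function store_upload(string $clientName, string $bytes, string $destDir): ?string {
    $ext = detect_image_ext($bytes);
    if ($ext === null) {
        return null;                    // rejected: not an allowed image type
    }
    // The client-supplied name is used for logging only, after sanitising.
    $claimed = preg_replace('/[^a-z0-9]/', '',
        strtolower(pathinfo($clientName, PATHINFO_EXTENSION)));
    if ($claimed !== $ext && !($claimed === 'jpeg' && $ext === 'jpg')) {
        error_log("upload: claimed extension '$claimed' != detected '$ext'");
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;   // random name, allowlisted extension
    $path = $destDir . DIRECTORY_SEPARATOR . $stored;
    if (file_put_contents($path, $bytes, LOCK_EX) === false) {
        return null;
    }
    chmod($path, 0640);                 // never executable
    return $stored;
}

// Constructed samples: (filename as sent in the POST data, file bytes)
$samples = [
    ['photo.jpg', "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16)],
    ['WSO.php',   "GIF89a" . '<?php /* placeholder */'],   // image header, tampered name
    ['WSO.php',   '<?php /* placeholder */'],              // no image header at all
];
foreach ($samples as [$name, $bytes]) {
    $stored = store_upload($name, $bytes, sys_get_temp_dir());
    printf("%-10s -> %s\n", $name, $stored ?? 'rejected');
}
```

A file with an image header and embedded PHP is still accepted here, but it lands as `.gif` under a random name, so a server that only maps `.php` to the interpreter will not execute it, and the name/type mismatch is logged for detection. Serving uploads from a directory with script execution disabled, or re-encoding the image before storing it, closes the remaining gap.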