Exploiting file upload vulnerability

The site has moved to the root domain, where all posts are imported. Please go to http://pusheax.com/

I got the job done very quickly after finding a file upload vulnerability in a website. I was pentesting a network remotely (black-box testing) and it was really hard. I often browsed their website. I was not even able to ping their IP because it was behind a firewall. The only things left for me to try were social engineering and web pentesting (really, I was confused!!! If the SE and web hacking methods did not work then perhaps my heart was about to have an attack!!! lol (my heart is not weak)). Anyway, I scanned the site with various vulnerability scanners... no luck!!! So I started browsing the site manually (and Googling randomly; truthfully I didn't know what to look for).

Suddenly I found a personal file upload link, which was hell to find, but my friend Google helped me a lot. The link was like: www.hired-me.org/test/personal/re_al/file2010.php . It accepted only 3 file extensions: JPEG, TEXT, CSV. At first I did not think this link had any vulnerability (I was already confused by the fucking scanner!!!).

How I exploited it:

First I uploaded a JPEG file and tried to find the location where it was saved. That was also hard (does my knowledge suck?). OK, at least I found the JPEG file was located at www.hired-me.com/index/hidden/director/test.jpeg , everything okay. Then I quickly created a PHP file [test.php]:

<?php
// Minimal probe: if the server runs this, the uploaded file is being executed as PHP.
echo "This is test";
?>

I quickly tried to upload "test.php" and "test.jpeg.php" but got the error "Unknown File Extension". This error made me sure that the file extension was filtered.

Again I renamed "test.php" to "test.php.jpeg". Now no error!!! wow!!
I quickly checked www.hired-me.com/index/hidden/director/test.php.jpeg and the page displayed "This is test". Then I decided to upload a real PHP backdoor, uploaded some rooting tools, created SSH access and then compromised two additional machines. Job done!!!
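The filter in the story refused "test.jpeg.php" but let "test.php.jpeg" through, which means it only looked at the last extension and then left it to the web server to decide what to execute. The following is an added example, not code from the original post or from the site described; it contrasts that weak check with a hardened upload handler that ignores the client-supplied name entirely, refuses any executable segment in a double extension, and verifies file content against the extension. The allowed types, the list of executable extensions and the sample inputs are constructed for the example.

```python
import os
import re
import secrets

# Constructed for this example: the three upload types the post says the form accepted,
# mapped to the magic bytes a genuine file of that type starts with (None = plain text).
ALLOWED_EXTENSIONS = {"jpeg": b"\xff\xd8\xff", "txt": None, "csv": None}

# Extensions a PHP-enabled web server may execute; refused wherever they occur in a name.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def weak_is_allowed(filename: str) -> bool:
    """The kind of check the post ran into: it only inspects the trailing extension.

    'test.jpeg.php' is refused, but 'test.php.jpeg' passes, and an Apache mod_php
    setup that maps any '.php' segment to the PHP handler will still execute it.
    """
    return filename.lower().rsplit(".", 1)[-1] in ALLOWED_EXTENSIONS


def validate_upload(filename: str, content: bytes):
    """Hardened check. Returns (stored_name, None) on success or (None, reason) on refusal.

    The client-supplied name is never reused: the file is stored under a random name
    carrying only the vetted extension, so 'test.php.jpeg' can never reach disk as such.
    """
    if "\x00" in filename:
        return None, "null byte in name"
    base = os.path.basename(filename.replace("\\", "/"))   # drop directory components
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        return None, "no extension"
    ext = parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return None, "extension not allowed"
    # Refuse double extensions such as test.php.jpeg outright instead of trusting
    # the web server's handler configuration to ignore the inner segment.
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[:-1]):
        return None, "executable extension in name"
    magic = ALLOWED_EXTENSIONS[ext]
    if magic is not None and not content.startswith(magic):
        return None, "content does not match extension"
    if magic is None and b"<?" in content:   # text types: refuse PHP open tags
        return None, "script tag in text upload"
    return f"{secrets.token_hex(16)}.{ext}", None


def is_stored_name(name: str) -> bool:
    """True if 'name' has the shape validate_upload() produces: 32 hex chars plus a vetted extension."""
    return re.fullmatch(r"[0-9a-f]{32}\.(jpeg|txt|csv)", name) is not None


if __name__ == "__main__":
    # Constructed sample inputs mirroring the post: a real JPEG header and a PHP probe.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    probe = b'<?php echo "This is test"; ?>'
    for name, data in [("test.jpeg", jpeg), ("test.php.jpeg", probe), ("test.jpeg.php", probe)]:
        print(f"{name:16} weak={weak_is_allowed(name)!s:5} hardened={validate_upload(name, data)}")
```

The handler-side check is only half of the fix. The reason "test.php.jpeg" executed is that Apache's `AddHandler` directive matches any `.php` segment of a multi-extension name; restricting the PHP handler to names that end in `.php` (a `<FilesMatch "\.php$">` block with `SetHandler`) and keeping uploads outside the document root removes the second half of the bug. On the detection side, a listing of the upload directory, or of web server access logs, filtered for names with two extensions is a cheap way to spot this class of upload after the fact.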

Feedback is welcome!!!


5 Replies to “Exploiting file upload vulnerability”

  1. For rooting you actually need to gather information such as root, users, applications, etc. There are many Linux applications that have buffer overflow vulnerabilities. For example, there may be an application running as root that has a buffer overflow vulnerability. So if you can exploit that vulnerability then of course you will have root.

    But most of the time people get it with a kernel vulnerability. Check their kernel version and Google, exploit-db, packetstormsecurity, etc.

  2. If you have access to a vulnerable file upload you are able to start to maintain access with a simple PHP backdoor such as r57/c99, weevely, etc. etc., google them 😉
