SCM Player

Friday, 27 February 2015

Uploading Web Shells using Live HTTP Headers

Following the previous post, once you have successfully exploited an SQLi vulnerability and dumped the database for a particular website, you will probably want to do more than just log in to an administrative control panel. It's no secret, yet somehow many people simply do not know what to do with a website once they have compromised the database and gained admin credentials to the control panel (phpMyAdmin, webstore, etc.). Today I will tell you how to upload a web shell through the use of HTTP header manipulation.
Many administrative or user panels allow you to upload images for use as an avatar or in a gallery, etc. Attempting to upload anything that does not have an image file extension (.jpg, .bmp, .gif, etc.) is typically rejected. This is obviously a problem if you are interested in uploading your own files or shells, which is where this guide can prove to be a valuable resource.
Requirements: 

(Uploading Web Shells using Live HTTP Headers) Tutorial:
  1. Log in to the compromised site as an admin (using the credentials you dumped from the SQL database), then find a place to upload a file on that particular site (typically an image upload form).
  2. Rename your shell to shell.php.jpg (or whatever that site supports; in most cases the upload form will tell you which file types are acceptable. For simplicity in this tutorial, I have renamed it to shell.php.jpg.)
  3. Start the Live HTTP Headers add-on by clicking "Tools" in the Firefox menu bar and selecting Live HTTP Headers from the dropdown list.
  4. Upload your shell (shell.php.jpg) in the browser using the upload form.
  5. You should now see something similar to this in Live HTTP Headers:
  6. In the Live HTTP Headers window, locate and click on the "shell.php.jpg" text.
  7. Click on the Replay button.
  8. A new window will open; in that window there will be two boxes.
  9. In the bottom box, find the name of your shell (shell.php.jpg), rename it to shell.php, and click the Replay button again.

Next, determine where the image upload form is storing the uploaded files. This is typically done by finding a legitimate image uploaded with the form and right-clicking on it to view its properties. For example, say the form uploads images to a folder called 'images'. You right-click your avatar image and determine that the upload form stores the images in the 'www.example.com/images/' folder. This is where your shell will be located. We can access our shell by navigating our browser to www.example.com/images/shell.php.
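The bypass above works because the site checks the file extension only in the browser (or only on the filename the browser first sent) and then trusts the filename inside the replayed multipart request. The following is an added example of the server-side check that closes this hole; it is not code from the original post, and the function names, the extension allowlist and the constructed sample inputs are assumptions. The filename is taken from the multipart Content-Disposition field (the very value the Replay window edits), validated against an allowlist, checked against the file's magic bytes, and then discarded in favour of a random server-generated name.

```python
import os
import secrets

# Allowlist: image extension -> magic bytes the content must start with.
ALLOWED_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}


def filename_from_content_disposition(header_value):
    """Extract the filename parameter from a multipart Content-Disposition value.

    This is the field a replayed request rewrites (shell.php.jpg -> shell.php),
    so it is untrusted input and must never be used as the storage name.
    """
    for param in header_value.split(";"):
        key, _, value = param.strip().partition("=")
        if key.strip().lower() == "filename":
            return value.strip().strip('"')
    return None


def validate_upload(client_filename, content):
    """Server-side check of one uploaded file.

    Returns (safe_filename, None) on success or (None, reason) on rejection.
    """
    base = os.path.basename(client_filename.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # Exactly one extension: rejects shell.php.jpg-style double extensions
        # as well as names with no extension at all.
        return None, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return None, f"extension .{ext} is not an allowed image type"
    if not any(content.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return None, "file content does not match the claimed image type"
    # Never reuse the client name: store under a random name with the
    # verified extension, in a directory where script execution is disabled.
    return f"{secrets.token_hex(16)}.{ext}", None


# Constructed sample request parts, as a replaying client would send them.
CONSTRUCTED_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
CONSTRUCTED_PHP = b"<?php // constructed placeholder, not a real script\n"
```

The magic-byte check alone does not stop a polyglot file that is both a valid image and a script, which is why the random rename and a non-executable upload directory carry the real weight.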
