software

Arbitrary file Handling (tut)

Introduction

Let's start off with the definition. An arbitrary file is any file on a specific server or system. Basically, the arbitrary file is a file that allows you to modify everything on a system. For example, if you got access to a particular website that is part of a shared server and you manage to root it, the files from the "box" are arbitrary - those on the site itself are not.

Now, there are only a limited number of actions for handling arbitrary files. They are the following three:

* Arbitrary File Deletion

* Arbitrary File Overwriting

* Arbitrary File Uploading

Arbitrary File Deletion

This method is most often used against websites that lack directory access permissions or do not have any at all. In that case, the hacker can directly access the page for file deletion. It is most often used against random websites, since exploring a targeted website to find the path could take quite a lot of time (unless, of course, you already have the server-side files).

I've posted some dorks for arbitrary file deletion below:

inurl:"delete.php?file=" ext:php
inurl:"delete?filename=" ext:php
inurl:"delete.aspx?file=" ext:php
inurl:"action=delete?file=" ext:php

Let's say we've found a website (see image).

We can see in the URL the directory of ../delete.php?file=

In our case the target for deletion is a person's information board. It is just encoded in Base64 for some reason and resolves to the following string:

/www/egypt3/data/peop/Selvia,+John+and+Lisa/phone1

We may use this parameter to delete any file on the server that hosts this particular website, as long as we are aware of the full path or manage to exploit a directory disclosure vulnerability.

Arbitrary File Upload

Use a dork to find an upload script.

inurl:"upload.php?file=" ext:php
inurl:"upload?filename=" ext:php
inurl:"upload.aspx?file=" ext:php
inurl:"action=upload?file=" ext:php

This is what my target looks like: a simple upload page (possibly without any filtering of user input). (See image.)

Try to upload your shell directly. If that is not successful, spoof the extension to one of these using the null byte:

shell.php;.jpg
shell.php..jpg
shell.php.jpg;
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg%00
shell.php%00.jpg
shell.php.jpg;%00
shell.php.jpg%00:;

Then, upon uploading, tamper with the POST request using Tamper Data (this has been covered in a lot of tutorials, and you could really easily search for it rather than me explaining it over and over again) so as to change the extension back to what it really is (.php). (See image.)

Whoops, :D we've got our c99 uploaded on their server. If that method of uploading did not work for you, try using a binder and spoof the extension properly.

Source: Antagonism Group and software
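
The renamed uploads listed in the post only work when the server trusts the client-supplied file name. The following server-side check is an added example, not part of the original post; the function name, the allowlist and the sample content are hypothetical, and the one-dot rule is a deliberately strict policy choice.

```php
<?php
// Added defensive example, not code from the original post.
// Hypothetical allowlist: extension => magic bytes the content must start with.
const ALLOWED = [
    'jpg' => "\xFF\xD8\xFF",
    'png' => "\x89PNG\r\n\x1a\n",
];

// Returns the server-chosen file name for an upload, or null to reject it.
// The client's base name is never reused on disk.
function storedNameFor(string $clientName, string $content): ?string
{
    // Decode leftover URL escapes so "%00" is judged as the NUL byte it stands for.
    $name = strtolower(rawurldecode($clientName));

    // Reject control bytes (NUL included), path separators, ':', ';' and stray '%'.
    if ($name === '' || preg_match('/[\x00-\x1F\x7F\/\\\\:;%]/', $name) === 1) {
        return null;
    }

    // Exactly one dot: "photo.jpg" passes, "shell.php.jpg" and "shell.php..jpg" do not.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }

    // The extension must be allowlisted and the content must match its magic bytes.
    $ext = $parts[1];
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    $magic = ALLOWED[$ext];
    if (strncmp($content, $magic, strlen($magic)) !== 0) {
        return null;
    }

    // Random name plus the vetted extension; nothing from the client reaches the disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo input: the names listed in the post plus one legitimate file.
$jpeg = "\xFF\xD8\xFF\xE0" . str_repeat("\0", 16); // constructed JPEG-like header
$samples = ['shell.php;.jpg', 'shell.php..jpg', 'shell.php.jpg;', 'shell.php.jpg:;',
            'shell.php.jpg%;', 'shell.php.jpg%00', 'shell.php%00.jpg',
            'shell.php.jpg;%00', 'shell.php.jpg%00:;', 'holiday.jpg'];
foreach ($samples as $s) {
    printf("%-20s => %s\n", $s, storedNameFor($s, $jpeg) ?? 'REJECTED');
}
```

Files accepted this way should still be written to a directory outside the web root, or to one where script execution is disabled, so that a file that slips through is served as data and never executed.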
