1
00:00:00,120 --> 00:00:06,210
OK, so the next vulnerability that we're going to get into for Web applications is actually malicious,

2
00:00:06,210 --> 00:00:07,530
followable vulnerabilities.

3
00:00:07,830 --> 00:00:14,710
So when an application accepts file uploads, it may allow us to remotely execute code on that server.

4
00:00:15,030 --> 00:00:22,350
So depending on what checks the application actually does, we may be able to upload a malicious payload,

5
00:00:22,830 --> 00:00:29,130
which is just malicious code that does that excuse commands for us and probably connects back to our

6
00:00:29,130 --> 00:00:29,910
computer or something.

7
00:00:31,110 --> 00:00:37,590
We'll be able to actually up that, upload that to the server and then execute it by browsing through

8
00:00:37,590 --> 00:00:44,070
Internet browsing so we can use this, for example, to create a way to execute shell commands remotely.

9
00:00:44,100 --> 00:00:49,670
So let's go ahead and try to check out how we can potentially take advantage of malicious volleyball's.

10
00:00:50,130 --> 00:00:51,150
OK, so what?

11
00:00:51,150 --> 00:00:52,440
The file, upload screen.

12
00:00:52,440 --> 00:00:55,650
So just in Devoir, click on upload.

13
00:00:55,980 --> 00:01:01,980
So it says choose an image to upload, then we can click on here and we can browse and find a file.

14
00:01:02,530 --> 00:01:03,750
Then we clicked the upload button.

15
00:01:03,750 --> 00:01:08,780
So let's actually look at the source code just so we can have an idea of, you know, what's going on.

16
00:01:09,090 --> 00:01:16,920
So it makes a post request and it's looking for this upload to be set and you're OK.

17
00:01:17,020 --> 00:01:20,780
So right here, this sets where the file is going to get uploaded to.

18
00:01:20,790 --> 00:01:29,580
So we know that is going to be in the root directory for the database server and then it's going to

19
00:01:29,580 --> 00:01:31,280
be in this hackable folder.

20
00:01:31,290 --> 00:01:33,000
And then also this uploads folder.

21
00:01:33,180 --> 00:01:35,100
That's where the files will be at.

22
00:01:35,250 --> 00:01:41,880
And then whatever the name that's passed in with, the files are going to be set at the name and pretty

23
00:01:41,880 --> 00:01:43,440
much what to saying right here.

24
00:01:45,780 --> 00:01:47,100
This is what is going to say.

25
00:01:47,100 --> 00:01:50,160
Look at the file was unable to be uploaded there, attending.

26
00:01:50,160 --> 00:01:51,090
That is the image.

27
00:01:51,990 --> 00:01:54,330
But we're not really going to upload an image.

28
00:01:54,540 --> 00:01:59,400
And then also right here, this is what we're going to see if we actually successfully upload.

29
00:02:00,180 --> 00:02:06,390
So let's go ahead and exit back out and start to think about what we can do.

30
00:02:06,810 --> 00:02:15,530
So the source code doesn't really look to see if an image file is being uploaded so we can upload everyone.

31
00:02:15,570 --> 00:02:20,560
We know that PSP is operating on the back of the server so we can make a script.

32
00:02:20,910 --> 00:02:24,380
So what we can do is actually clear this out.

33
00:02:24,660 --> 00:02:29,700
So what we can do I have a file that I created is called It Showed Up.

34
00:02:30,660 --> 00:02:33,240
So we get showed.

35
00:02:34,380 --> 00:02:34,930
There we go.

36
00:02:35,160 --> 00:02:37,860
So it's a very, very simple script.

37
00:02:38,370 --> 00:02:41,220
And this is it's just going to be one thing.

38
00:02:41,220 --> 00:02:45,740
It's just going to grab, you know, a command line, pretty much going to grab a show.

39
00:02:46,050 --> 00:02:53,550
So this prescript start, as you've seen since we've been looking at source code for Vista, it starts

40
00:02:53,550 --> 00:02:59,400
with the less than Arrow questionmark and ends with the question mark.

41
00:02:59,400 --> 00:03:01,410
Any greater than symbol are you?

42
00:03:01,410 --> 00:03:02,460
Code goes in between.

43
00:03:02,490 --> 00:03:09,060
So all we're doing is the system we're call the system function and then it's going to get which actually

44
00:03:09,420 --> 00:03:15,700
this will spawn a shell and then it's going to do it and get request and look for what's set ACMD.

45
00:03:16,110 --> 00:03:24,120
So what we can do is actually upload this file and then browse to it in a browser because we know where

46
00:03:24,420 --> 00:03:30,670
it's being uploaded to and then we can actually pass in, you know, a command for CNBC.

47
00:03:30,690 --> 00:03:33,510
So let's go ahead and try that out so we can go over here.

48
00:03:33,520 --> 00:03:37,720
So let's just say Browse already have the shell files.

49
00:03:37,720 --> 00:03:41,000
So get so there we go.

50
00:03:41,400 --> 00:03:43,080
So I can upload.

51
00:03:43,230 --> 00:03:46,340
Now it says, OK, it's uploaded successfully.

52
00:03:46,650 --> 00:03:49,940
So what we can do is actually browse to it.

53
00:03:50,190 --> 00:03:53,130
So let's just do it right here.

54
00:03:53,490 --> 00:03:56,240
So do back out right here.

55
00:03:56,590 --> 00:04:03,600
Where is the directory as we know from the source code and then it's going to be hackable slash uploads

56
00:04:05,610 --> 00:04:08,960
and then slash and get shell PSP.

57
00:04:09,380 --> 00:04:14,930
If we just hit enter is just saying, like I cannot execute a blank command.

58
00:04:15,000 --> 00:04:18,700
So we know that is actually, you know, looking for a come in.

59
00:04:19,020 --> 00:04:21,810
So what we can do is try to pass in a command.

60
00:04:21,810 --> 00:04:26,990
So the way that we're going to do that, as you've seen with the URLs, will have to be followed.

61
00:04:27,000 --> 00:04:31,470
And I have a question mark and then we can start to pass in, you know, different variables and such.

62
00:04:31,650 --> 00:04:33,000
So we're going to do ACMD.

63
00:04:33,000 --> 00:04:34,680
Let's do however, as you see right here.

64
00:04:34,890 --> 00:04:36,260
So can you hear me?

65
00:04:36,810 --> 00:04:41,550
And then it's always with a W w dash data user.

66
00:04:41,550 --> 00:04:44,270
So what we can also do is just different stuff we can do.

67
00:04:44,280 --> 00:04:45,270
Who am I?

68
00:04:45,540 --> 00:04:50,150
We could do you know, let's see what's in this folder right now.

69
00:04:50,160 --> 00:04:57,540
We do a present working directory, so we have pretty much access to whatever we want on this system

70
00:04:58,050 --> 00:04:59,340
because not doing the.

71
00:05:00,000 --> 00:05:05,250
Correct checks, so now let's go back and since we know how to do that, you can imagine what we can

72
00:05:05,250 --> 00:05:07,330
do with that vulnerability right there.

73
00:05:07,350 --> 00:05:14,430
So let's crank it up to medium and actually medium difficulty and actually see what we can do.

74
00:05:14,670 --> 00:05:22,230
So we're going to go over to divi security, the medium we're going to hit submit, and then we'll go

75
00:05:22,230 --> 00:05:26,310
back over here and let's try this out, OK?

76
00:05:26,340 --> 00:05:30,930
So for the medium difficulty, follow upload winnability.

77
00:05:31,260 --> 00:05:35,130
What we can do is let's look at the source code and see what's different.

78
00:05:35,130 --> 00:05:41,580
So this time is looking for a name, is looking for and type in a size.

79
00:05:41,880 --> 00:05:49,950
And it's saying, hey, the type of father we upload is is an image or a jpeg and upload size less than

80
00:05:49,950 --> 00:05:50,490
this amount.

81
00:05:50,520 --> 00:05:51,960
We're going to allow it to be uploaded.

82
00:05:52,140 --> 00:05:55,080
Otherwise it's going to give this message.

83
00:05:55,080 --> 00:05:56,710
An image was not uploaded.

84
00:05:56,940 --> 00:06:03,530
So what we need to do is tricky into thinking that our profile is an image and we can do that with berp.

85
00:06:03,810 --> 00:06:05,620
So let's go ahead and try that out.

86
00:06:05,640 --> 00:06:06,760
So let's get out of here.

87
00:06:07,350 --> 00:06:08,940
Let's turn on our proxy.

88
00:06:10,590 --> 00:06:13,870
Let's go over to Bird, make sure that interceptor is on.

89
00:06:13,890 --> 00:06:17,770
So on the proxy intercept intercept is on.

90
00:06:18,600 --> 00:06:24,480
So now all we need to do one more thing that I did just to show that we're doing something different.

91
00:06:24,490 --> 00:06:27,750
So I made another file, which is a copy of the same file.

92
00:06:27,990 --> 00:06:35,040
It's called Get Another Shot, the same exact stuff, same exact just one line of people.

93
00:06:35,430 --> 00:06:37,520
So we're going to use that file.

94
00:06:37,800 --> 00:06:39,570
So let's go ahead and browse.

95
00:06:40,780 --> 00:06:46,850
Let's just get the shot at P and let's hit upload.

96
00:06:46,860 --> 00:06:52,220
So now it pulls up over and burped so we can modify this before it's enough.

97
00:06:52,560 --> 00:06:58,410
So instead of modifying up here, we're going to modify actually down here where this constant site

98
00:06:58,450 --> 00:06:59,340
application.

99
00:06:59,820 --> 00:07:03,570
So we're going to change this to image slash jpeg.

100
00:07:03,840 --> 00:07:06,900
And now what this is wants to do is make the request.

101
00:07:07,080 --> 00:07:11,940
Crewmembers say, hey, this is an image file and it's not really doing a check to make sure that it

102
00:07:11,940 --> 00:07:12,210
is.

103
00:07:12,240 --> 00:07:16,490
So we have forward that allows the request to go.

104
00:07:16,530 --> 00:07:25,920
We go back to the Web browser, hey, successfully upload it so now we can browse to so divi w a slash

105
00:07:25,920 --> 00:07:26,820
hackable.

106
00:07:27,520 --> 00:07:30,200
I don't want to send a proxy offers to us.

107
00:07:30,250 --> 00:07:32,190
It's going to stop it.

108
00:07:32,400 --> 00:07:43,560
Solice slash hackable slash uploads slash get another show hp.

109
00:07:44,190 --> 00:07:48,290
So the see it gives the same blank command issue.

110
00:07:48,300 --> 00:07:49,890
So let's do questionmark.

111
00:07:50,250 --> 00:07:54,670
CFD equals ellis' you know.

112
00:07:54,780 --> 00:07:56,510
So there we go.

113
00:07:56,520 --> 00:08:03,360
Now we see what now we, we see that we have a shell and we can see the different actually files that

114
00:08:03,360 --> 00:08:05,790
are in the directory right now is pretty neat.

115
00:08:06,480 --> 00:08:10,850
And that's how you would circumvent, you know, like a check for like just the filicide.

116
00:08:11,070 --> 00:08:14,160
OK, so let's take this up one more level.

117
00:08:14,160 --> 00:08:20,940
So let's go to security, bump it up to high hit submit and let's go back over to upload to see how

118
00:08:20,940 --> 00:08:24,560
the code is changed and see what we're going to have to do to circumvent it now.

119
00:08:24,960 --> 00:08:31,140
So the difference pretty much here is that it's going to be looking for a file extension.

120
00:08:31,140 --> 00:08:39,780
So it's going to look for something like jpeg jpg, any form of J-P jpg or JPEG in the same upload size.

121
00:08:39,780 --> 00:08:45,270
So we don't have an issue with upload size part, we just have an issue with the extension because let's

122
00:08:45,270 --> 00:08:53,190
go back and if we try to just upload our shell file upload, it's not going to upload.

123
00:08:53,700 --> 00:08:58,370
Your image is not uploaded because it does not the image based on, you know, the extension.

124
00:08:58,680 --> 00:09:01,740
So this was actually pretty simple.

125
00:09:03,060 --> 00:09:05,760
And you can see actually I've already done it in my directory.

126
00:09:05,760 --> 00:09:06,660
You can do it as well.

127
00:09:06,660 --> 00:09:08,490
Let's go to the camera during the quake.

128
00:09:08,700 --> 00:09:18,420
So let's just make a copy of get show up and let's just call it show that that jpg.

129
00:09:18,750 --> 00:09:27,000
So just by doing this is going to make the application think that is a JPEG file, but it's still going

130
00:09:27,000 --> 00:09:30,540
to execute as a PDF file when we browse to it.

131
00:09:30,810 --> 00:09:39,990
So let's go ahead and try to upload this browse, you see, get show speed jpg.

132
00:09:40,620 --> 00:09:48,150
So let's go ahead and try to get this in here, upload a successfully upload it because it's passed

133
00:09:48,150 --> 00:09:49,110
the extension check.

134
00:09:49,470 --> 00:09:55,020
So now it is actually browse through it and let's test to see if it works so hackable.

135
00:09:57,120 --> 00:09:58,570
Did you do the.

136
00:10:00,860 --> 00:10:13,310
Slash uploads, slash, get show that p g and let's just do this right here, Sandy Exubera and as you

137
00:10:13,310 --> 00:10:16,100
can see, it actually went ahead and executed.

138
00:10:16,500 --> 00:10:22,270
So even though it has that jpg extension on it, it's still thinks it's a free file.

139
00:10:22,430 --> 00:10:27,010
So that's the way that you can also bypass, you know, if it's doing an extension check.