Today i want to share some techniques which i use to bypass the uploaders to upload shell i hope you will find this article informative.
Hackers always try to find a way inside to exploit and upload their shell to the server or website and for this many times they have to face the restricted uploaders like some uploaders allow only image files like .jpg or .gif etc.
Uploaders actually work in a same way rather they are in php , asp , aspx or any other file format but the technique from which the up loaders detect the shell is same and below are the methods by which uploaders detect the shell.
How They Detect the Shell / virus
- By Name
- By Source Code
As i have mentioned the two types of uploaders the one is By name and the second is by Source code now below are the ways by which they detect the uploaders.
- By Name
- Disallows the file if it consists .php name
- Allow,s the file if it consists .jpg
- Allows the file if it consists ‰PNG ( It is Included in every PNG Image file in Starting )
- Disallow,s the file if it consists of <?php ( included in every php file in starting )
First We will cover the topic No 1
Many Uploaders only detect the php file by its name like if our shell is named shell.php it will read its name and will disallow it but how could we by pass it ?
- We can bypass the uploader by creating a combination of upper case and lower case in php file like .PhP or pHP or pHp
- we can also bypass it by simply adding .png name in its name before .php because we know that many uploaders read the name of a file and if it contains .png or .jpg in its name they will alow that file to upload example shell.png.php or shell.png.pHp
One of the most popular advance method used by attackers or hackers is by editing the HTTP Request and sending a customized request to the server and this method works for many peoples.
We will use a Firefox add-on for this purpose so download it by clicking here ( Live HTTP Headers )
First Rename the shell file into .jpg like mine is cmd.asp i will rename it into cmd.jpg
Now we have this uploader and chose your cmd.jpg or the file which you want to upload
Now after chosing your file , in FireFox click on Tools > Live Http Headers >
And after this Live Http Headers will start up and make sure that capture box is checked and after click on upload to upload your file and Live Http Headers will start capturing the Http packets.
Now Scroll Upside and try to find the name of your file like mine is cmd.asp and after finding that click on it and click on replay and after clicking on it a new window will pop up like below
Now After clicking on replay you will get the name of your file like cmd.asp and rename it into cmd.jpg.asp and now click on replay and it will resend the http customized request to the server by saying that it is an image file even if named .asp server will allow it because of the http customized request.
And in this way we can also bypass the uploader so our topic one got cleared now lets proceed to the topic to which is Detecting by reading the source code.
- By Reading the Source Code
So by adding some source code of picture in the starting of the php file this will allow us to bypass the uploader like below as shown in the picture so click on it to zoom.
Here we have opened one png image file in a notepad and copied the source code from starting of it and pasted it into the php shell file so when we will upload the uploader will scan the %PNG symbol and will allow the file to get upload but keep in mind that there are many uploaders which reads the complete source code and if there,s a <?php any where in the file this will deny the php file So also try to encrypt the php file.
إرسال تعليق