Breaking Sec

Full Version: Avatar shell upload
Comments please =D
(learning purposes only ^_^)
There are many ways to upload a shell to a website; by far the easiest and best way is via avatar image uploading. How to exploit it, you might ask? Well, it's quite simple. Let's say you have a website that allows you to upload an avatar. The code for verifying that the file is an image might look something like this:
PHP Code:
function file_extension($filename)
{
    // Split on "." and return the LAST piece, i.e. the text after the final dot.
    // end() needs a variable, not a function result, so assign first.
    $parts = explode(".", $filename);
    return end($parts);
}

This will strip everything before the "." and check if the file extension is in fact an image file. Of course, the code above doesn't check if it's an image file, but it's just showing the basic principle of how file extension checks work.
So now to exploit it. We could go about this several ways; the easiest would be to add two extension names:
Code:
Example: "lolnotashell.jpg.php"
The code above will only strip the text to the first ".", so it will see .jpg.php, but it won't check for the .php part, which is the real file extension. So basically .jpg is a ghost extension name.
Another way to exploit an avatar image upload system is to use null meta-characters such as "%00". This will make sure that the system doesn't automatically add a new extension name like .jpg or .gif.
Code:
Example: "lolnotashell..php%00.jpg", or else "lolnotashell.php%00.jpg"; sorry, I forget which way it goes. I'm tired, ha.

So I hope this helps you in some sort of way.
~3ethicalhackers.com
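To make the two filename tricks concrete, here is an added example, written for this page and not code from the post above or from 3ethicalhackers.com. It models a PHP-style avatar upload check in Python: `first_extension` is a check that only looks at the text after the first dot (the kind the double-extension trick beats), `last_extension` is what `end(explode(".", $filename))` in the post actually returns (the text after the last dot, which rejects `.jpg.php` but can be beaten with a NUL byte on PHP releases before 5.3.4, whose filesystem functions stopped at the first NUL), and `hardened_store` is the fix a practitioner would want. The allowed and executable extension lists, the assumption that the handler URL-decodes `%00` into a real NUL byte, and the sample filenames are all constructed for the demonstration.

```python
# Added example, not code from the original post or from 3ethicalhackers.com.
# A Python model of a PHP-style avatar extension check and of the two
# filename tricks described in the post. Names and lists are assumptions.
from typing import Optional

ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "gif", "png"}
# Extensions a PHP-enabled web server would hand to the interpreter (assumed list).
SERVER_EXECUTES = {"php", "php3", "php5", "phtml"}


def first_extension(name: str) -> str:
    """Naive check: the text right after the FIRST dot.
    'lolnotashell.jpg.php' -> 'jpg', so the image check passes."""
    parts = name.split(".")
    return parts[1].lower() if len(parts) > 1 else ""


def last_extension(name: str) -> str:
    """What end(explode('.', $filename)) from the post returns:
    the text after the LAST dot. 'lolnotashell.jpg.php' -> 'php'."""
    parts = name.split(".")
    return parts[-1].lower() if len(parts) > 1 else ""


def decode_client_name(raw: str) -> str:
    """Assumption: the upload handler URL-decodes the submitted filename,
    so a %00 in it becomes a real NUL byte."""
    return raw.replace("%00", "\x00")


def stored_name(name: str, nul_truncates: bool) -> str:
    """Name the file ends up with on disk. PHP before 5.3.4 passed paths to
    C string functions, which stop at the first NUL byte; newer PHP does not,
    so nothing is cut off and the .jpg suffix stays."""
    if nul_truncates and "\x00" in name:
        return name.split("\x00", 1)[0]
    return name


def upload_outcome(raw_name: str, check, nul_truncates: bool = False) -> dict:
    """Run one upload through the given extension check and report whether it
    was accepted, the name it was stored under, and whether the web server
    would execute the stored file."""
    name = decode_client_name(raw_name)
    if check(name) not in ALLOWED_IMAGE_EXTS:
        return {"accepted": False, "stored": None, "executable": False}
    stored = stored_name(name, nul_truncates)
    return {
        "accepted": True,
        "stored": stored,
        "executable": last_extension(stored) in SERVER_EXECUTES,
    }


# Hardened handler: ignore the client's filename altogether. Detect the type
# from the file's own leading bytes and store under a server-chosen name.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def hardened_store(content: bytes, server_id: int) -> Optional[str]:
    """Return the stored filename (e.g. '121.jpg'), or None if the bytes are
    not a recognised image. The client-supplied name is never consulted."""
    for magic, ext in IMAGE_MAGIC.items():
        if content.startswith(magic):
            return f"{server_id}.{ext}"
    return None


if __name__ == "__main__":
    # Constructed sample uploads, not real files.
    cases = [
        ("lolnotashell.jpg.php", first_extension, False),
        ("lolnotashell.jpg.php", last_extension, False),
        ("lolnotashell.php%00.jpg", last_extension, True),
        ("lolnotashell..php%00.jpg", last_extension, True),
        ("lolnotashell.php%00.jpg", last_extension, False),
    ]
    for raw, check, nul in cases:
        print(f"{raw!r:30} {check.__name__:16} nul_truncates={nul!s:5} "
              f"-> {upload_outcome(raw, check, nul)}")
    print(hardened_store(b"<?php system($_GET['c']); ?>", 121))
    print(hardened_store(b"\xff\xd8\xff\xe0" + b"\x00" * 16, 121))
```

Running it shows the double-extension name passing the first-dot check and landing on disk as an executable `.php`, the same name being rejected by the last-dot check, both `%00` variants from the post working only when the NUL byte truncates the stored name, and the hardened handler refusing a PHP payload while storing a real JPEG as `121.jpg`. That server-chosen name with a fixed extension is exactly what the later reply in this thread runs into: once the server decides the stored extension, neither filename trick has anything left to control.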
Finally. Getting out of the cancer phase.
Nice, but I've got a problem with some services: when I upload, the site changes the name (shell.php%00.jpg) to 121.jpg.
What can I do?