1
00:00:01,630 --> 00:00:08,380
Right, so now that we managed to upload a file to the target computer using the low security level, let's

2
00:00:08,380 --> 00:00:12,790
see if we can do it if we increase the security of the target website.

3
00:00:12,820 --> 00:00:19,680
So I'm going to exit out of this and I'm going to go to my vulnerable web app.

4
00:00:20,110 --> 00:00:25,780
Let's go to the security settings, and as you can see before it was set to low.

5
00:00:25,810 --> 00:00:28,260
So I set it there to medium.

6
00:00:28,480 --> 00:00:33,080
Then click on submit, and now the security level is medium.

7
00:00:33,100 --> 00:00:40,420
So let's go back to our file upload and try to upload our shell right here, the same shell that we uploaded

8
00:00:40,420 --> 00:00:41,050
before.

9
00:00:42,810 --> 00:00:45,540
And I'm going to click on upload the exact same way.

10
00:00:46,020 --> 00:00:51,810
And as you can see it says your image was not uploaded, and it's complaining about the headers.

11
00:00:53,720 --> 00:00:59,150
Let's see if we can upload an image, so let's just make sure that the program didn't break and we can

12
00:00:59,150 --> 00:01:00,590
still upload images.

13
00:01:00,620 --> 00:01:05,580
So I'm just going to upload the same image again, the camera image, and I'm going to upload.

14
00:01:05,910 --> 00:01:11,280
And as you can see, we can upload images but we cannot upload PHP files.

15
00:01:11,330 --> 00:01:13,950
So obviously now the target is more secure.

16
00:01:15,380 --> 00:01:21,620
And now we're approaching this from a black box point of view, so we don't have the source code to see

17
00:01:21,620 --> 00:01:22,380
what's happening.

18
00:01:22,550 --> 00:01:26,770
So there's a number of ways that you can filter the files uploaded.

19
00:01:26,780 --> 00:01:32,620
One method is to check if the file is an image, to check the file type.

20
00:01:32,660 --> 00:01:34,430
If it's an image then upload it.

21
00:01:34,490 --> 00:01:36,020
Otherwise don't do that.

22
00:01:36,160 --> 00:01:39,280
If that's the way that they're doing it then we can bypass that.

23
00:01:39,560 --> 00:01:42,280
So let's see how we can do that first.

24
00:01:42,350 --> 00:01:49,900
The file is being uploaded using a POST method, so to modify the POST parameters we're going to use

25
00:01:50,080 --> 00:01:51,460
Burp Suite.

26
00:01:51,470 --> 00:01:57,700
I'm going to click on Burp Suite here.

27
00:01:57,920 --> 00:02:04,980
So we're going to go to the Proxy tab, Intercept, and before we can use this we just need to set up

28
00:02:05,040 --> 00:02:13,910
our browser to use Burp proxy.

29
00:02:14,130 --> 00:02:15,460
I'm going to click OK.

30
00:02:15,870 --> 00:02:22,400
And now everything I do on this browser right here will be sent through Burp proxy.

31
00:02:22,500 --> 00:02:28,490
So what we're going to do is we're going to modify our file right here, the shell.php.

32
00:02:28,700 --> 00:02:34,940
And because we can upload JPEG images I'm going to rename this file and I'm going to call it shell

33
00:02:34,990 --> 00:02:39,380
dot jpg.

34
00:02:39,390 --> 00:02:46,070
Now obviously if I upload this file this way it's not going to work, because it has a .jpg and not a .php

35
00:02:46,080 --> 00:02:47,070
extension.

36
00:02:47,130 --> 00:02:50,180
So the target's computer, or the target server,

37
00:02:50,220 --> 00:02:55,710
when I try to run it, it's just going to render it as an image, and I want to be able to execute the code

38
00:02:55,710 --> 00:03:02,500
that I want to, so we're going to upload that as an image first and then we're going to intercept it

39
00:03:02,570 --> 00:03:07,530
in Burp Suite and convert its extension to .php to bypass the filter.

40
00:03:09,050 --> 00:03:11,110
Let me do it and it'll become more clear.

41
00:03:11,110 --> 00:03:15,880
So I'm going to click on that and upload it.

42
00:03:16,030 --> 00:03:19,400
Now this upload has been intercepted in here.

43
00:03:19,840 --> 00:03:21,590
And let's see what happens.

44
00:03:21,590 --> 00:03:24,780
So you can see that the file is being uploaded.

45
00:03:24,880 --> 00:03:31,640
The Content-Type is set to image/jpeg and the file name is shell.jpg.

46
00:03:31,690 --> 00:03:38,250
Now what we're going to do is we're going to modify that and set this to .php, and we're going

47
00:03:38,250 --> 00:03:40,970
to leave the Content-Type as image.

48
00:03:41,040 --> 00:03:46,700
This will allow us to bypass the filter and it will store our file as shell.php.

49
00:03:46,710 --> 00:03:51,630
Now, just to make sure that this is not going to overwrite the old shell and you'll think that nothing

50
00:03:51,630 --> 00:03:52,520
got uploaded,

51
00:03:52,530 --> 00:03:54,370
I'm going to call it shell2 dot

52
00:03:54,370 --> 00:03:56,780
php.

53
00:03:56,970 --> 00:03:58,130
So that's it.

54
00:03:58,150 --> 00:04:01,970
I'm going to forward this packet.

55
00:04:02,170 --> 00:04:04,700
And as you can see now we get a message saying

56
00:04:04,760 --> 00:04:09,400
now the file has been uploaded and it's called shell2.php.

57
00:04:09,410 --> 00:04:14,870
Now if we go back to our terminal and use the same as we were using before, because it's the same shell,

58
00:04:14,870 --> 00:04:19,970
same password, I'm just going to call shell2.php and try to communicate with it.

59
00:04:20,030 --> 00:04:26,420
I'm going to hit enter, and as you can see now I managed to connect to the target computer, or to the

60
00:04:26,420 --> 00:04:34,220
target server, and I managed to upload my shell by intercepting the packet and changing the file name

61
00:04:34,250 --> 00:04:36,440
from .jpg to .php.