1
00:00:01,330 --> 00:00:05,870
In this lecture we're going to have a look at file upload vulnerabilities.

2
00:00:05,870 --> 00:00:12,080
These are the simplest type of vulnerabilities because they allow us to upload any type of file.

3
00:00:12,140 --> 00:00:15,690
So for example, if the target computer can understand PHP,

4
00:00:15,800 --> 00:00:24,470
then we can upload any PHP file or a PHP shell and get full control over the target's computer. Now if

5
00:00:24,470 --> 00:00:29,320
the target's computer or the target server understands Python or any other language,

6
00:00:29,360 --> 00:00:32,920
then you can just upload Python code, a Python shell or a Ruby shell.

7
00:00:33,020 --> 00:00:39,830
You can create these shells using Veil-Evasion or Metasploit, or you can use your own PHP or Python

8
00:00:39,890 --> 00:00:40,340
shell.

9
00:00:43,620 --> 00:00:49,050
What we're going to do today is we're going to have a look at a tool called Weevely that generates PHP

10
00:00:49,050 --> 00:00:56,460
shells and allows us to gain access and do a number of other cool things on the target computer.

11
00:00:56,460 --> 00:01:01,640
So first of all I have my DVWA here.

12
00:01:01,710 --> 00:01:06,240
And usually when you're trying to pentest a website, what I recommend is, before trying to use any

13
00:01:06,240 --> 00:01:11,910
tools or anything, after you do your information gathering, you just go in and try to browse the

14
00:01:11,910 --> 00:01:14,400
website and see what you can see.

15
00:01:14,640 --> 00:01:20,070
Just get a feel of the website, see what's installed on it and all that, and try to exploit any features

16
00:01:20,070 --> 00:01:21,040
you see.

17
00:01:21,120 --> 00:01:26,890
So for example, let's say you went through everything and then you reached the upload. We can see that this

18
00:01:26,930 --> 00:01:29,040
website allows us to upload a file.
19
00:01:29,050 --> 00:01:35,050
Now this sometimes, in your penetration testing tasks, it could be a website that's allowing you

20
00:01:35,050 --> 00:01:41,110
to upload a profile picture, a picture if it's a classifieds website, maybe it's allowing you to upload

21
00:01:41,110 --> 00:01:46,240
pictures of cars or whatever you're trying to add to the website.

22
00:01:46,280 --> 00:01:51,460
So as you can see here, the website expects you to choose an image and upload an image.

23
00:01:51,530 --> 00:01:53,910
So let's see if we can upload an image first.

24
00:01:53,960 --> 00:02:01,400
So I'm gonna go to my downloads and I have a picture here in the resources, just a picture of a car.

25
00:02:01,710 --> 00:02:08,480
I'm gonna upload it and see if it gets uploaded, and we can see that the upload was successful and it's

26
00:02:08,490 --> 00:02:11,330
stored in this particular location.

27
00:02:11,340 --> 00:02:18,040
So it's ../../ which means two directories back and then this file name.

28
00:02:18,120 --> 00:02:20,990
So let's see if the picture has actually been uploaded.

29
00:02:21,040 --> 00:02:25,200
So I'm taking away two directories, taking away the 'vulnerabilities' and 'upload' ones.

30
00:02:25,260 --> 00:02:33,020
I want to use that, and then we're going to get to this location on the server just to see if the picture

31
00:02:33,020 --> 00:02:34,310
was uploaded properly.

32
00:02:38,110 --> 00:02:40,140
And as you can see, the picture has been uploaded.

33
00:02:40,150 --> 00:02:41,150
So that's all good.

34
00:02:42,460 --> 00:02:47,950
Now the next thing we want to do, let's try and upload a PHP file, and to do that we're going to use a

35
00:02:47,950 --> 00:02:48,850
tool called Weevely.
36
00:02:48,850 --> 00:02:55,530
As I said, to create a payload or a shell, if you want to call it that, and obviously it's gonna

37
00:02:55,570 --> 00:03:01,030
be a PHP shell, you can use Metasploit as I said to create a PHP payload, but we're going to

38
00:03:01,030 --> 00:03:08,090
be just having a look at a different tool that's designed for web application penetration testing, so

39
00:03:08,090 --> 00:03:09,490
the tool is very easy.

40
00:03:09,500 --> 00:03:17,870
We're going to put the tool name, which is weevely, and then we're going to put generate because we want

41
00:03:17,870 --> 00:03:24,230
to generate a payload or a shell file, then we will put a password for that file so that only us can

42
00:03:24,560 --> 00:03:28,570
access it and control the website when we upload it to the website.

43
00:03:28,580 --> 00:03:33,740
So my password is gonna be 123456 and then I'm gonna say where I want to store it

44
00:03:33,770 --> 00:03:41,960
and I want to store it in /root and I'm gonna call it shell.php. So very simple: weevely is the

45
00:03:41,960 --> 00:03:47,990
name of the program, generate is to generate a shell, the password that the shell is going to authenticate

46
00:03:47,990 --> 00:03:53,990
us with, and it's going to be stored in /root/shell.php. Gonna hit enter and it's created.

47
00:03:53,990 --> 00:04:00,910
Now if I am already in my /root, if I just do ls I should see it, and we can see it right here.

48
00:04:01,070 --> 00:04:05,150
So the next thing is we're just gonna go back to our website and try to upload that shell

49
00:04:11,690 --> 00:04:18,770
and I'm going to look for shell, and here it is. Going ahead and uploading.

50
00:04:19,010 --> 00:04:23,960
And as you can see now it's telling me the file has been uploaded successfully and it's in the same place

51
00:04:23,960 --> 00:04:25,300
that the picture was.
52
00:04:25,310 --> 00:04:32,540
So all we need to do now is we're going to use the same link and we're gonna use Weevely again to interact

53
00:04:32,630 --> 00:04:34,480
with that shell that we uploaded.

54
00:04:34,490 --> 00:04:38,500
Now let's first of all see if the shell exists and it's been uploaded properly.

55
00:04:38,510 --> 00:04:44,560
So I'm just gonna browse through my browser to shell.php.

56
00:04:44,740 --> 00:04:50,350
And you can see that you get a blank page, so we're not getting 404 file not found, which means that

57
00:04:50,410 --> 00:04:52,680
the file has been uploaded and it's there.

58
00:04:52,690 --> 00:04:56,430
So we're gonna try to interact with it, so we need to connect to it.

59
00:04:56,440 --> 00:05:01,980
We're gonna type in weevely and then we're gonna put the URL where the shell is.

60
00:05:02,000 --> 00:05:06,050
So this is where our shell has been uploaded, and then we're gonna put the password.

61
00:05:06,060 --> 00:05:09,050
So my password was 123456.

62
00:05:09,050 --> 00:05:10,330
Very simple really.

63
00:05:10,460 --> 00:05:13,890
The URL where the file is and 123456.

64
00:05:13,910 --> 00:05:18,980
This is very simple, it's similar to when you use your multi/handler waiting for connections or connecting

65
00:05:19,220 --> 00:05:19,940
to your backdoor.

66
00:05:20,150 --> 00:05:25,340
So we're literally just going to connect to the backdoor that we uploaded, and as you can see now we're

67
00:05:25,340 --> 00:05:26,770
in the file system.

68
00:05:26,780 --> 00:05:33,500
So from Weevely, from this place, you can actually just type in any Linux command and you'll be

69
00:05:33,500 --> 00:05:37,460
able to... it'll be executed on the target computer and you'll see the result here.

70
00:05:37,490 --> 00:05:44,980
So if I do a pwd you'll see that I'm in /var/www/hackable/uploads.
71
00:05:45,140 --> 00:05:55,660
And if I do an id I'll see my user at the moment, which is www-data, and if you do uname

72
00:05:55,690 --> 00:06:00,720
-a just to confirm that this is the Metasploitable machine, you'll see that this is the Linux

73
00:06:00,730 --> 00:06:02,000
Metasploitable machine.

74
00:06:02,110 --> 00:06:07,720
Now we can do anything we want, we can list files, we can navigate, you can do any Linux command that

75
00:06:07,720 --> 00:06:08,260
you want to do.

76
00:06:08,260 --> 00:06:12,080
Now we have changed... our place hasn't changed.

77
00:06:12,090 --> 00:06:16,310
Weevely also offers much more features than just this.

78
00:06:16,360 --> 00:06:22,630
So it actually allows you to do a number of cool things. If you type in help you'll see all the cool

79
00:06:22,630 --> 00:06:24,660
stuff that you can do with Weevely.

80
00:06:24,670 --> 00:06:33,280
So you can try to escalate your privileges, execute SQL queries, and a lot of cool stuff that is

81
00:06:33,280 --> 00:06:36,670
just designed for web application penetration testing.

82
00:06:36,670 --> 00:06:43,620
For now I'm going to leave it at this, and this just shows you how to use file upload vulnerabilities.