Help needed in retrieving the uploaded shell
  • mandi
    Posts: 207
    Hi guys,
    I have been learning some basic web-application exploitation these days;
    today I have been trying the basic exploitation,

    i.e. exploiting arbitrary file uploads.

    I have been practicing this on my friend's
    JSP website running with Apache-Coyote/1.1...

    I had successfully uploaded the shell with a file name like this:

    commander.jsp.%%.jpeg


    But when I tried to retrieve the shell after uploading, I get an error like this:


    The image "http://target.com/state/userregistrationimages/previewtemp/photo-1314340617178.jpg" cannot be displayed, because it contains errors


    Also, the web server supports the following HTTP methods: "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS"

    when I check with some tools ...

    I would like to retrieve my uploaded shell;

    is it possible to do that?

    Any suggestions/advice please?
  • makesomecoffee said:


    Hi, according to the error that you pasted, it seems like the script that you are calling (userregistrationimages/previewtemp/) tries to read your shell as a picture, and then it triggers the error.

    In this case, what you should do is analyze and guess the real path where the shell was uploaded.

    You could do this by browsing the website and looking for the places where the other images are fetched from.

    Additionally, I would recommend that you review the technique you are using when you upload the file; perhaps instead of %% you could use %00 to break the string.

    1- Check if the path is the correct one.
    2- Check if there's another way to make the arbitrary upload.
    3- Check if the file is actually being uploaded.

    You can also try to break the string and upload a real picture, in order to see if it's working:

    pic.jpeg.%%.jpeg

    Good luck! :)
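Added example (this is editor-supplied code, not code from the thread or from any poster): a small model of how the filenames discussed above ("commander.jsp.%%.jpeg", and the "%00" variant suggested in the reply) interact with a naive upload handler, next to a hardened handler, and of how a Tomcat-style container would then treat the stored file by its final extension. Two observations from the original post motivate it: the URL in the error message ends in photo-<digits>.jpg rather than the uploaded name, so the application appears to have renamed the file, and a browser's "contains errors" message is what you get when a non-image body is served with an image Content-Type. Everything named below (ALLOWED, the function names, the sample filenames, the assumption that the filesystem layer truncates at a NUL byte, which the %00 trick relies on and which newer Java runtimes no longer do) is an assumption made for illustration.

```python
# Added example, not from the thread: naive vs. hardened upload-name handling.
import os
import re
import secrets
from urllib.parse import unquote

# Hypothetical whitelist of image extensions the application accepts.
ALLOWED = {"jpg", "jpeg", "png", "gif"}


def decode_filename(raw: str) -> str:
    """Percent-decode the client-supplied name the way an application that
    URL-decodes multipart filenames would: '%00' becomes a NUL byte, while an
    invalid escape such as '%%' is left exactly as it is."""
    return unquote(raw)


def multipart_upload_body(field: str, filename: str, content: bytes,
                          boundary: str = "----sec-edit-boundary"):
    """Build the multipart/form-data body an upload form would send, with an
    attacker-chosen filename placed verbatim in Content-Disposition.
    Returns (Content-Type header value, body bytes)."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: application/octet-stream\r\n\r\n").encode("latin-1")
    tail = f"\r\n--{boundary}--\r\n".encode("latin-1")
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def vulnerable_save_name(filename: str) -> str:
    """Naive handler: validate only the *last* extension of the supplied name,
    then hand the whole string to a path API. Assumption: a C-style path API
    stops at the first NUL byte, which is exactly what the '%00' trick relies on."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    truncated = filename.split("\x00", 1)[0]   # what the filesystem layer sees
    return os.path.basename(truncated)


def safe_save_name(filename: str) -> str:
    """Hardened handler: reject control bytes outright, accept only a simple
    'name.ext' shape with a whitelisted extension, and never reuse the client
    name on disk; the stored name is random with the validated extension."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in filename):
        raise ValueError("control character in filename")
    m = re.fullmatch(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)", os.path.basename(filename))
    if not m or m.group(1).lower() not in ALLOWED:
        raise ValueError("filename not allowed")
    return f"{secrets.token_hex(8)}.{m.group(1).lower()}"


def served_as(stored_name: str) -> str:
    """How a Tomcat-style container treats the stored file, by final extension
    (assumed default servlet mappings): *.jsp is compiled and executed, anything
    else is returned as a static file with a MIME type taken from the extension.
    A JSP body returned as image/jpeg is what produces a browser's
    'contains errors' message."""
    ext = stored_name.rsplit(".", 1)[-1].lower() if "." in stored_name else ""
    if ext in ("jsp", "jspx"):
        return "executed by JspServlet"
    return {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
            "gif": "image/gif"}.get(ext, "application/octet-stream")


def is_rejected(handler, filename: str) -> bool:
    """True if the handler refuses the filename."""
    try:
        handler(filename)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for raw in ("commander.jsp.%%.jpeg", "commander.jsp%00.jpeg", "pic.jpeg"):
        name = decode_filename(raw)
        if is_rejected(vulnerable_save_name, name):
            print(f"{raw}: naive handler rejects")
        else:
            stored = vulnerable_save_name(name)
            print(f"{raw}: naive handler stores {stored!r}, {served_as(stored)}")
        print(f"{raw}: hardened handler rejects: {is_rejected(safe_save_name, name)}")
```

The "%%" name passes the naive check but is stored unchanged, so its final extension is still .jpeg and the container serves it as an image; only the NUL variant leaves a name ending in .jsp. The hardened handler refuses both because the stored name never derives from the client's string at all, which is also why an application that renames uploads to photo-<timestamp>.jpg, as the error URL in the post suggests, is not reachable by extension tricks alone.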
  • Can you suggest me any good book for web exploitation please? Thanks.
    Help, please suggest me any good book for learning web exploitation, please.
  • Sh3llc0d3
    Posts: 1,910
    Web Application Hackers Handbook.
  • mandi
    Posts: 207

    Check the OWASP site:

    https://www.owasp.org/index.php/Main_Page
    https://www.owasp.org/index.php/Category:Attack


    Read those articles and understand them; before that, have a good understanding of the working of the HTTP protocol:

    http://www.ietf.org/rfc/rfc2616.txt


    Once you are done, start learning those vulnerabilities inside WebGoat; these are the things I am following now :)



    @makesomecoffee ----> Yes mate, I even tried some of the things you said.
    I even crawled the entire site with Acunetix and tried to look for the uploaded image, but I couldn't find it; but while doing some manual surfing I found the uploaded image, and when I opened it, it shows that error. But I still need to try the "%00" extension.

    1- Yes, it is the correct path.
    2- There is another upload section there, but it seems the same thing is happening there...
    3- I am sure the file is uploaded, but the problem is it is not working...

    Regarding the last thing, I still need to check like that...

    And do you want to have a look at the ORIGINAL URL?

    Also, while I checked the web server I found another interesting thing:
    I found out the following HTTP methods are being supported:

    GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS


    I am sure some of the methods enabled on this server look dangerous; looking for some way to exploit these....

    If you have any advice for this please feed me :)
    I am hungry....
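Added example (editor-supplied code, not from the thread or from any poster): telling the methods a server advertises in its OPTIONS "Allow" header apart from the ones it actually permits. The exact list quoted above, "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS", is what a Tomcat default servlet enumerates for every resource, and it returns 403 to PUT and DELETE unless its read-only setting has been switched off, so the header on its own is not evidence of a writable server. The mock server below is a constructed stand-in that imitates that behaviour so the probe runs offline; the function names, the probe path /probe-check.txt and the marker body are assumptions.

```python
# Added example, not from the thread: advertised vs. permitted HTTP methods.
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The Allow value quoted in the thread.
ADVERTISED = "GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS"


class MockDefaultServlet(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: advertises every method, but PUT and
    DELETE only succeed when `readonly` is False (assumed Tomcat-like policy)."""
    readonly = True
    store = {}

    def log_message(self, *args):          # keep the example quiet
        pass

    def _empty(self, status):
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", ADVERTISED)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0")))
        if self.readonly:
            return self._empty(403)
        self.store[self.path] = body
        self._empty(201)

    def do_DELETE(self):
        if self.readonly:
            return self._empty(403)
        self.store.pop(self.path, None)
        self._empty(204)

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            return self._empty(404)
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def _request(host, port, method, path, body=None):
    """One request on a fresh connection; returns (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        return resp.status, resp.getheaders(), resp.read()
    finally:
        conn.close()


def advertised_methods(host, port):
    """Parse the Allow header from OPTIONS /."""
    _, headers, _ = _request(host, port, "OPTIONS", "/")
    allow = {k.lower(): v for k, v in headers}.get("allow", "")
    return [m.strip() for m in allow.split(",") if m.strip()]


def put_is_writable(host, port, path="/probe-check.txt"):
    """PUT a harmless marker, confirm it is retrievable with GET, then DELETE it.
    Only the round trip proves the method is usable; a 403 means the server
    listed PUT but does not allow it."""
    marker = b"probe\n"
    status, _, _ = _request(host, port, "PUT", path, marker)
    if status not in (200, 201, 204):
        return False
    status, _, data = _request(host, port, "GET", path)
    _request(host, port, "DELETE", path)          # clean up after ourselves
    return status == 200 and data == marker


def assess(readonly=True):
    """Start the mock with the given policy, probe it, shut it down."""
    handler = type("Servlet", (MockDefaultServlet,), {"readonly": readonly, "store": {}})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    try:
        return {"advertised": advertised_methods(host, port),
                "put_writable": put_is_writable(host, port)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for ro in (True, False):
        print(f"readonly={ro}: {assess(ro)}")
```

Against a real host, point advertised_methods and put_is_writable at it instead of the mock. A 201 or 204 on the PUT means the server stores whatever it is handed, and on a JSP container a writable PUT with a .jsp path is direct code execution, so keep the probe body harmless and delete it afterwards. TRACE appearing in Allow is a separate finding (cross-site tracing) that this probe does not exercise.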