I did my job very quickly after found a File Uploading Vulnerability in a website. I was pentesting a network remotely (Blackbox testing) and it was really hard. I often browsed their website. Even I did not able to ping their IP because it was firewall . My only rest thing to be done was Social Engineering and Web pentesting (Really i was confused!!! If the SE and Web hacking method does not work then perhaps my heart about to attacked !!! lol(my heart is not weak)). Anyway, I scanned the site with various vulnerability scanner ,,,, no luck!!! So I started browsing the site manually(and Google searching randomly, Truthfully dunno what to find).
Suddenly I found a personal file upload link which was hell to find the link but my google friend helped me much. The link was like : www.hired-me.org/test/personal/re_al/file2010.php . It just accept 3 types of file extension JPEG, TEXT,CSV. First time i did not think that this link has any vulnerability(Already confused for the fucking scanner!!!).
How i exploited:
First i upload a jpeg file and try to find the location where it is saved. It was also hard(My knowledge is sucks?). OK, At least i found the jpeg file is located in the www.hired-me.com/index/hidden/director/test.jpeg , Everything Okay. Now i quickly create a php file[test.php] :
I quickly try to upload the “test.php” and “test.jpeg.php” but error “Unknown File Extension” . This error make me sure that the file extension is filtered.
Again i renamed the “test.php” to “test.php.jpeg” . Now no error!!! wow!!
I quickly check www.hired-me.com/index/hidden/director/test.php.jpeg and the page display “This is test“. Now i decide to upload a real php backdoor. Then upload some rooting tools then created ssh and then compromised two additional machine. Job is done!!!
Feedback are welcome!!!