Excellent video with a very clear explanation. Thank you very much for sharing this!
@intigriti · 11 months ago
Glad it was helpful! 💜
@Karmik_bhavya · 2 months ago
But when I tried adding something like .php5, it allowed me to upload the file, but I wasn't able to execute the commands. I even tried going back a few directories to execute them, but that didn't work.
@georgegreen9145 · 6 months ago
Quick question. How did you know to map a random file extension to application/x-httpd-php? I tried mapping .php6 and .phtml to application/x-httpd-php, but I got an internal server error. After googling for a while, I found out you can map a random extension, and that's how I solved the lab.
@intigriti · 6 months ago
Heyyy, I didn't solve this challenge myself, but I would guess that .php6 and .phtml are already mapped extensions, so we would need a random one. Maybe .php69 would work 🤔
@georgegreen9145 · 6 months ago
@@intigriti I guess that means it's not possible to overwrite a previously defined extension 🤔. I guess I'm mad at myself for taking ages to think of this other approach 😅
@落珰 · 1 year ago
You're amazing, I support you!
@intigriti · 1 year ago
Thank you 💜
@acronproject · 1 year ago
Thanks, Mr.
@intigriti · 1 year ago
🥰
@mahdizd2112 · 1 year ago
Thanks for your video. I am working on a real-world website. I had the ability to upload, but didn't know the directory of the uploaded file. Is there any way to know the directory of the uploaded file?
@intigriti · 1 year ago
Thank you! Can you view your uploaded file? Can you download it? Or maybe copy/share a link to it? The path (and filename) might reveal itself when you explore the functionality like this. You could also try brute-forcing directories/files to see if you can locate it. Bear in mind you need to stick within the legal/ethical requirements of any bug bounty program, e.g. if you are brute-forcing, stick within the agreed limits.
@mahdizd2112 · 1 year ago
Do you have Discord?
@intigriti · 11 months ago
Yessss! go.intigriti.com/discord
@bhaveshtank1588 · 1 year ago
Why wasn't the .htaccess file allowed to be executed by reloading the My account page, while the shell file was immediately uploaded?
@intigriti · 1 year ago
The .htaccess file is not getting executed. It's just a configuration file instructing Apache on how to handle files within a specific folder.
@0xgodson119 · 2 years ago
Hmm. I have a question. We uploaded a .htaccess file, which is uploaded to /avatars/.htaccess. Now, basically the server config is stored in the root dir of the server. We uploaded the .htaccess to the /avatars dir. So, if we upload a .htaccess to a dir, then the .htaccess config file will work only inside that dir, right? It will not work universally! Am I right?
@frencikurti · 2 years ago
That's exactly what came to my mind! I also think this trick might work IF AND ONLY IF the files are uploaded to the root directory (or where the config files are exactly located). Not to mention that by doing such a thing, the web app will get messed up, as you will be overwriting the existing config files.
@intigriti · 2 years ago
.htaccess files are not overwriting the overall server config. They are just an addition on a per-directory basis. So, in our case we are just adding an "AddType" config for the folder where we are allowed to upload files. It's not universal, no! Hope this clears things up a bit :)
@0xgodson119 · 2 years ago
@@intigriti Got it! Only files under /avatars/* obey the .htaccess rules, because that's where we uploaded it. It's the nature of the Apache server!
@coyotatorolla · 1 month ago
It takes precedence over the global config only for the specific directory
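As an added example, not from the video or any commenter, here is the Apache directory configuration behind what the replies above describe: the permissive setting under which an uploaded .htaccess is honoured, beside a hardened block that makes Apache ignore it. The path /var/www/html/avatars is an assumption.

```apache
# Added example (not from the video or the commenters): the upload directory
# with the permissive setting the thread relies on, beside a hardened version.
# The path /var/www/html/avatars is assumed; adjust it to the real upload root.

# --- Weak: a .htaccess dropped into the upload folder is honoured ---
# AllowOverride FileInfo (or All) lets an uploaded .htaccess use AddType, so
# "AddType application/x-httpd-php .php69" in /avatars/.htaccess turns files
# with that extension into scripts, for this directory and its children only.
<Directory "/var/www/html/avatars">
    AllowOverride FileInfo
    Require all granted
</Directory>

# --- Hardened: per-directory overrides are ignored and nothing executes ---
<Directory "/var/www/html/avatars">
    # Ignore every .htaccess under this tree, so AddType cannot be added.
    AllowOverride None
    # Serve everything here as a static file, whatever its extension or type.
    SetHandler default-handler
    # No CGI, no server-side includes, no listing, no symlink following.
    Options -ExecCGI -Includes -Indexes -FollowSymLinks
    # mod_php only: switch the engine off for this directory as a second
    # layer (the module is named mod_php7.c on older PHP releases).
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    Require all granted
</Directory>

# Never serve dotfiles such as .htaccess or .htpasswd from anywhere.
# Apache's stock httpd.conf already ships this block; keep it in place.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Apache merges <FilesMatch> sections from the main config after <Directory> sections, so a global php-fpm handler for *.php still applies inside the hardened directory; storing uploads outside the document root and serving them through a download endpoint avoids the question entirely.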
@steiner254 · 2 years ago
Awesome! Learnt something new here today.
@intigriti · 1 year ago
Glad to hear it! If you learn something new every day, you will be an expert soon ❤️
@radityawaliulu · 10 months ago
Inspiring me. But I get a 303. How to solve this issue?
@intigriti · 10 months ago
Did you solve the lab? Double check the official solution on portswigger.net if the steps in this video don't work for you
@flag_hunter · 2 years ago
How do we modify web.config on IIS servers?
@intigriti · 2 years ago
If you don't own the server, I don't think that's possible 😅
@user-uf2qc1dc9p · 2 years ago
How to intercept and change requests without Burp?
@intigriti · 2 years ago
You can do it in Firefox in the browser or use another tool such as Zap