WEBVTT

00:00.540 --> 00:00.900
Okay.

00:00.900 --> 00:08.580
So now that we know how to use Burp Proxy and we already know how to exploit a basic file upload vulnerability,

00:08.610 --> 00:14.130
let's go ahead to the security settings and we're going to set the security to medium.

00:14.370 --> 00:17.310
We're going to submit to make sure that it is at medium.

00:18.060 --> 00:25.290
And we're going to go back to the file upload in here, and keep in mind that the interceptor has been

00:25.290 --> 00:26.640
set to off so far.

00:26.640 --> 00:30.480
We're simply just testing, and as usual we'll keep things simple.

00:30.480 --> 00:35.490
So when it's off, it's as if Burp is not working at the moment, and we're simply just going to try to

00:35.490 --> 00:41.520
upload the normal shell that we already have in my home directory right here, shell.php; double

00:41.520 --> 00:43.770
click and upload.

00:44.250 --> 00:50.130
And when we do that, as you can see, we're going to get an error saying that the image was not uploaded,

00:50.280 --> 00:53.520
probably because we changed the settings to medium.

00:53.520 --> 00:59.580
And if you're doing this on a real website, you'll know that this page has some kind of a check that

00:59.580 --> 01:03.540
is preventing us from uploading our PHP file.

01:03.690 --> 01:09.690
Now, just to make sure that the page is preventing us from uploading a PHP file and the page itself

01:09.690 --> 01:12.990
is not broken, let's try to upload a normal image.

01:12.990 --> 01:19.170
So again, going to my Downloads, selecting the GTA image and clicking on upload, you'll see that the

01:19.170 --> 01:21.780
GTA image will be uploaded successfully.

01:21.780 --> 01:26.010
Therefore, we know now that the file upload functionality actually works.

01:26.010 --> 01:33.180
The only reason why it did not work with PHP is because the page itself does not allow us to upload PHP

01:33.180 --> 01:33.900
files.

01:34.020 --> 01:40.380
Now there are a number of ways that this website might be preventing us from uploading a PHP file.

01:40.380 --> 01:46.980
The simplest one would be to simply check if the file is a PHP file using the extension or the file

01:46.980 --> 01:47.550
type.

01:47.760 --> 01:56.430
So let's go to the file manager and I'm going to simply rename my shell.php file to an image file

01:56.430 --> 01:56.850
format.

01:56.850 --> 02:02.370
So instead of it being shell.php, we're going to call it shell.jpg.

02:03.090 --> 02:08.610
We're going to rename it like so, go up, and let's try to upload it again.

02:09.030 --> 02:13.170
So it's in my root and right now it's called .jpg.

02:14.040 --> 02:20.910
Now keep in mind, uploading a JPG file like this usually does not work because the file extension is

02:20.910 --> 02:22.530
an image file extension.

02:22.710 --> 02:28.890
So what we're going to do is we're going to turn on our Burp Proxy and we're going to click on upload.

02:28.890 --> 02:36.450
And now we intercepted the upload request, so we can see we have a POST request to the upload directory

02:36.450 --> 02:40.500
in DVWA; we can see the host is actually our target host.

02:40.500 --> 02:47.640
This is not being sent to another server, and if we scroll down a little bit, we will see the file name

02:47.640 --> 02:54.510
in here set to shell.jpg and the content type is set to image/jpeg.

02:54.990 --> 03:01.350
So we're going to keep the content type the way it is and we're simply going to change the file name

03:01.350 --> 03:04.920
in here from .jpg to .php.

03:05.160 --> 03:09.840
And just so you know that this is actually our file going to get uploaded and it's not the previous

03:09.840 --> 03:13.200
one, I'm going to call it shell2.php.

03:13.590 --> 03:20.160
So all we're doing right now is, once we clicked on upload in here, the web page sent a request to the

03:20.160 --> 03:26.610
web server, but before this request reached the web server, we intercepted it in here, and we're keeping

03:26.610 --> 03:27.540
everything the same.

03:27.540 --> 03:29.790
So it looks a little bit more like an image.

03:29.790 --> 03:35.660
We're still saying the content type is an image type, but we simply rename the file from shell.jpg

03:35.670 --> 03:41.280
to shell.php, effectively changing its extension.

03:41.280 --> 03:47.490
Therefore, once uploaded, hopefully it will actually be treated as a PHP file and therefore should allow

03:47.490 --> 03:49.320
us to control the web server.

03:49.620 --> 03:52.320
There is no guaranteed way of knowing that this works.

03:52.320 --> 03:54.990
You'll simply have to try and see if it works.

03:54.990 --> 03:55.990
So let's try.

03:56.010 --> 04:00.000
We're going to click on Forward, Forward, and perfect.

04:00.000 --> 04:05.850
Now, based on this message that we got in here, it's telling us that shell2.php has been

04:05.850 --> 04:07.470
successfully uploaded.

04:07.470 --> 04:08.670
So that's amazing.

04:08.670 --> 04:14.130
Now let's go to our terminal and try to connect to it and see if it actually works.

04:14.400 --> 04:17.310
So we're going to use the same command that we used earlier.

04:17.310 --> 04:21.690
The only difference is the file name is now called shell2.php.

04:21.720 --> 04:24.780
We're going to hit enter, and perfect.

04:24.780 --> 04:28.230
As you can see, we managed to connect to the target server.

04:28.230 --> 04:34.550
We can do id to verify, and now we can use all of the features that it allows us to use.

04:34.560 --> 04:38.520
We're going to talk about that later on in the post-exploitation section.

04:38.520 --> 04:45.870
But basically, now we managed to bypass the check that this particular web page has in the medium difficulty

04:45.870 --> 04:51.630
and upload a file to it that allows us to control this web server remotely.

04:52.050 --> 04:54.510
All of that thanks to Burp Proxy.

04:54.660 --> 05:00.450
The main idea in here, as mentioned earlier, is that this can be applied in so many scenarios, whenever you

05:00.450 --> 05:07.200
want to bypass security or bypass checks or see the hidden requests that a web application might be

05:07.200 --> 05:08.940
sending to the web server.