..we will make a new module, and not just any new module: let's make a fully automatic injection script! This tutorial is the first step towards making it. Let's first explain what..
Mister LG can create upload forms and test targets for file upload vulnerabilities
<?php
/*
Exploitable file upload server
Author: Remco Kouw
Site: http://www.hacksuite.com
Last Edit: 25-02-2015
*/
// Bootstrap for the upload test server: marks the entry point, derives the
// project paths from the running script's location and pulls in the shared
// configuration. Everything here runs in global scope, so the included files
// see (and may depend on) these variables and this exact order.

// Entry-point marker. NOTE(review): presumably the included files test for this
// constant to refuse being requested directly; confirm in vars.php / paths.php.
define('IN_SCRIPT',1);
// Derive the paths from SCRIPT_FILENAME, which the web server/SAPI sets; no request
// parameter is involved. $_ROOT is the script's directory with every occurrence
// of "/TestServers" removed (str_replace is not anchored to the end of the path).
$_ROOT = str_replace("/TestServers","",substr($_SERVER['SCRIPT_FILENAME'],0,strrpos($_SERVER['SCRIPT_FILENAME'],"/")));
// File name of this script: everything after the last "/".
$sCurrentFile = substr($_SERVER['SCRIPT_FILENAME'],strrpos($_SERVER['SCRIPT_FILENAME'],"/")+1);
// Work out the log file for this script.
// The "../" includes resolve against the working directory, not against $_ROOT.
$_DYNAMIC_ROOT = "..";
include_once("../vars.php");
include_once("../paths.php");
// NOTE(review): $_PATHS is not defined in this file; presumably paths.php sets it.
$aLogFolder = explode("/",$_PATHS['log_root']);
// <root>/<last segment of log_root>/<this script's file name>. Not read again in
// this file; presumably consumed by server_setup.php (confirm).
$sLogFile = $_ROOT."/".$aLogFolder[(count($aLogFolder)-1)]."/".$sCurrentFile;
// Load the server setup from the derived root. The include path is built only from
// $_ROOT, never from request data. NOTE(review): presumably this is what fills $_CONFIG.
include_once($_ROOT."/Includes/server_setup.php");
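// Request handler of the upload test server.
// If the request carries a file under the configured field name, apply the
// configured checks and store the file in <root>/Uploads; otherwise print the
// upload form. The upload checks are left as weak as the configuration makes
// them, because this script is a deliberately exploitable test target (see the
// file header). The only hardening is the escaping of the echoed file name.
// NOTE(review): $_CONFIG is not defined in this file; presumably server_setup.php sets it.
if(isset($_FILES[$_CONFIG['sFileUploadVar']])){
    $aUpload = $_FILES[$_CONFIG['sFileUploadVar']];
    $aExtensions = explode(",",$_CONFIG['sExtensions']);
    // 'size' is measured by PHP from the received data, so this limit holds
    // server-side regardless of the MAX_FILE_SIZE form field.
    if($aUpload['size']>$_CONFIG['iMaxB']){
        die("File is too big");
    }
    // Despite the name, $aExtensions is compared with 'type', the Content-Type the
    // client declared for the part. Neither the extension of the file name nor the
    // file content is inspected, and with iCheckExtension != 1 or
    // iAllowFakeExtension != 0 nothing is checked at all.
    // A hardened handler would detect the type server-side (e.g. finfo) and
    // allow-list the extension of the name it stores.
    if($_CONFIG['iCheckExtension']==1 && $_CONFIG['iAllowFakeExtension']==0){
        if(!in_array($aUpload['type'],$aExtensions)){
            die("Invalid file type");
        }
    }
    // basename() drops directory components, so the name cannot leave Uploads/.
    // The client-chosen name and extension are kept, and an existing file with the
    // same name is overwritten. NOTE(review): if Uploads/ is served by the web
    // server, stored files are reachable (and possibly executable) by URL; confirm.
    $sDest = $_ROOT."/Uploads/".basename($aUpload['name']);
    if(move_uploaded_file($aUpload['tmp_name'],$sDest)){
        // The name is client-supplied and lands in an HTML response, so escape it.
        // ISO-8859-1 accepts every byte, so no name is blanked for invalid encoding.
        echo"File " .htmlspecialchars(basename($aUpload['name']),ENT_QUOTES,'ISO-8859-1'). " has been successfully uploaded";
    }
    else{
        echo"Failed to upload file";
    }
}
else{
    // No file in the request: print the upload form.
    // The $_CONFIG values below are written into the page unescaped; they come
    // from the server configuration, not from the request.
    echo"<html>\n";
    echo"<head>\n";
    echo"<title>Very Basic Upload System</title>\n";
    echo"<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">\n";
    echo"<style type=\"text/css\">\n";
    echo"<!--\n";
    echo"body { font-family:Arial,Verdana,Helvetica;font-size:10px;color:#c0c0c0; }\n";
    echo"-->\n";
    echo"</style>\n";
    echo"</head>\n";
    echo"<body>\n";
    echo"<form method=\"post\" enctype=\"multipart/form-data\" target=\"_blank\">\n";
    // MAX_FILE_SIZE is a field the client can edit; the size check above is the real limit.
    echo"<b>file:</b> <input type=\"file\" name=\"".$_CONFIG['sFileUploadVar']."\"><input type=\"hidden\" name=\"MAX_FILE_SIZE\" value=\"".$_CONFIG['iMaxB']."\"><br />\n";
    echo"<b>allowed files:</b> ".$_CONFIG['sExtensions']."<br />\n";
    echo"<input type=\"submit\" name=\"submit\" value=\"Upload\">\n";
    echo"</form>\n";
    echo"</body>\n";
    echo"</html>";
}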
?>