Ready to Start Your Career?

Using CMS Upload and Tamper Data to Obtain Administrative Access to a Webserver

baphomet1488 's profile image

By: baphomet1488

March 9, 2017

phpSo, you've done it. You have either successfully bypassed a CMS login or used SQL injection to obtain usernames and password hashes to the CMS and have decrypted the hashes.You are inside the system.What do you do now?The next logical step is privilege escalation.I like to use the WSO.php backdoor to obtain further access. (Shell is located here: https://github.com/tennc/webshell/blob/master/xakep-shells/PHP/wso.txt)Now, it is important to understand that most Content Management Systems are designed NOT to let you upload .php files to the server through the CMS administrative panel. There is a way to defeat these "protections" however. I accomplish this through the use of the Tamper Data Browser Add-On.  (You can find the plugin at: https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en)The method is very simple:You will need to send an HTTP GET request that tells the CMS that you would like to upload a picture file. Before The POST data is sent, you want to REMOVE the .jpeg file extension so that you have in fact uploaded your shell as a .php file, not a .jpeg file.Proof of Concept Steps:
  1. You will rename your shell as follows: shell.php.jpeg.
  2. Open the tamper data plugin.
  3. Browse to the CMS section that will allow you to upload a photo.
  4. Set the page to upload shell.jpeg.php but DO NOT submit the request to upload yet!
  5. On the tamper data plugin, click Start Tamper.
  6. On the CMS form submit the request to upload shell.php.jpeg
  7. You will then get a series of popups from the Tamper data plugin. Click "Tamper" with continue tampering checked on the popup window.
  8. You will be looking for a window to pop up that has the actual GET request and the POST request for uploading shell.php.jpeg
  9. In the POST request, you will need to edit the file name of shell.php.jpeg to shell.php. The file WILL NOT execute unless it is using the .php file extension!
  10. After the shell is uploaded, Navigate to the shells location in your browser, this will vary from CMS to CMS.Enjoy Administrative privileges!
From the shell, you can do things such as change the websites index page to your defacement page, delete everything, or even just show your friends and tell them how awesome you are!
Schedule Demo