Server Access: Escalating Privileges through File Upload Bypass (RFU Bypass)

Effective Methods for Gaining Server Access Through Admin Panel Bypass and RFU Bypass, Leading to Privilege Escalation and Full Server Control.

10/21/2024 · 1 min read

Hey everyone, hope you're all doing great!

I was working on a penetration testing project and stumbled upon something interesting.

After bypassing the admin panel vulnerability, I reached the stage of uploading a shell to escalate privileges.

There was an option to set a user profile, which included an uploader and a place to upload files!

Initially, it prevented me from uploading a PHP file and only allowed JPGs.

I tried several different extensions like php5, php4, php7, phtml, shtml, etc., and realized it was using a blacklist instead of a whitelist!

I experimented with different bypass methods and file extensions and, after some research, discovered the .phar extension.

PHAR (PHP Archive) files are an archive format used for packaging and distributing PHP code and related resources.

The format is similar to ZIP or TAR but is designed specifically for the PHP environment. On common Apache/PHP configurations the .phar extension is mapped to the PHP handler just like .php, so an uploaded .phar executes as PHP, which is exactly why a blacklist that omits it fails while an allow-list of image extensions would have stopped it.

I successfully uploaded the shell and escalated my privileges.

Finally, I completed the report and sent it.

I hope this helps. Feel free to ask if you have any questions.

Here are some key takeaways:

  • Always search and research.

  • Don't get discouraged; try different methods.

  • Use a whitelist (allow-list) instead of a blacklist for file upload restrictions; a blacklist only blocks the extensions its author remembered.

  • Try to go as far as possible, so you can write a more comprehensive report.
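
The whitelist takeaway, as an added example that is not part of the original post: a PHP upload check written in the blacklist style that let the .phar through, beside an allow-list check that accepts only listed image extensions and verifies the file content. The function names, sample filenames and upload directory are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original post: the blacklist pattern that
// let a .phar shell through, beside an allow-list check. Names are assumed.

// Weak pattern: deny a few known PHP extensions. Anything not listed
// (.phar, .phtml, .php5 ...) is accepted, which is the bypass described above.
function blacklist_allows(string $filename): bool
{
    $denied = ['php', 'php3', 'php4', 'php5', 'php7', 'shtml'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Corrected pattern: accept only a short allow-list of image extensions,
// reject names with more than one dot (shell.php.jpg), and, when the temp
// file path is given, confirm the bytes really are that image type.
function allowlist_allows(string $filename, ?string $path = null): bool
{
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'png' => IMAGETYPE_PNG];
    $base = basename($filename);
    if (substr_count($base, '.') !== 1 || $base[0] === '.') {
        return false;               // "shell.php.jpg", "x" and ".htaccess" all fail
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;               // .phar, .phtml, .php5 ... are simply not listed
    }
    if ($path !== null) {
        $info = @getimagesize($path);
        if ($info === false || $info[2] !== $allowed[$ext]) {
            return false;           // extension says jpg, content says otherwise
        }
    }
    return true;
}

// Never keep the client-supplied name: random name plus the validated
// extension, stored in a directory the web server does not execute PHP from.
function safe_target(string $ext, string $uploadDir): string
{
    return rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names, including the .phar that beat the blacklist.
$samples = ['avatar.jpg', 'shell.phar', 'shell.phtml', 'shell.php5', 'shell.php.jpg', 'logo.png'];
foreach ($samples as $name) {
    printf("%-14s blacklist: %-5s allow-list: %s\n", $name,
        blacklist_allows($name) ? 'pass' : 'block',
        allowlist_allows($name) ? 'pass' : 'block');
}
```

The demo loop checks names only; in a real handler pass the uploaded temp path as the second argument so the content check runs, then store the file with safe_target() in a directory where PHP execution is disabled.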

————————————————————

You can read more about it at the link below:

https://zvitox.medium.com/server-access-admin-panel-and-rfu-bypass-45af32057a2d