sAjibuu / Upload_Bypass

A simple tool for bypassing file upload restrictions.
GNU General Public License v3.0

Character encoding errors between files and base64 from Burp Suite - POSSIBLE SOLUTION #10

Closed bw00lley closed 8 months ago

bw00lley commented 8 months ago

I was using Upload_Bypass for the first time to test a target and I couldn't make it work unless I changed most codecs from latin-1 to utf-8. I'm not sure if this is local to my setup, but might be worth adding in a test to check the encoding before assuming which codec to use in burp_file.py.

Initially I got this error from this command:

┌──(user㉿kali)-[~/Upload_Bypass]
└─$ python3 upload_bypass.py -b burpfile.burp -s /success.php -e php -a png

*** This tool works only with Burp Suite output files! ***

Python Tool for bypassing upload restriction by different bug bounty techniques covered in Hacktricks
Coded by: Sagiv
github: https://github.com/sAjibuu

Disclaimer: The use of this tool and techniques should only be performed with proper authorization and consent from the targeted systems or networks. Unauthorized use can lead to legal consequences. It is the responsibility of the user to ensure that the tool is used for its intended purpose and not for any malicious or illegal activities.

[-] Trying different variations of php extensions technique!
[-] Try 1 failed.
Traceback (most recent call last):
  File "/home/user/Upload_Bypass/upload_bypass.py", line 374, in <module>
    main()
  File "/home/user/Upload_Bypass/upload_bypass.py", line 368, in main
    file_extension.burp(output_folder, current_version, latest_version, status, burpFile, uploadMessage, fileExtension, allowedExtension, proxies, tls, bruteForce,
  File "/home/user/Upload_Bypass/lib/file_extension.py", line 263, in burp
    counter = magicBytes(output_folder, current_version, latest_version, absolute_path, technique, status, allowedExtension, ext, counter, filename_ext,
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Upload_Bypass/lib/file_extension.py", line 59, in magicBytes
    burp_file.magic_bytes(output_folder, current_version, latest_version, allowedExtension, absolute_path, technique, status, counter, fileExtension, filename_ext,
  File "/home/user/Upload_Bypass/lib/burp_file.py", line 701, in magic_bytes
    fileUpload.magicUpload(output_folder, current_version, latest_version, technique, status, extension,
  File "/home/user/Upload_Bypass/lib/fileUpload.py", line 57, in magicUpload
    response, session, contentType, headers, url = burp_file.upload(fileExtension,
                                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Upload_Bypass/lib/burp_file.py", line 453, in upload
    file_data_new = file_data_new.encode("latin-1")
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
UnicodeEncodeError: 'latin-1' codec can't encode character '\u2030' in position 0: ordinal not in range(256)

Then after replacing all instances of latin-1 with utf-8 in burp_file.py I got this error instead with the same command:

┌──(user㉿kali)-[~/Upload_Bypass]
└─$ python3 upload_bypass.py -b burpoutput -s success.php -a png -e php

*** This tool works only with Burp Suite output files! ***

Python Tool for bypassing upload restriction by different bug bounty techniques covered in Hacktricks
Coded by: Sagiv
github: https://github.com/sAjibuu

Disclaimer: The use of this tool and techniques should only be performed with proper authorization and consent from the targeted systems or networks. Unauthorized use can lead to legal consequences. It is the responsibility of the user to ensure that the tool is used for its intended purpose and not for any malicious or illegal activities.

[-] Trying different variations of php extensions technique!
Traceback (most recent call last):
  File "/home/user/Upload_Bypass/upload_bypass.py", line 374, in <module>
    main()
  File "/home/user/Upload_Bypass/upload_bypass.py", line 368, in main
    file_extension.burp(output_folder, current_version, latest_version, status, burpFile, uploadMessage, fileExtension, allowedExtension, proxies, tls, bruteForce,
  File "/home/user/Upload_Bypass/lib/file_extension.py", line 251, in burp
    filename_ext, response, successMessage, bruteForce, absolute_path = eicarOrShell(output_folder, current_version, latest_version, technique, status, ext,
                                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Upload_Bypass/lib/file_extension.py", line 127, in eicarOrShell
    filename_ext, response, successMessage, bruteForce = fileUpload.fileUpload(output_folder, current_version, latest_version, technique, status, fileExtension,
                                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Upload_Bypass/lib/fileUpload.py", line 125, in fileUpload
    response, session, contentType, headers, url = burp_file.upload(fileExtension, filename_ext,
                                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/user/Upload_Bypass/lib/burp_file.py", line 371, in upload
    content = content.decode('utf-8')
              ^^^^^^^^^^^^^^^^^^^^^^^
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x82 in position 765: invalid start byte

Finally, after changing utf-8 back to latin-1 for just the entry on line 371 that decodes the base64 from Burp Suite, it did work. Well, on this occasion it seems like the target is not vulnerable to this bypass technique, but the tool seemed to work.
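As an added illustration (not code from the tool or from either commenter), the following reproduces both failures above on a constructed Burp-style base64 export whose upload body starts with the PNG signature: UTF-8 rejects the lead byte 0x89, and cp1252 turns that same byte into U+2030, which is exactly the character latin-1 then refuses to encode. The request, host and filenames are all constructed sample data.

```python
import base64

# Constructed sample (not from the issue): a Burp-style base64 export of a
# multipart upload whose file part begins with the PNG signature. Its lead
# byte 0x89 is not valid UTF-8 and is the byte cp1252 turns into U+2030.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
RAW_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
    b"--XX\r\n"
    b'Content-Disposition: form-data; name="file"; filename="a.png"\r\n'
    b"Content-Type: image/png\r\n\r\n"
    + PNG_MAGIC + b"\x82\x00\x00\x00\rIHDR" + b"\r\n--XX--\r\n"
)
BURP_B64 = base64.b64encode(RAW_REQUEST).decode("ascii")


def codec_report(b64_text):
    """Decode the export, then try each codec the way the tracebacks show:
    bytes.decode(codec) on the way in, str.encode("latin-1") on the way out.
    Returns {codec: "roundtrip" | "decode error ..." | "encode error ..."}."""
    raw = base64.b64decode(b64_text)
    report = {}
    for codec in ("utf-8", "cp1252", "latin-1"):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError as e:
            report[codec] = f"decode error at byte 0x{raw[e.start]:02x}"
            continue
        try:
            report[codec] = "roundtrip" if text.encode("latin-1") == raw else "altered"
        except UnicodeEncodeError as e:
            report[codec] = f"encode error on U+{ord(e.object[e.start]):04X}"
    return report


def patch_filename(raw, old_name, new_name):
    """Rewrite the upload filename without disturbing the binary body.
    latin-1 maps each byte 0x00-0xFF to exactly one code point and back, so
    the whole request can be handled as str and re-encoded byte-for-byte.
    The new name is carried through as its UTF-8 bytes, so a non-ASCII
    filename reaches the wire encoded the way an HTTP client would send it."""
    text = raw.decode("latin-1")
    wire_name = new_name.encode("utf-8").decode("latin-1")
    text = text.replace(f'filename="{old_name}"', f'filename="{wire_name}"')
    return text.encode("latin-1")


if __name__ == "__main__":
    for codec, outcome in codec_report(BURP_B64).items():
        print(f"{codec:8} {outcome}")
```

The report shows only latin-1 round-trips the bytes; keeping the body as bytes and never decoding it would be the other correct choice.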

sAjibuu commented 8 months ago

Thank you for notifying me. This weekend, I'm gonna release a major update that will fix almost everything. I have written it almost from scratch, and I have been working on it for quite some time. It will introduce many new features and a new design. Alright, I won't spoil it here. All I'm saying is it's worth the wait :)