EvilZone

Hacking and Security => Hacking and Security => Topic started by: galihlprakoso on April 15, 2015, 11:09:15 AM

Title: [ASK] About Uploading Shell VIA JPG Tamper Data
Post by: galihlprakoso on April 15, 2015, 11:09:15 AM

Hello Master, I have a problem when i tried to Upload my shell..

I've already uploaded my shell .JPG in to the Site via Tamper Data i've changed it into PHP. The Problem is i don't know the path of that image. The image is exist but can't display because i know that is my shell.

The Problem is the URL of The Image folder is hidden by URL. The URL is not like this "images/name-of-the-image.jpg" but "ImageID=1011" the image is requested by Get system. This website is running in java.

I just want you to help how to see the real path of the Hidden Image folder?
sorry for my bad english. Thanks  ;)

Title: Re: [ASK] About Uploading Shell VIA JPG Tamper Data
Post by: Kulverstukas on April 15, 2015, 11:39:22 AM

Well, normally you just check the source or copy an image link... if it's all Java, then you'll need to either sniff it somehow or guess.

Title: Re: [ASK] About Uploading Shell VIA JPG Tamper Data
Post by: jefrey.sobreira on April 16, 2015, 12:30:44 PM

Try putting invalid chars on the ImageID parameters. Perhaps the site will throw an error from the server side saying that this file wasn't found for reading (not error 404). However, meaningful errors are more usual in PHP..

Title: Re: [ASK] About Uploading Shell VIA JPG Tamper Data
Post by: ekevjn on April 18, 2015, 04:09:45 AM

Try "ImageID=1011/whateveryouwant.php" 
       "ImageID=1011?whateveryouwant.php" 
      "ImageID=1011&whateveryouwant.php"
 Goodluck