File Uploading
Marlon Smith
Upload Attack Vector
An Upload Attack Vector exists when a website application provides the ability to upload files. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system, forwarding attacks to backend systems, and simple defacement. It depends on what the application does with the uploaded file, including where it is stored.
Payload
Payload is the cargo of a data transmission. It is the part of the transmitted data which is the fundamental purpose of the transmission, to the exclusion of information sent with it (such as headers or metadata, sometimes referred to as overhead data) solely to facilitate delivery. In the analysis of malicious software such as worms, viruses and Trojans, it refers to the software's harmful results. Examples of payloads include data destruction, messages with insulting text or spurious e-mail messages sent to a large number of people. In summary, payload refers to the actual intended message in a transmission. In computer security, payload refers to the part of malware which performs a malicious action.
How does an Attacker create a payload?
A shell code is a small piece of code used as the payload in the exploitation of software vulnerability. It is called "shell code" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shell code.

How does an attacker execute a payload?
Once you have created the payloads and executed them on the remote victim you need to be able to interact with the payload. Single payloads that bind a shell listener to the host can be used outside of the framework. Most of the payloads are expecting communications to be coming from the framework. The framework contains a special exploit for use with external payloads called multi/handler. The multi/handler exploit provides the needed communication and framework hooks for the standalone payloads. To use the multi/handler you need to specify the remote payload used along with options that you want to set.
How does an attacker get the payload to connect back to their machine? The shell code can provide the attacker access to the target machine across the network. Remote shell codes normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine. Such shell code can be categorized based on how this connection is set up: if the shell code can establish this connection, it is called a "reverse shell" or a connect-back shell code because the shell code connects back to the attacker's machine. On the other hand, if the attacker needs to create the connection, the shell code is called a bind shell because the shell code binds to a certain port on which the attacker can connect to control it. A third type, much less common, is socket-reuse shell code. This type of shell code is sometimes used when an exploit establishes a connection to the vulnerable process that is not closed before the shell code is run.

In addition to creating a PHP Payload, how does c99.php compare and contract?
The c99 PHP utility provides functionality for listing files, brute-forcing FTP passwords, updating itself, executing shell commands and PHP code. It also provides for connecting to MySQL databases, and initiating a connect-back shell session. In many ways it can be considered the web equivalent of the rootkits that successful attackers often download. In other ways it is the malware equivalent of PHPShell itself. c99 is often one of the utility programs that is either downloaded if a web server is vulnerable due