`0x0d 0x0a` so sometimes you need to connect using
`FEAT` to obtain some information of the FTP server:
`%0d%0a` (in double URL encoding this is `%250d%250a`) bytes and make the FTP server perform arbitrary actions. One of these possible arbitrary actions is to download content from a user-controlled server, perform port scanning, or try to talk to other plain-text based services (like HTTP).
- `HELP`: The server indicates which commands are supported.
- `PORT 127,0,0,1,0,80`: This tells the FTP server to establish a connection with the IP 127.0.0.1 on port 80 (you need to put "0" as the 5th field and the port in decimal as the 6th, or use the 5th and 6th fields to express the port in hex).
- `EPRT |2|127.0.0.1|80|`: This tells the FTP server to establish a TCP connection (indicated by "2") with the IP 127.0.0.1 on port 80. This command supports IPv6.
- `LIST`: This will send the list of files in the current folder.
- `APPE /path/something.txt`: This tells the FTP server to store the data received from a passive connection or from a PORT/EPRT connection into a file. If the filename exists, it will append the data.
- `APPE` but it will overwrite the files
- `APPE`, but if it exists it won't do anything.
- `RETR /path/to/file`: A passive or a port connection must be established first. Then the FTP server will send the indicated file through that connection.
- `REST 6`: This tells the server that the next time it sends something using `RETR` it should start at the 6th byte.
- `TYPE i`: Set the transfer mode to binary.
- `PASV`: This will open a passive connection and tell the user where they can connect.
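The `PORT` and `EPRT` arguments above are what a server (or a filter in front of it) has to parse before deciding whether to open the data connection at all. The following Python, added here as an example and not code from the original page or any FTP project, parses both argument formats (for `PORT`, the port is `p1*256 + p2`, so `0,80` is port 80), applies the classic anti-bounce policy of only connecting back to the control-connection peer on a non-privileged port, and shows the check a web application should apply before forwarding user input to an FTP server: decode up to two rounds of URL encoding and reject anything containing CR or LF, which catches both `%0d%0a` and `%250d%250a`. The function names, the sample peer address 203.0.113.9 and the sample command lines are constructed for this example.

```python
"""Parse FTP PORT/EPRT arguments and apply an anti-bounce policy.

Added example (not from the original page). Assumptions: a server or proxy
knows the IP of the client on the control connection (control_peer) and can
reject PORT/EPRT requests before opening any data connection.
"""
import ipaddress
import re
from urllib.parse import unquote


def parse_port(arg: str) -> tuple[str, int]:
    """Parse a PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port).

    The port is carried as two bytes: p1 is the high byte, p2 the low byte,
    so '0,80' means port 80 and '4,1' means port 1025.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT expects six comma-separated decimal fields")
    nums = [int(f) for f in fields]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def parse_eprt(arg: str) -> tuple[str, int]:
    """Parse an EPRT argument '|proto|address|port|' into (ip, port).

    RFC 2428 defines the first field as the address family (1 = IPv4,
    2 = IPv6); this parser only requires it to be 1 or 2 and takes the
    family from the address itself, so the page's |2|127.0.0.1|80| parses.
    """
    m = re.fullmatch(r"\|([12])\|([^|]+)\|(\d{1,5})\|", arg.strip())
    if not m:
        raise ValueError("malformed EPRT argument")
    addr, port = m.group(2), int(m.group(3))
    parsed = ipaddress.ip_address(addr)   # raises ValueError on junk
    if not 0 < port < 65536:
        raise ValueError("EPRT port out of range")
    return str(parsed), port


def allowed_data_target(control_peer: str, target_ip: str, target_port: int) -> bool:
    """Anti-bounce policy: the data connection may only go back to the
    control-connection peer, and never to a privileged port. A request such
    as PORT 127,0,0,1,0,80 from an external client is therefore refused."""
    try:
        peer = ipaddress.ip_address(control_peer)
        target = ipaddress.ip_address(target_ip)
    except ValueError:
        return False
    return peer == target and target_port >= 1024


def evaluate(command_line: str, control_peer: str) -> str:
    """Classify one PORT/EPRT command line received from control_peer."""
    verb, _, arg = command_line.strip().partition(" ")
    verb = verb.upper()
    try:
        if verb == "PORT":
            ip, port = parse_port(arg)
        elif verb == "EPRT":
            ip, port = parse_eprt(arg)
        else:
            return "not a data-connection command"
    except ValueError as exc:
        return f"malformed: {exc}"
    if allowed_data_target(control_peer, ip, port):
        return f"allowed {ip}:{port}"
    return f"bounce attempt blocked: {ip}:{port}"


def reject_crlf(user_value: str, max_decodes: int = 2) -> bool:
    """Return True if user_value contains CR or LF after up to max_decodes
    rounds of URL decoding. A web app that builds FTP commands from user
    input must drop such values: '%250d%250a' becomes '%0d%0a' after one
    decode and a literal CRLF after two, which would start a new command."""
    value = user_value
    for _ in range(max_decodes):
        if "\r" in value or "\n" in value:
            return True
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return "\r" in value or "\n" in value


if __name__ == "__main__":
    # Constructed sample traffic from a client whose control connection
    # comes from 203.0.113.9 (documentation address, not a real host).
    for line in ("PORT 127,0,0,1,0,80", "EPRT |2|127.0.0.1|80|",
                 "PORT 203,0,113,9,4,1", "PORT 1,2,3"):
        print(f"{line:28s} -> {evaluate(line, '203.0.113.9')}")
    for value in ("%250d%250aPORT%20127,0,0,1,0,80", "normal%20file.txt"):
        print(f"{value:34s} -> crlf={reject_crlf(value)}")
```

The two-round decode in `reject_crlf` matters because the injection the page describes is sent double-encoded precisely so that one decoding layer (the web framework) passes `%0d%0a` through and a second (the FTP client library or the URL parser) turns it into a real line break.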
- `REST X` to avoid sending the characters you don't want to send (maybe to upload the request inside the file you needed to put some image header at the beginning)
- `PORT` to connect to the arbitrary server and service
- `RETR` to send the saved request to the server.
`RETR`. Suggestions to try to avoid that are:
`RETR` instruction to get the file)