File Upload

Bypassing client-side restrictions

Client-side checks (an `accept` attribute on the file input, or a JavaScript function that inspects the extension before the form is submitted) run entirely in the browser, so they can simply be switched off: delete the validation code in the browser's developer tools, or skip it altogether by intercepting the request in a proxy and changing the filename and contents after the check has already passed. Such checks are a usability feature, not a security control; anything that matters has to be re-checked on the server.

Bypassing a file extension blacklist

Blacklists are another approach developers take to restrict uploads: a fixed list of forbidden extensions. Even if the developer has thought of every dangerous extension they know, there is usually an obscure one they have not. On a PHP host, for example, `.phtml`, `.phar` and `.php5` may be passed to the same interpreter as `.php`, depending on how the web server maps extensions to PHP, and a case-sensitive comparison misses `.PHP` entirely.

Common bypass candidates are alternative extensions that reach the same interpreter, case variations, double extensions, and trailing characters (a dot or a space) that the filesystem strips when the file is written:

Bypassing a file extension whitelist

Bypassing a whitelist (allow list) is a different game. The permitted extensions are strictly defined, so instead of hunting for a forgotten extension we have to abuse how the check is applied: a regex that is not anchored to the end of the name, code that looks at the first extension rather than the last, a case-sensitive comparison, or a filename that passes validation but is stored under a different name.

Double extensions (`shell.jpg.php`, `shell.php.jpg`) and special encodings placed after the real extension (`%00`, `%20`, `%0a`) are the usual candidates. The encoded bytes target loosely scoped regex patterns and, more generally, any difference between the string the validator sees and the name the file is actually saved under; the classic null-byte truncation (`shell.php%00.jpg`) relied on exactly that gap before PHP 5.3.4 closed it.
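As an added example covering both the blacklist and the whitelist cases (this is not code from the original notes), the following Python emulates three filters a developer might write, the legacy null-byte truncation behaviour, and a hardened alternative, then runs a set of constructed filenames through each of them. The filenames, the extension lists and the `a1b2c3` storage token are assumptions made for the demo.

```python
import re

WHITELIST = {"jpg", "jpeg", "png"}
BLACKLIST = {"php", "phps"}  # a developer's incomplete idea of "dangerous"

# Constructed filenames an attacker might submit (not taken from the page).
CANDIDATES = [
    "avatar.jpg",
    "shell.php",
    "shell.PHP",           # case variation
    "shell.phtml",         # alternative extension mapped to PHP on many hosts
    "shell.php.jpg",       # double extension, allowed one last
    "shell.jpg.php",       # double extension, allowed one first
    "shell.php\x00.jpg",   # null byte, sent as %00 in the request
    "shell.php.",          # trailing dot, stripped by some filesystems
]


def blacklist_filter(name):
    """Weak: compares the last extension, case-sensitively, against a short list."""
    ext = name.rsplit(".", 1)[-1]
    return ext not in BLACKLIST


def unanchored_whitelist(name):
    """Weak: the regex has no '$', so an allowed extension anywhere in the name matches."""
    return re.search(r"\.(jpg|jpeg|png)", name, re.IGNORECASE) is not None


def first_extension_whitelist(name):
    """Weak: checks the extension after the first dot instead of the last one."""
    ext = name.split(".", 1)[1] if "." in name else ""
    return ext.split(".")[0].lower() in WHITELIST


def legacy_stored_name(name):
    """Emulates the pre-PHP-5.3.4 null-byte truncation: the validator saw the whole
    string, but the C-level file API stopped at the first NUL when writing."""
    return name.split("\x00", 1)[0]


def safe_stored_name(name, token):
    """Hardened: reject NUL bytes, take only the final extension, compare it
    lower-cased against the allow list, and never reuse the client-supplied stem.
    `token` would be secrets.token_hex(16) in production; it is a parameter here
    so the result is testable."""
    if "\x00" in name:
        return None
    ext = name.rpartition(".")[2].lower()
    if ext not in WHITELIST:
        return None
    return f"{token}.{ext}"


def run_filters(names=CANDIDATES):
    """Return, per filename, what each check decides and which name would be stored."""
    return {
        n: {
            "blacklist": blacklist_filter(n),
            "unanchored": unanchored_whitelist(n),
            "first_ext": first_extension_whitelist(n),
            "legacy_stored_as": legacy_stored_name(n),
            "hardened": safe_stored_name(n, "a1b2c3"),
        }
        for n in names
    }


if __name__ == "__main__":
    for name, result in run_filters().items():
        print(repr(name), result)
```

Note what the hardened variant does with `shell.php.jpg`: it stores `a1b2c3.jpg`, so the attacker-controlled stem is gone and neither a first-extension mistake nor a web server handler keyed on an inner `.php` can be triggered through the name.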

PHP Upload Filter Bypasses

Bypassing content type restrictions

Another approach is to validate the `Content-Type` of the uploaded file. In a multipart upload that header is supplied per part by the client (browsers derive it from the local file's extension), so a server that relies on it is trusting attacker-controlled input. We set the part's `Content-Type` to an allowed MIME type such as `image/jpeg` while keeping the filename and contents we actually want:

Magic bytes

The first few bytes of a file identify its format (`%PDF-` for PDF, `FF D8 FF` for JPEG, `89 50 4E 47` for PNG). They are called magic bytes, magic numbers or, more generally, file signatures.

Developers use these to validate the upload (for example through PHP's `finfo`, which wraps libmagic) and may then disregard other parameters such as the declared content type or the file extension. Because only the leading bytes are inspected, a file that begins with a valid signature but carries our payload after it passes the check.

PDF PHP Inclusion

Create a file that starts with a PDF header (`%PDF-1.x`) and contains PHP code after it. A signature check sees a PDF; if the file is later included or executed by PHP, the interpreter emits the header as plain text and runs the `<?php ... ?>` block.

PHP into JPG Injection

Overwriting server configuration files

Suppose the target serves content with Apache and honours per-directory `.htaccess` files (that is, `AllowOverride` permits them). Once we have figured out where uploaded files are stored, we can attempt either to overwrite an existing `.htaccess` in that directory or to upload a new one. On a mod_php setup a single directive such as `AddType application/x-httpd-php .jpg` makes Apache run files with an otherwise harmless extension through PHP, so an image upload that contains PHP becomes executable. The defensive counterpart is `AllowOverride None` for the upload directory, together with disabling script execution there.

PHP RCE
