File Upload bypass (.htaccess)
The upload function prevents users from submitting files with extensions that allow PHP code execution, such as:
[ .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .phar and .inc ]
Check whether you can upload .htaccess files. We can take advantage of this to get code execution. More information can be found at onsecurity.io.
The .htaccess file is not an RCE vector by itself, but it allows the creation of new legitimate PHP extensions that are allowed by the web application.
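The following is an added example, not code from the original page: it puts the extension blocklist described above beside an allowlist-based check, to show why .htaccess and a new extension such as .evil pass the first and are rejected by the second. The allowed image extensions, the function names and the sample filenames are assumptions made for illustration.

```python
import os
import secrets

# Blocklist as listed on the page for the upload function.
BLOCKED_EXTENSIONS = {
    ".php", ".php2", ".php3", ".php4", ".php5", ".php6", ".php7", ".phps",
    ".pht", ".phtm", ".phtml", ".pgif", ".shtml", ".phar", ".inc",
}

# Assumption: this application only needs to accept images.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def blocklist_accepts(filename: str) -> bool:
    """Weak filter: reject only the known PHP extensions."""
    name = os.path.basename(filename).lower()
    return not any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def allowlist_accepts(filename: str) -> bool:
    """Hardened filter: no paths, no dotfiles, exactly one allowlisted extension."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    if name != filename.lower():          # any path component is rejected
        return False
    if name.startswith(".") or name.count(".") != 1:
        return False                      # .htaccess, a.php.png, trailing dots
    stem, ext = os.path.splitext(name)
    return bool(stem) and ext in ALLOWED_EXTENSIONS


def stored_name(filename: str):
    """Server-chosen name on disk, so the client never controls the file name."""
    if not allowlist_accepts(filename):
        return None
    return secrets.token_hex(16) + os.path.splitext(filename.lower())[1]


if __name__ == "__main__":
    # Constructed sample filenames.
    for f in [".htaccess", "shell.evil", "shell.php", "a.php.png", "photo.png"]:
        print(f"{f:12} blocklist={blocklist_accepts(f)!s:5} "
              f"allowlist={allowlist_accepts(f)}")
```

Storing uploads under a server-generated name, as `stored_name` does, also means a client-supplied name such as .htaccess never reaches the filesystem.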
Exploiting .htaccess to add new PHP extension
We create our new .htaccess file which includes a new allowed extension of
Upload simple php shell
Upload php reverse shell
- remember to change extension to .evil ❗