File uploads
Last updated
Heavily inspired by PortSwigger - Web Security Academy
If there is no validation in place at all, one can just upload a malicious file.
If there is no proper file type validation in place, it may be possible to send a valid Content-Type header together with the malicious file.
If the malicious file can be uploaded but is not executed by the web server, it may be possible to upload it to another directory from which execution is possible.
Sometimes only an insufficient blacklist is in place, which may be bypassed: instead of .php, use alternative extensions such as .php5 or .shtml. If possible, also try to enable execution by placing an .htaccess file in the directory.
Depending on the validation mechanisms in place, some of the following may bypass them:

- Case-sensitive filters, e.g. cmd.pHp
- Multiple extensions, e.g. cmd.php.jpg
- URL encoding, e.g. cmd%2ephp
- Null byte, e.g. cmd.php%00.jpg
- Semicolons, e.g. cmd.php;.jpg
- Multibyte encoding
- Non-recursive filters, e.g. cmd.p.phphp (a filter that strips "php" only once leaves cmd.php)
The payload can also be hidden inside an otherwise valid image, e.g. using exiftool to add PHP code in the comment field of a JPEG.
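As an added example from the defender's side (not code from the original page or from PortSwigger), the Python validator below rejects every trick listed above with an allowlist applied to the whole filename plus a magic-byte check, and stores the file under a fresh name. The ALLOWED table, the SAFE_NAME pattern and the "<?php" heuristic are assumptions of this example, not requirements from the page.

```python
import re
import secrets
import urllib.parse

# Constructed allowlist: client extension -> (stored extension, MIME type, magic-byte prefixes)
ALLOWED = {
    "jpg": ("jpg", "image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("jpg", "image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("png", "image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("gif", "image/gif", (b"GIF87a", b"GIF89a")),
}
# Whole-name shape (assumed policy): alphanumeric stem, exactly one dot, one extension.
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}\.([a-z0-9]+)")


def validate_upload(client_name: str, content: bytes, content_type: str) -> str:
    """Return a fresh server-side filename, or raise ValueError for untrusted input."""
    # 1. Decode once, then refuse anything that could change meaning later: real or
    #    encoded null bytes, ';', path separators, '%' left by double encoding, non-ASCII.
    name = urllib.parse.unquote(client_name)
    if any(c in name for c in "\x00;/\\%") or not name.isascii():
        raise ValueError("forbidden character in filename")
    # 2. Lower-case, then fullmatch the entire name against the allowlist: cmd.pHp,
    #    cmd.php.jpg, cmd.p.phphp, .htaccess and cmd.php5 all fail on shape or extension.
    m = SAFE_NAME.fullmatch(name.lower())
    if not m or m.group(1) not in ALLOWED:
        raise ValueError("extension not allowed")
    ext, mime, magics = ALLOWED[m.group(1)]
    # 3. Judge the content by its bytes; the declared Content-Type must agree but
    #    is never sufficient on its own.
    if not content.startswith(magics):
        raise ValueError("content does not match extension")
    if content_type.split(";")[0].strip().lower() != mime:
        raise ValueError("content-type mismatch")
    # 4. Cheap heuristic against PHP hidden in image metadata; defence in depth only.
    if b"<?php" in content or b"<?=" in content:
        raise ValueError("embedded script detected")
    # 5. Never reuse the client name on disk: random name plus allowlisted extension,
    #    stored outside the web root and served with a fixed Content-Type.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(client_name: str, content: bytes, content_type: str) -> bool:
    try:
        validate_upload(client_name, content, content_type)
        return True
    except ValueError:
        return False
```

The random name is what removes the attacker's control over the extension; combined with storage outside the document root it also neutralises an image that passes the magic-byte check but carries PHP in its metadata.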
PHP functions that execute operating-system commands:

cmd | description
---|---
exec | Execute an external program
passthru | Execute an external program and display raw output
shell_exec | Execute a command via the shell and return the complete output as a string
system | Execute an external program and display the output