File uploads
Heavily inspired by PortSwigger - Web Security Academy
Unrestricted
If there is no validation in place at all, one can just upload a malicious file.
exec
Execute an external program
passthru
Execute an external program and display raw output
shell_exec
Execute command via shell and return the complete output as a string
system
Execute an external program and display the output
Bypass file type validation
If there is no proper file type validation in place, it may be possible to send a valid Content-Type
together with the malicious file.
Upload file to another directory (path traversal)
If the malicous file can be uploaded but is not executed by the webserver, it may be possible to upload it to another directory, from which execution is possible.
Bypass file type filtering
Sometimes insufficient blacklist filtering is in place, which may be bypassed.
Instead of .php
use extensions like .php5
or .shtml
etc.
If possible, also try to enable execution by placing an .htaccess
file in the directory.
Obfuscating file extensions
Depending on the validation mechanisms in place, some of the following may bypass them.
Case sensitive, e.g.
cmd.pHp
Multiple extensions, e.g.
cmd.php.jpg
URL encoding, e.g.
cmd%2ephp
Null byte, e.g.
cmd.php%00.jpg
Semicolons, e.g.
cmd.php;.jpg
Multibyte encoding
Non recursive filters, e.g.
cmd.p.phphp
Polyglot (php/jpg)
E.g. using exiftool to add php code in the comment field of a jpg.
Last updated