2016-10-18 11:13:23 +00:00
# Upload
2018-08-12 21:30:22 +00:00
2017-06-04 15:22:26 +00:00
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
2016-10-18 11:13:23 +00:00
2019-03-03 15:31:17 +00:00
## Tools
- [Fuxploider ](https://github.com/almandin/fuxploider )
2016-10-18 11:13:23 +00:00
## Exploits
2018-08-12 21:30:22 +00:00
### PHP Extension
```powershell
2016-10-18 11:13:23 +00:00
.php
2019-02-15 15:00:50 +00:00
.php3
.php4
.php5
.php7
2016-10-18 11:13:23 +00:00
2019-02-15 15:00:50 +00:00
Less known extensions
2016-10-18 11:13:23 +00:00
.pht
2019-02-15 15:00:50 +00:00
.phar
.phpt
2016-10-18 11:13:23 +00:00
.pgif
.phtml
2019-02-15 15:00:50 +00:00
Double extensions
2016-10-18 11:13:23 +00:00
.jpeg.php
2019-02-15 15:00:50 +00:00
.jpg.php
2016-10-18 11:13:23 +00:00
.png.php
```
2019-02-15 15:00:50 +00:00
### Upload tricks
2018-08-12 21:30:22 +00:00
2019-03-06 23:03:25 +00:00
- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()`
2019-02-15 15:00:50 +00:00
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
2018-08-12 21:30:22 +00:00
2019-02-15 15:00:50 +00:00
### Picture upload with LFI
2016-10-18 08:01:56 +00:00
2019-02-15 15:00:50 +00:00
Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"` .
2018-08-12 21:30:22 +00:00
2019-02-15 15:00:50 +00:00
- Picture Metadata, hide the payload inside a comment tag in the metadata.
- Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()` .
2018-08-12 21:30:22 +00:00
2019-02-15 15:00:50 +00:00
### Configuration Files
2017-06-04 15:22:26 +00:00
2019-02-15 15:00:50 +00:00
- .htaccess
- web.config
- httpd.conf
- \_\_init\_\_.py
2017-06-04 15:22:26 +00:00
2019-02-15 15:00:50 +00:00
### CVE - Image Tragik
2017-06-04 15:22:26 +00:00
2019-02-15 15:00:50 +00:00
```powershell
HTTP Request
Reverse Shell
Touch command
2017-06-04 15:22:26 +00:00
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2017-06-04 15:22:26 +00:00
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
2019-02-15 15:00:50 +00:00
* [BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA ](https://secgeek.net/bookfresh-vulnerability/ )
* [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil ](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/ )
* [La PNG qui se prenait pour du PHP, 23 février 2014 ](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/ )