Bypass Filters
[1] Changing the file extension
Common extensions to bypass PHP restrictions:
png, jpg, phtml, phpt, php3, php4, php5, php6
#Example: shell.png.php
Common extensions to bypass Perl restrictions:
.pl, .pm, .cgi, .lib
Common extensions to bypass JSP restrictions:
.jsp, .jspx, .jsw, .jsv, .jspf
Common extensions to bypass ColdFusion restrictions:
.cfm, .cfml, .cfc, .dbm
[2] Another way of changing the extension is to append # after the original extension and then add the required extension.
#Example: shell.php#.png
[3] Another way of changing the extension is to use a null byte between the original extension and the required one.
#Example: shell.php%00.gif
Changing the content type while keeping a file extension that fits the allowed extensions
Example: intercept the request in Burp and change the Content-Type header to this if your payload is in PHP
Changing the magic number
Append GIF87a to the first line of the file and it will be treated as a JPEG.
Using PHP zip filters
We use PHP zip filters when the name of the file we upload to get RCE is changed or controlled by the web application. This means that if you upload a file named [shell], the web application renames it to an arbitrary name, so we cannot call the RCE shell because the file name has changed. Let's take the below payload
First step: store this PHP payload in a PHP file such as [cmd.php].
Next step: zip the PHP file into a zip archive.
Then upload the file using [curl] or the browser.
Last step: trigger the shell by navigating to the uploads path on the target domain and locating the file. For example, for the above shell we can browse to the below URL to trigger the shell
Replace [filename] with the name you have found. The [%23] is the [#] character, and [cmd] is the parameter through which the command will be executed.
Using file name truncation
File name truncation is a bypass method where the last four characters of the file name get truncated. For example, a file named [upload.php.png] won't get uploaded if the server filters for extensions such as [png]. One way to bypass this is to use a name long enough that the server drops the last four characters, which happen to be [.png], so the final file name would be
To test this, you can create a variable such as [$URL] as the below shows
and use the [$URL] in a curl command to see the server response
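As an added defender-side example (not part of this cheat sheet), the following Python upload validator shows why a suffix-only filter fails against the double-extension, #, null-byte, content-type and truncation tricks above, and how a hardened check rejects each of them. The function names (naive_check, validate_upload), the allow-list and the 64-character limit are assumptions for illustration.

```python
import os
import urllib.parse

# Allow-list of extensions and the magic bytes a file claiming each one must start with.
ALLOWED_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # GIF87a and GIF89a
}
MAX_NAME_LEN = 64  # reject over-long names instead of silently truncating them


def naive_check(filename: str) -> bool:
    """The kind of filter the tricks above defeat: it only looks at the
    trailing characters of the raw, undecoded file name."""
    return filename.lower().endswith((".png", ".jpg", ".gif"))


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, extension_or_reason). The client's Content-Type
    header is deliberately not an input: it is attacker-controlled."""
    name = urllib.parse.unquote(filename)             # %00 -> NUL, %23 -> '#'
    name = os.path.basename(name.replace("\\", "/"))  # drop any path part
    if not name or any(ord(c) < 0x20 or c in "#;?%" for c in name):
        return False, "forbidden character in name"
    if len(name) > MAX_NAME_LEN:
        return False, "name too long"
    parts = name.split(".")
    if len(parts) < 2 or "" in parts:
        return False, "malformed name"
    # Every dotted component after the base name must be allow-listed, so
    # shell.png.php fails on "php" even though an earlier part looks harmless.
    exts = [p.lower() for p in parts[1:]]
    bad = [e for e in exts if e not in ALLOWED_MAGIC]
    if bad:
        return False, f"extension not allowed: {bad[0]}"
    ext = exts[-1]
    # Check the bytes against the extension, not against what the client claims.
    if not content.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample content
    for fn in ("photo.png", "shell.png.php", "shell.php#.png", "shell.php%00.gif"):
        print(f"{fn:20} naive={naive_check(fn)!s:5} hardened={validate_upload(fn, png)}")
```

Store accepted files under a server-generated name (for example a random token plus the validated extension) outside the web root, so the original name never reaches the filesystem.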