📖
NOTES
  • Welcome!
  • Reference
    • Hacking
      • Penetration Testing Resources Bookmarks
        • Research Links
        • Cheat Sheet
        • Learning/Training
        • Tools
        • Payloads
        • Shell
        • AI
        • Reads
        • Podcast
        • Social Engineering
      • Web/App Pentesting
        • SQL Injection
          • SQL Injection In The URL
          • SQL Injection In The Search Field
          • SQL Injection in Login forms
          • Boolean SQL Injection Blind
          • Time based SQL Injection Blind
          • Bypassing SQL Filters
          • SQL Injection with sqlmap
          • XPath Injection - Authentication Bypass
            • XPath Advanced Data Exfiltration
          • Payloads
        • XSS
          • Payloads
          • XSS Reflected
          • XSS Stored
          • Dom-based
          • Blind
        • Command Injection
          • Payloads
        • File Upload
          • Payloads
          • Bypass Filters
          • File Upload Tricks
        • SSRF
          • Payloads
        • LFI/RFI
          • Payloads
        • LDAP Injection
      • Port Swigger
        • Access control
          • Lab: Unprotected admin functionality
          • Unprotected admin functionality with unpredictable URL
          • User role controlled by request parameter
          • User ID controlled by request parameter, with unpredictable user IDs
          • User ID controlled by request parameter with password disclosure
        • Authentication
          • Username enumeration via different responses
        • Server-side request forgery (SSRF)
          • Basic SSRF against the local server
          • Basic SSRF against another back-end system
        • File Upload Vulnerabilities
          • Remote code execution via web shell upload
        • SQL Injection
          • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
      • Burp
        • Setting up Macro for intruder
      • ☁️Cloud
        • Tools
        • AWS
          • 🪣S3 Buckets
          • Amazon IAM
          • Dockers
            • Tools
        • Azure
        • GCP
      • Networking
        • Cheat Sheet
      • Hardware Hacking
        • Computer BIOS
    • HTML/CSS/JAVA
      • Tools
      • HTTP Response Status Codes
      • Bootstrap Templates
      • SSL
      • cURL
      • Grep
    • DataBase
      • My SQL
        • Cheat Sheet
        • Tools
    • PYTHON3
      • Code Resources
      • Python Reference Guide
        • Cheat Sheet
      • Code Projects
        • Jiggler Mouse
        • loan calculator
        • Bilnd LDAP Data Exfiltration
    • SEO
      • Tools
      • On-Page SEO
      • Local SEO and Keyword Research
      • Content Optimization
      • Technical SEO
      • Off-Page SEO Tools
      • Google Ads
    • Cloud
      • AWS
        • Light Sail
          • Hosting Website on Light Sail and Namecheap
        • Boto3
      • Azure
      • GCP
    • Files
      • PDF
Powered by GitBook
On this page
  1. Reference
  2. Hacking
  3. Web/App Pentesting
  4. File Upload

File Upload Tricks

Upload tricks

  • Use double extensions : .jpg.php, .png.php5

  • Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): .php.jpg

  • Random uppercase and lowercase : .pHp, .pHP5, .PhAr

  • Null byte (works well against pathinfo())

    • .php%00.gif

    • .php\x00.gif

    • .php%00.png

    • .php\x00.png

    • .php%00.jpg

    • .php\x00.jpg

  • Special characters

    • Multiple dots : file.php...... , in Windows when a file is created with dots at the end those will be removed.

    • Whitespace and new line characters

      • file.php%20

      • file.php%0d%0a.jpg

      • file.php%0a

    • Right to Left Override (RTLO): name.%E2%80%AEphp.jpg will became name.gpj.php.

    • Slash: file.php/, file.php.\, file.j\sp, file.j/sp

    • Multiple special characters: file.jsp/././././.

  • Mime type, change Content-Type : application/x-php or Content-Type : application/octet-stream to Content-Type : image/gif

    • Content-Type : image/gif

    • Content-Type : image/png

    • Content-Type : image/jpeg

    • Content-Type wordlist: SecLists/content-type.txt

    • Set the Content-Type twice: once for unallowed type and once for allowed.

  • Magic Bytes

    • Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.

      • PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[

      • JPG: \xff\xd8\xff

      • GIF: GIF87a OR GIF8;

    • Shell can also be added in the metadata

  • Using NTFS alternate data stream (ADS) in Windows. In this case, a colon character ":" will be inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension will be created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as using its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.")

PreviousBypass FiltersNextSSRF

Last updated 1 year ago