Insecure File Upload

File uploads can have a number of protections, both front-end and back-end.

Front-end protections can be bypassed with the browser's developer tools; back-end protections require a bit more nuance. We can capture the request with Burp Suite and change the data being sent.

Changing the extension of the file, as well as the first bytes of the file (the file signature, also called magic bytes) so that it matches an approved file type, can work here. A reference list of file signatures:

https://en.wikipedia.org/wiki/List_of_file_signatures

A good method is to upload a file that matches the approved file types, catch the request in Burp, then modify it with the content we want to send through. Be sure the filename keeps the executable extension.

Blocklists

If a server-side blocklist is filtering file extensions, we can try other file extensions that the server still executes as PHP; a list of candidates is here: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst

Null byte

On some older servers, we can bypass the server-side extension check by naming the file our_extension.accepted_extension with a null byte between the two. The validation code sees the whole string and accepts the trailing extension, while the lower-level file write stops at the null byte, so the file is stored with our extension:

shell.php%00.png
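To make the defensive side of all three techniques concrete, here is an added example (not from this page) of a naive server-side upload check beside a hardened one, in Python. The naive version simulates the pattern the bypasses above target: a blocklist on the declared extension, the client's filename reused for storage, and a write path that stops at the first null byte (the truncation is simulated in Python as an assumption about an older C-backed filesystem layer). The hardened version uses an allowlist, a strict filename pattern that rejects null bytes, literal %00 and double extensions, a magic-byte check against the allowlisted type, and a server-generated storage name. All function names and the sample byte strings are constructed for this example.

```python
import os
import re
import secrets
from typing import Optional

# ---- Naive check: blocklist on the declared extension, client name reused ----
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}


def naive_stored_name(filename: str) -> Optional[str]:
    """Return the name the file would be stored under, or None if blocked.

    Simulates the weak pattern: the check looks at the LAST extension of the
    whole string, but the (simulated) write path truncates at the first NUL.
    """
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return None
    # Assumption for the demo: an older filesystem layer stops at "\x00", so
    # "shell.php\x00.png" passed the check above but is written as "shell.php".
    return filename.split("\x00", 1)[0]


# ---- Hardened check: allowlist, strict name, magic bytes, server-side name ----
# extension -> accepted file signatures (magic bytes), per the signature list
# linked above; bytes.startswith() accepts a tuple of alternatives.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Exactly one dot, a short alphanumeric extension, no control characters,
# no "%", no path separators: this rejects "shell.php\x00.png",
# "shell.php%00.png" and "shell.php.png" before any other logic runs.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,100}\.[a-z0-9]{1,5}")


class UploadRejected(ValueError):
    """Raised when an upload fails validation."""


def hardened_stored_name(filename: str, data: bytes, token: Optional[str] = None) -> str:
    """Validate the upload and return the name it should be stored under."""
    # 1. Only the basename matters; any path component the client sent is dropped.
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(base):
        raise UploadRejected("filename fails strict pattern")
    ext = base.rsplit(".", 1)[1]

    # 2. Allowlist, never a blocklist: alternative PHP extensions never match.
    if ext not in ALLOWED_SIGNATURES:
        raise UploadRejected(f"extension not in allowlist: {ext}")

    # 3. The content must carry the signature of the claimed type. The client's
    #    Content-Type header is ignored entirely. Note that a matching header
    #    can be prepended to arbitrary content, so this check only complements
    #    the allowlist and the server-generated name; it does not replace them.
    if not data.startswith(ALLOWED_SIGNATURES[ext]):
        raise UploadRejected("magic bytes do not match extension")

    # 4. Never store under the client's name: generate one with the
    #    allowlisted extension (token parameter exists only to make tests
    #    deterministic).
    token = token or secrets.token_hex(16)
    return f"{token}.{ext}"


def is_rejected(filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the hardened check refuses the upload."""
    try:
        hardened_stored_name(filename, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG-like sample
    print("naive  :", naive_stored_name("shell.php\x00.png"))   # shell.php
    print("hardened:", is_rejected("shell.php\x00.png", png))    # True
```

The point of running both side by side is that each bypass on this page maps to one missing control: the null-byte trick needs a validator that reads a different string than the write path, the alternative-extension trick needs a blocklist, and the magic-byte trick needs a check that trusts content type alone. Storing uploads outside the web root, or on a path where the server never executes scripts, is the remaining control that the page does not cover and that this snippet cannot show.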
