File Uploads
WebShells
One good option for PHP is phpbash, which provides a terminal-like, semi-interactive web shell.
SecLists provides a plethora of web shells for different frameworks and languages.
Cheatsheet
PHP Web Shell |
PHP Reverse Shell |
List of Web Shells and Reverse Shells |
Bypasses
Command | Description
Client-Side Bypass |
 | Toggle Page Inspector
Blacklist Bypass |
 | Uncommon Extension
 | Case Manipulation
List of PHP Extensions |
List of ASP Extensions |
List of Web Extensions |
Whitelist Bypass |
 | Double Extension
 | Reverse Double Extension
 | Character Injection - Before/After Extension
Content-Type Bypass |
List of Web Content-Types |
List of All Content-Types |
List of File Signatures/Magic Bytes |
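Each bypass row in the table above is a gap in a naive server-side check: a blacklist that misses an extension or a case variant, a whitelist that looks only at the last or the first dot, a filter that can be split with an injected character, or a Content-Type check that trusts the client's header. The validator below is an added example (not code from this page, its author or HTB) showing the server-side checks that close those gaps together: path stripping, exactly one allowlisted extension, case normalisation, control/null-byte rejection, a declared Content-Type that must agree with the extension, a file-signature check on the body, and a random stored name so the client's name never reaches the filesystem. The allowlist table, the Content-Type/magic-byte pairs and the sample uploads are constructed for the example.

```python
import re
import secrets

# Constructed allowlist for this example: each permitted extension, the
# Content-Type it must be declared with, and the file signature the body
# must start with.  A blacklist of "bad" extensions is what the bypass
# rows above defeat, so the check is an allowlist throughout.
ALLOWED = {
    "jpg":  {"mime": "image/jpeg", "magic": (b"\xff\xd8\xff",)},
    "jpeg": {"mime": "image/jpeg", "magic": (b"\xff\xd8\xff",)},
    "png":  {"mime": "image/png",  "magic": (b"\x89PNG\r\n\x1a\n",)},
    "gif":  {"mime": "image/gif",  "magic": (b"GIF87a", b"GIF89a")},
}

# A stem of safe characters, exactly one dot, then the extension.  One dot
# rejects double extensions (shell.jpg.php) and reverse double extensions
# (shell.php.jpg) alike; the character class rejects injected ';', '%',
# '/', quotes and so on before or after the extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason, stored_name).

    stored_name is a random name carrying only the validated extension, so
    the client-supplied name never reaches the filesystem or a shell command.
    """
    # Only the last path component is considered; the client controls the
    # whole string, so traversal segments must not survive.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]

    # Raw control bytes and URL-encoded NUL (shell.php%00.jpg) are rejected
    # before any other parsing, since they truncate names in some stacks.
    if "%00" in base or any(ord(c) < 0x20 or ord(c) == 0x7F for c in base):
        return False, "control or null byte in file name", None

    m = SAFE_NAME.fullmatch(base)
    if not m:
        return False, "file name not of the form stem.ext", None

    # Case manipulation (shell.pHp) is normalised before the lookup.
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowlisted", None
    spec = ALLOWED[ext]

    # The declared Content-Type is client-controlled, so it is only accepted
    # when it agrees with the extension ...
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != spec["mime"]:
        return False, f"content-type {declared!r} does not match .{ext}", None

    # ... and the body must carry the matching signature.  This check alone
    # is not enough: a body can carry valid magic bytes and still be
    # interpreted as script if the extension check were skipped.
    if not any(data.startswith(sig) for sig in spec["magic"]):
        return False, "file signature does not match extension", None

    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads, roughly one per bypass row plus a clean file.
    samples = [
        ("shell.php",        "application/x-php", b"<?php "),
        ("shell.pHp",        "image/jpeg",        b"\xff\xd8\xff"),
        ("shell.phtml",      "image/jpeg",        b"\xff\xd8\xff"),
        ("shell.jpg.php",    "image/jpeg",        b"\xff\xd8\xff"),
        ("shell.php.jpg",    "image/jpeg",        b"\xff\xd8\xff"),
        ("shell.php%00.jpg", "image/jpeg",        b"\xff\xd8\xff"),
        ("pic.jpg",          "image/jpeg",        b"<?php echo 1; ?>"),
        ("pic.png",          "image/jpeg",        b"\x89PNG\r\n\x1a\n"),
        ("../../pic.jpg",    "image/jpeg; q=1",   b"\xff\xd8\xff\xe0"),
    ]
    for name, ctype, body in samples:
        print(f"{name:20} {validate_upload(name, ctype, body)}")
```

The order of the checks matters less than the fact that every one of them is an allowlist decision made on the server: the extension is taken from the whole name rather than from either end of it, the Content-Type header is cross-checked instead of trusted, and the original name is discarded rather than sanitised. Storing uploads outside the web root (or serving them through a handler that never executes them) is the complementary control that limits the damage if a check is ever wrong.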
XSS
Many file types may allow us to introduce a Stored XSS vulnerability to the web application by uploading maliciously crafted versions of them.
The most basic example is when a web application allows us to upload HTML files. Although HTML files won't allow us to execute code (e.g., PHP), it would still be possible to implement JavaScript code within them to carry out an XSS or CSRF attack on whoever visits the uploaded HTML page.
Similarly, we can include an XSS payload in one of the file's metadata parameters that accept raw text, like the Comment or Artist parameters, as follows:
XSS attacks can also be carried out with SVG images, along with several other attacks. Scalable Vector Graphics (SVG) images are XML-based, and they describe 2D vector graphics, which the browser renders into an image. For this reason, we can modify their XML data to include an XSS payload. For example:
XXE
With SVG images, we can also include malicious XML data to leak the source code of the web application and other internal documents within the server. We can also use XXE to read source code in PHP web applications:
Injections in File Name
For example, if we name a file file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami, and then the web application attempts to move the uploaded file with an OS command (e.g. mv file /tmp), then our file name would inject the whoami command, which would get executed, giving us RCE.
Similarly, we may use an XSS payload in the file name (e.g. <script>alert(window.origin);</script>), which would get executed on the target's machine if the file name is displayed to them. We may also inject an SQL query in the file name (e.g. file';select+sleep(5);--.jpg), which may lead to an SQL injection if the file name is insecurely used in an SQL query.
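The SVG-based XSS and XXE above and the file-name injections just described all arrive inside data the application accepts, so a defender can inspect for them before anything is stored, rendered or logged. The Python below is an added example, not code from this page, its author or HTB. `inspect_svg` refuses any SVG that carries a DOCTYPE or ENTITY declaration (the hook an XXE payload needs, and something an image has no reason to contain) before it reaches a parser, then walks the parsed tree for script-like elements, `on*` event-handler attributes and `javascript:` links; `filename_findings` classifies a client-supplied name by the three injection styles listed above, for alerting rather than for cleaning. The sample SVG documents and file names are constructed for the example (the file names repeat the page's own).

```python
import re
import xml.etree.ElementTree as ET

# An uploaded image has no legitimate reason to carry a DOCTYPE, and the
# entity declarations an XXE payload needs can only live inside one, so
# the document is refused before any XML parser sees it.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe"}
ACTIVE_SCHEMES = {"javascript", "vbscript"}


def inspect_svg(data: bytes) -> list:
    """Return a list of findings for an uploaded SVG; [] means none were seen."""
    if DOCTYPE_RE.search(data):
        return ["DOCTYPE/ENTITY declaration present (possible XXE)"]
    try:
        # ElementTree's expat parser does not fetch external entities, but
        # the DOCTYPE refusal above means no entity declaration gets here.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if root.tag not in (SVG_NS + "svg", "svg"):
        findings.append(f"root element is {root.tag!r}, not <svg>")
    for el in root.iter():
        local = el.tag.split("}", 1)[-1].lower()        # drop the namespace
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for attr, value in el.attrib.items():
            aname = attr.split("}", 1)[-1].lower()
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{local}>")
            elif aname == "href" or attr == XLINK_HREF:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ACTIVE_SCHEMES:
                    findings.append(f"{scheme}: URL in {aname} on <{local}>")
    return findings


# Patterns for the three file-name injection styles described above, used
# to classify a client-supplied name for logging and alerting.  The name
# itself should never be used to build a command, a page or a query.
FILENAME_PATTERNS = (
    (re.compile(r"\$\(|`|\|\||&&|;"), "shell metacharacters"),
    (re.compile(r"<[A-Za-z/!]"), "HTML tag start"),
    (re.compile(r"'|--|/\*"), "SQL quote or comment"),
)


def filename_findings(name: str) -> list:
    """Return the labels of every injection pattern the name matches."""
    return [label for pattern, label in FILENAME_PATTERNS if pattern.search(name)]


# Constructed samples for the example; none comes from a real upload.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
             b'<rect width="10" height="10"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(window.origin)</script></svg>'
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(window.origin)">'
               b'<circle r="1"/></svg>')
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(window.origin)"><text>x</text></a></svg>')
DOCTYPE_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ex "x">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg">&ex;</svg>')

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG),
                       ("handler", HANDLER_SVG), ("link", LINK_SVG),
                       ("doctype", DOCTYPE_SVG)]:
        print(f"{label:8} {inspect_svg(doc)}")
    for name in ["file$(whoami).jpg", "file`whoami`.jpg", "file.jpg||whoami",
                 "<script>alert(window.origin);</script>",
                 "file';select+sleep(5);--.jpg", "holiday-2024.jpg"]:
        print(f"{name:40} {filename_findings(name)}")
```

The inspection is a detection aid, not a substitute for the stronger controls: if SVG must be accepted at all, serving it with `Content-Disposition: attachment` or from a separate origin keeps any script it carries out of the application's origin, and storing uploads under a server-generated name removes the file-name injection class entirely rather than trying to recognise every variant of it.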