Monday, December 28, 2015

pentest - possible PHP upload file extension bypass

If upload file types seem to be checked properly, here are some possible bypasses you should try.

  • shell.jpg.php (satisfies a check that only looks for jpg)
  • shell.jpg.PhP (obfuscation)
  • shell.php;.jpg (whatever comes after ";" is sometimes ignored)
  • shell.php%0delete0.jpg (the infamous NULL byte, which cuts off the trailing text; remove the word "delete" so the zeros join together, Blogspot strips this string!)
  • shell.php.test (defaults to the first recognised extension, ignoring "test")
  • shell.php.xxxjpg (still ends in "jpg", but it is not a recognised extension, so it may be parsed as PHP)
  • .phtml (a commonly used PHP-parsed extension that is often forgotten about!)
  • .php3/.php4/.php5 (valid PHP extensions possibly left out of extension blacklists)
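
Seen from the defending side, every name in the list above fails a check that allowlists a single, case-folded extension and never reuses the client's file name. The following is an added example, not code from the original post; `ALLOWED_EXT` and `safe_upload_name()` are hypothetical names and the allowed extensions are an assumption.

```php
<?php
// Added example, not from the original post. ALLOWED_EXT and
// safe_upload_name() are hypothetical names; the allowlist is an assumption.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

// Returns a server-generated storage name, or null if the name is rejected.
function safe_upload_name(string $clientName): ?string
{
    // Decode once so a percent-encoded NUL or ';' is seen as the raw byte.
    $name = rawurldecode($clientName);

    // Reject control bytes (NUL included), path separators and ';'.
    if (preg_match('/[\x00-\x1f\x7f\/\\\\;]/', $name)) {
        return null;
    }

    // Require exactly one dot ("base.ext"). Multi-extension names such as
    // shell.jpg.php, shell.php.test and shell.php.xxxjpg are refused outright,
    // so it no longer matters which extension the server would act on.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }

    // Compare case-insensitively against an allowlist, not a blacklist:
    // .PhP, .phtml, .php3/.php4/.php5 all fail because they are not listed.
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }

    // Store under a random name; only the vetted extension is kept.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample input: the names from the list above plus two benign ones.
$samples = [
    'shell.jpg.php', 'shell.jpg.PhP', 'shell.php;.jpg', 'shell.php%00.jpg',
    "shell.php\0.jpg", 'shell.php.test', 'shell.php.xxxjpg', 'shell.phtml',
    'shell.php5', 'holiday.jpg', 'Holiday.JPG',
];
foreach ($samples as $s) {
    $verdict = safe_upload_name($s) === null ? 'REJECT' : 'accept';
    printf("%-20s %s\n", addcslashes($s, "\0..\37"), $verdict);
}
```

Only the two benign names are accepted. The name check is one layer; the stored file should also live where the web server will not execute it.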