
File upload

The document discusses various vulnerabilities related to file uploads, including bypassing file extension checks and content type validation. It outlines scenarios where attackers can exploit these vulnerabilities to upload malicious files, such as using null byte injection and path traversal techniques. Mitigation strategies are suggested, including proper blacklisting of file types and validating file extensions and content types more rigorously.

Uploaded by

vne edu
File upload vulnerability

Meaning: happens when a web server allows users to upload files to its filesystem without validating things.

Impact
- An attacker could potentially upload server-side code and take full control over the server.
- Allows an attacker to overwrite critical files.
- Attackers are able to upload files to unanticipated locations if it is also vulnerable to Path Traversal.

Scenario 1: Blacklisting dangerous files
- The developer validates the uploaded file for extensions such as exe, php, ... and blocks them.
- Bypass
  - If it doesn't check the case sensitivity of the file extension, we can use PHP, PhP, EXE, ExE.
  - Scenario 1: we can use an old extension: .pht, .htmls, ...
  - Scenario 2: we can add a new configuration file (.htaccess)
    - Upload a file .htaccess.
    - Change the content type to text.
    - Add this as payload to allow executing a php file with the .lol extension:
      AddType application/x-httpd-php .lol
    - Upload our php file as exploit.lol.
- Mitigation
  - Block all case variants:
    ^.*\.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$/i
    /i => capital and small letters

Scenario 2: The developer properly blacklists .php files (.php, PHP, or php5)
- Apache-Linux
  - Bypass validation using the .pht extension => Apache understands it as php and executes it normally.
  - A PHT file stores an HTML page that includes a PHP script.
- The same validation is done for asp pages.
- IIS-Windows
  - Bypass using the .cer and .asa extensions.
  - IIS <= 7.5 has both *.asa and *.cer mapped to asp.dll, thus executing ASP code.

Scenario 3: Validating filename only (whitelist)
- Here the regex validates that the filename contains .jpg but doesn't validate that the filename ends with .jpg.
- Bypass
  - Use file.jpg.php.
  - It's a php file, but we put jpg in the name to bypass the regex filter.

Scenario 4: Null byte injection
- The null character is a control character with the value zero.
- PHP treats the null byte %00 as a terminator.
- Scenario: the php extension is blocked (images only)
  - Here the server checks the last extension, and the file name is 1.jpg.
  - But the file will be treated as .php due to termination of whatever comes after the null byte.
- Bypass
  - shell.php%001.jpg or shell.php\x00.jpg
  - When the server works with the file it removes .jpg, and it will be shell.php.
  - Our upload will be shell.php.

Scenario 5: Vulnerability in Content-Type (PortSwigger)
- The application accepts images only.
- When we try to upload file.php, the app refuses and tells us it only uploads image/png files.
- Bypass
  - Intercept the request when uploading file.php.
  - Change the content type of our upload to image/png and send the request.
  - It may succeed and upload file.php.

File upload via path traversal
- If the application allows php.
- We can upload the file into the parent folder with ../exploit.php.

Add payload in image if the server allows only images
- Get any photo and use exiftool to put the payload in the image.
- Then upload our php file and the server sees it as an image.
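
An allowlist check that rejects each filename used in the scenarios above, given here as an added example and not code from the original document. The function name `check_upload`, the allowed image types and the sample inputs are assumptions made for illustration.

```python
import os
import re
import secrets

# Allowlist: final extension -> leading bytes the content must start with.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Anchored at both ends: one base name, exactly one dot, one extension.
SAFE_NAME = re.compile(r"\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\Z")


def check_upload(filename, data):
    """Return (stored_name, reason); stored_name is None when rejected.

    The client-supplied Content-Type is deliberately not an input.
    """
    if "\x00" in filename or "%00" in filename:
        return None, "null byte in filename"
    if os.path.basename(filename.replace("\\", "/")) != filename:
        return None, "path component in filename"
    match = SAFE_NAME.match(filename)
    if match is None:
        return None, "name is not <base>.<ext>"
    ext = match.group(1).lower()  # compare extensions case-insensitively
    if ext not in ALLOWED:
        return None, "extension not allowed"
    if not data.startswith(ALLOWED[ext]):
        return None, "content does not match extension"
    # Store under a server-generated name; the client's name never reaches disk.
    return f"{secrets.token_hex(16)}.{ext}", "ok"


# Constructed samples: the filenames from the scenarios above, plus one valid PNG.
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
SAMPLES = [
    ("shell.PhP", PNG), ("exploit.pht", PNG), (".htaccess", b"AddType ..."),
    ("exploit.lol", PNG), ("shell.cer", PNG), ("file.jpg.php", PNG),
    ("shell.php%001.jpg", PNG), ("shell.php\x00.jpg", PNG),
    ("../exploit.php", PNG), ("1.jpg", b"plain text"), ("photo.png", PNG),
]

if __name__ == "__main__":
    for name, body in SAMPLES:
        print(repr(name), "->", check_upload(name, body))
```

An image carrying a payload in its metadata still starts with valid image bytes and passes the content check; it stays inert because it is stored under a generated name with an image extension, so the server has no handler that would execute it.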
