FILE UPLOAD ATTACKS: Blacklist Filters

Hello everyone!
I faced an issue and can’t pass this task. What was done:

  • Created a file for injection to find out where the page is:
<?php echo 'Backdoor is here!!!'; ?>
  • Intercepted the request with Burp → sent it to Intruder. Tried all PHP extensions: php, phps, php3, php4, php5, phtml, phtm. Only php, phps, php5 and phtml are blocked on the server. Tried the others: the file uploads, but the page doesn’t show my output → the file is there but doesn’t execute on the server

  • Tried Intruder with other methods: pHp, php%00, php\x00 - doesn’t work, and I don’t know how to send requests for files with a %00 extension, etc…

Do you have any hints/ideas what to try and what I’m doing wrong?

2 Likes

Hope you got the answer by now… Just in case you haven’t, try and make use of the cheat sheet resources.

PHP Extensions

Make use of this extension list as your intruder payload. Also make sure to untick URL encoding. After uploading you can use intruder again to look for the files you have uploaded. See which extension gives you back the result you were expecting.

Hope this is helpful…
Happy Hacking!!!

3 Likes

Thank you for a good tip!
My error was in not using this list, plus I hadn’t used Intruder when performing the GET request. Now I’ve found a working extension, thank you :slight_smile:

1 Like

Hey, I am curious what you mean by “Intruder with GET request”, because I am only seeing a POST that the attack can be run on. Also I am having trouble: I used the list he mentioned and I am still not seeing them reflected on the server.

Hi!
We’re using a POST request to upload our file, but to exploit it we have to use a GET request with the path to our file.
Please describe how you’re using Burp: have you disabled URL encoding of the request, etc.?
For me, the biggest problem was there :slight_smile: The PHP extension can easily be found in the list above, or you can create that list with additional characters as in my first message in the thread.
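The thread is about a blacklist filter that denies a handful of PHP extensions and lets variants through. The following is an added example, not code from the thread or from the course module it discusses: it puts a constructed weak blacklist check beside an allowlist check written the way a defender would validate an upload filename (normalize case, reject null bytes and percent-encoded bytes, refuse double extensions, accept only the image types the feature needs, and store under a server-generated name). The blocked and allowed extension sets are assumptions chosen for the demonstration.

```python
"""Upload filename validation: a weak blacklist check beside an allowlist check."""
import os
import secrets
from typing import Optional

# Constructed weak check: deny only a short, case-sensitive list of extensions.
BLOCKED_EXTENSIONS = {"php", "phps", "php5", "phtml"}

# Hardened check: allow only the image types the upload feature actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def blacklist_allows(filename: str) -> bool:
    """Weak check (for contrast): accept anything whose last extension is not listed."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one extension, lowercase-compared, from the allowlist."""
    # Reject control characters (including an embedded null byte) outright.
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        return False
    # Work on the basename only; reject percent-encoded bytes that arrive raw.
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "%" in base:
        return False
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False  # no double extensions, no dot-files, no missing extension
    return parts[1] in ALLOWED_EXTENSIONS


def safe_stored_name(filename: str) -> Optional[str]:
    """Server-generated storage name with the validated extension, or None if rejected."""
    if not allowlist_allows(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for name in ["avatar.jpg", "shell.php", "shell.php4", "shell.pHp", "shell.php.jpg"]:
        print(f"{name:16} blacklist={blacklist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```

The point the comparison makes is that a deny list has to enumerate every handler extension and every case variant the web server might honour, while an allow list only has to name the few types the application needs; renaming the stored file removes the attacker's control over the extension entirely.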

Hi,

I have identified the extensions which are not blocked, but the PHP code is not executing; could you please give me some hint?

1 Like

I’m confused. I fuzzed with ffuf and Burp and I tried different extensions


php4,php2,php.jpg

I was able to upload them but they couldn’t be executed.


“shell1.php.jpg?cmd=id” cannot be displayed because it contains errors.

I am also getting the same issue. After fuzzing the extensions, many extensions get uploaded successfully, but when we call the file, the file is downloaded instead of the PHP code being executed. I tried with a PHP hello world too.

<?php echo "Hello world" ?>

The file is uploading but not executing the PHP code. I have tried so many times over so many days, but I am still getting the same issue.

Same issue here. When I upload the file with a good extension, the response doesn’t execute the PHP code, it only shows the PHP code.



Can anyone give me a hint? The upload icon is always greyed out, even when using extensions that shouldn’t be blocked, like pgif.

I don’t see any way to do that as there aren’t any GET requests that allow for you to point to a file. I don’t see how you’re able to do that in this situation. When you upload a file, it generates a POST request only. Where are you getting your GET request from?

The easiest way to do this is that once you have the responses that give a length of 193, just use the browser to constantly change to one of those extensions. Keep adjusting the extension until you hit the right one. There is one that doesn’t print the command on the page.

1 Like

For some reason I’m able to upload a lot of different extensions, but when I go to the directory and try to run any command with “?cmd=” I just don’t get any output back.

Even if your files (PHP types in this case) get uploaded, there are still cases where they won’t get executed. So once you’ve worked on bypassing the upload restrictions, you’ve got to work on fuzzing to find the extensions that actually execute the file.

1 Like
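Several replies above note that an uploaded file only matters once the server actually executes it, and the traces of that (a burst of upload POSTs with identical response lengths, then GET requests for script-like names under the upload directory, often with a command parameter) are exactly what a defender can alert on. The following is an added example, not from the thread: detection logic run over a few constructed access-log lines in combined format. The upload directory `/profile_images/`, the endpoint `/upload.php`, the burst threshold and the sample lines are all assumptions made for the demonstration.

```python
"""Flag access-log entries that look like a dropped script being reached in the upload dir."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

UPLOAD_DIR = "/profile_images/"    # assumed location of stored uploads
UPLOAD_ENDPOINT = "/upload.php"    # assumed upload handler
BURST_THRESHOLD = 3                # upload POSTs from one IP before we call it fuzzing

# Any dot-separated segment of the basename that looks like a PHP handler extension,
# so "shell.php.jpg" and "shell.php%00.jpg" are caught as well as "shell.phtml".
SCRIPT_SEGMENT_RE = re.compile(r"^ph(p\d*|ps|tml|tm|ar)$", re.IGNORECASE)
# Query keys commonly used to pass a command to a dropped script.
COMMAND_KEYS = {"cmd", "c", "exec", "command"}

# Constructed sample lines (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:00 +0000] "POST /upload.php HTTP/1.1" 200 193 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:01 +0000] "POST /upload.php HTTP/1.1" 200 193 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "POST /upload.php HTTP/1.1" 200 193 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:03 +0000] "GET /profile_images/shell.phtml?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:04 +0000] "GET /profile_images/shell.php7 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
10.0.0.5 - - [12/May/2024:10:01:05 +0000] "GET /profile_images/shell.php%00.jpg HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:02:00 +0000] "GET /profile_images/avatar.jpg HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2024:10:02:10 +0000] "GET /profile_images/photo.png?size=large HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def script_like(path: str) -> bool:
    """True if any extension segment of the basename matches a PHP handler extension."""
    base = path.rsplit("/", 1)[-1]
    segments = re.split(r"[.\x00]", base)[1:]   # a decoded null byte also ends a segment
    return any(SCRIPT_SEGMENT_RE.match(seg) for seg in segments)


def find_suspicious(log_text: str) -> List[Dict[str, str]]:
    """Per-request findings first, then per-IP upload-burst findings."""
    findings: List[Dict[str, str]] = []
    upload_posts: Counter = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path, _, query = unquote(rec["target"]).partition("?")
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            upload_posts[rec["ip"]] += 1
            continue
        if not path.startswith(UPLOAD_DIR):
            continue
        reasons = []
        if script_like(path):
            reasons.append("script-like extension in upload dir")
        keys = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        if keys & COMMAND_KEYS:
            reasons.append("command-style query parameter")
        if reasons:
            findings.append({"ip": rec["ip"], "target": rec["target"], "reason": "; ".join(reasons)})
    for ip, n in upload_posts.items():
        if n >= BURST_THRESHOLD:
            findings.append({"ip": ip, "target": UPLOAD_ENDPOINT,
                             "reason": f"{n} upload POSTs (possible extension fuzzing)"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['ip']:10} {f['target']:45} {f['reason']}")
```

Matching on every name segment rather than only the last one is deliberate: the web server's handler mapping, not the last extension, decides whether a file runs, so a rule keyed on "ends with .jpg" would miss the double-extension and null-byte names the thread discusses. The GET for the 404'd `shell.php%00.jpg` is still reported, because a failed probe is as useful a signal as a successful one.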

Check with a custom filename, shell is blacklisted… then check the extension…

I don’t know why you have to upload the files with Burp and not directly. Doing it while fuzzing and changing the content to the shell works. Anyone know why this is, why you have to use Burp?

Hello guys, I’ve just done this chapter. I encountered the same problem: among the extensions that return 193 there is one that you can use and the server will execute PHP. Don’t lose time trying different payloads with an exclusive extension; just use the payload mentioned in the chapter and try each extension, and you’ll find the correct one in no time.

Hi, I got the correct extension and the file was uploaded successfully, and I can execute a hello world program in PHP as well, but I am unable to read flag.txt: it says there is no such file as flag.txt. I have restarted the machine multiple times; it has been 3 days and I am stuck. Can anyone help please? Attaching a screenshot for reference.