I’m working on making a box to test file upload vulnerabilities and understand what causes them. I made two versions of this box; the first allows unrestricted uploads. This was easy to exploit because any reverse shell can be uploaded, browsed to, and executed - I used PHP in this example with no issues.
In the other situation, I turned on extension whitelisting. At a very basic level it says you can only upload JPGs and PNGs (it does no MIME checks). In the past I have bypassed this by adding something like `.php.jpg`, for example.
What’s weird is that when I do this, it bypasses the upload restriction, but when I browse to the file it shows a page with a black square and does not execute. However, if I log into the server and run `php script.php.jpg` against the file I uploaded, it executes as expected and I get a reverse shell.
Any idea what would cause the second file to not execute? Changes to PHP or Apache? I’m using Ubuntu 18.04 and LAMP (via `apt-get install lamp-server^`).
Thanks in advance for any knowledge that can be shared.
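Added worked example (not part of the question above): the difference the poster is seeing usually comes down to how Apache decides to hand a file to PHP. The old `AddHandler application/x-httpd-php .php` style goes through mod_mime, which treats every dot-separated part of a filename as an extension and applies any registered one regardless of position, so `shell.php.jpg` runs. Debian/Ubuntu's `libapache2-mod-php` instead ships a `<FilesMatch>` block whose regex anchors the PHP extension to the end of the name, so `shell.php.jpg` is served as a plain file with the `image/jpeg` type derived from `.jpg`, which is why the browser tries to render it as an image and the CLI `php` binary (which does not care about the filename) still runs it. The script below simulates both matching rules. The `FilesMatch` pattern is reproduced from memory and should be checked against `/etc/apache2/mods-enabled/php7.*.conf` on the box; the filenames are constructed test inputs.

```python
import re

# Pattern used by Debian/Ubuntu's php7.x.conf (assumption: reproduced from memory;
# verify with: grep -r FilesMatch /etc/apache2/mods-enabled/php7.*.conf).
# SetHandler only applies when the regex matches, and the trailing $ pins the PHP
# extension to the END of the filename.
FILESMATCH_PATTERN = r".+\.ph(ar|p|tml)$"

# Extensions registered by the older configuration style:
#     AddHandler application/x-httpd-php .php
ADDHANDLER_EXTS = {"php"}


def filesmatch_executes(filename: str, pattern: str = FILESMATCH_PATTERN) -> bool:
    """True if an Apache <FilesMatch pattern> SetHandler block would pass the file to PHP.

    FilesMatch regexes are case-sensitive unless written with (?i).
    """
    return re.search(pattern, filename) is not None


def addhandler_executes(filename: str, exts=ADDHANDLER_EXTS) -> bool:
    """mod_mime semantics for AddHandler: every dot-separated part after the base name
    is an extension, matched case-insensitively, and any registered one applies
    no matter where it sits. A later .jpg only changes the Content-Type; the handler
    set by .php still wins, so the file is executed.
    """
    parts = filename.split(".")[1:]
    return any(part.lower() in exts for part in parts)


def compare(filenames):
    """Map each filename to (executes_under_AddHandler, executes_under_FilesMatch)."""
    return {f: (addhandler_executes(f), filesmatch_executes(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed candidate uploads.
    for name, (old, new) in compare(
        ["shell.php", "shell.php.jpg", "shell.jpg.php", "shell.phtml", "shell.jpg"]
    ).items():
        print(f"{name:16} AddHandler={old!s:5} FilesMatch={new!s:5}")
```

Running it shows `shell.php.jpg` executing only under the `AddHandler` rule, while `shell.jpg.php` and `shell.phtml` satisfy the `FilesMatch` regex; whether either of those reaches the server depends on what the whitelist in the upload handler actually accepts, which the question does not spell out.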