.php and .jsp) to be executed as code. In this case, an attacker could potentially upload a server-side code file that functions as a webshell, effectively granting them full control over the server.

The Content-Type response header may provide clues as to what kind of file the server thinks it has served. If this header hasn't been explicitly set by the application code, it normally contains the result of the file extension/MIME type mapping.

test.txt and test.tXt are equivalent: rename webshell.php to webshell.pHp to bypass the file extension restriction on IIS. You can also achieve similar results using the following techniques:

exploit.php.jpg
exploit.php.
exploit%2Ephp
exploit.asp;.jpg or exploit.asp%00.jpg
xC0 x2E, xC4 xAE or xC0 xAE may be translated to x2E if the filename is parsed as a UTF-8 string, but then converted to ASCII characters before being used in a path.

If .php is blocked, we can define a new file extension such as .test and let the web server execute files with this new extension as PHP. We do this by uploading a .htaccess file for Apache or a web.config file for IIS.

test.txt and test.txt::$DATA refer to the same data stream. That is, writing to test.txt::$DATA is equivalent to writing to test.txt. We can utilize this feature for upload bypass.

webshell.php%00.png. The parser will take this file as a legitimate .png image and store it. If the filename is passed in as an HTTP header, we can name the webshell webshell.php .png and change the whitespace to a null byte in Burp's hex editor.

If the filename is generated with uniqid(), it can potentially be brute-forced.

PUT requests. If appropriate defenses aren't in place, this can provide an alternative means of uploading malicious files, even when an upload function isn't available via the web interface. Send OPTIONS requests to different endpoints to test for any that advertise support for the PUT method.
method.find -mmin n -name *.php /var/www/html/
/var/www/html/
that are modified in the last n
minutes.find . -name "*.php" -print0 | xargs -0 grep -rn 'shell_exec'
shell_exec
grep -i keyword "eval"
eval
is found, print that line.
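Pulling the filename tricks listed on this page together, here is an added example (not code from the original page) of a server-side filename check that rejects each of them before the file is written. The extension allow-list, the function name and the sample names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: extensions this upload endpoint is meant to accept.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}
# Server configuration files that would redefine which extensions execute.
FORBIDDEN_NAMES = {".htaccess", "web.config"}


def validate_upload_filename(raw):
    """Return the canonical filename, or None if the upload must be rejected.

    The name is normalised the way a lenient server might normalise it, and
    the normalised form is what gets checked, so tricks that rely on a
    difference between the validator's view and the filesystem's view fail.
    """
    if isinstance(raw, bytes):
        # Overlong UTF-8 such as \xC0\xAE is invalid UTF-8; refuse it rather
        # than letting a forgiving decoder turn it into '.' later on.
        try:
            raw = raw.decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            return None
    # Decode percent-encoding once (exploit%2Ephp), then refuse anything still
    # encoded, any null byte (exploit.asp%00.jpg) and any path separator.
    name = unquote(raw)
    if "%" in name or "\x00" in name or "/" in name or "\\" in name:
        return None
    # NTFS alternate data streams (test.txt::$DATA) and the ';' that older
    # IIS versions treat as the end of the name (exploit.asp;.jpg).
    if ":" in name or ";" in name:
        return None
    # Windows strips trailing dots and spaces, so 'exploit.php.' would be
    # stored as 'exploit.php'; reject names that would change on disk.
    if name != name.rstrip(". "):
        return None
    if name.lower() in FORBIDDEN_NAMES:
        return None
    # Exactly one extension: rejects double extensions such as exploit.php.jpg
    # and the 'webshell.php .png' variant that splits into three parts.
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    base, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return None
    # Compare case-insensitively so webshell.pHp is not seen as a new extension.
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{base}.{ext}"
```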