.jsp) to be executed as code. In this case, an attacker could potentially upload a server-side code file that functions as a webshell, effectively granting them full control over the server.
`webshell.pHp` to bypass file extension restrictions on IIS. You can also achieve similar results using the following techniques:
`\xC0\xAE` may be translated to `\x2E` if the filename is parsed as a UTF-8 string but then converted to ASCII characters before being used in a path.
`.php`, we can define a new file extension such as `.test` and let the web server execute this new file extension as a PHP file. We do this by uploading `.htaccess` for Apache or
`test.txt::$DATA` refer to the same data stream. That is, writing to `test.txt::$DATA` is equivalent to writing to `test.txt`. We can utilize this feature for upload bypass.
`webshell.php%00.png`. The parser will take this file as a legitimate `.png` image and store it. If the filename is passed in an HTTP header, we can name the webshell `webshell.php .png` and change the whitespace to a null byte in Burp's hex editor.
`uniqid()`, it can potentially be brute-forced.
`PUT` requests. If appropriate defenses aren't in place, this can provide an alternative means of uploading malicious files, even when an upload function isn't available via the web interface.
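As an added example (not code from the original page), the following Python validator applies the corresponding defence for each bypass discussed above: strict UTF-8 decoding, rejection of control characters, colons and dot-files, a single case-folded extension checked against an allowlist, and a server-generated random name instead of uniqid(). The allowlist and the function names are assumptions.

```python
import secrets
from pathlib import PurePosixPath

# Extensions the upload handler accepts (assumed policy for this example).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

class RejectedUpload(ValueError):
    """Raised when a client-supplied filename fails validation."""

def validate_upload_name(raw: bytes) -> str:
    """Return the lower-cased extension if the client filename is acceptable."""
    # Strict decoding rejects overlong sequences such as \xC0\xAE for '.'.
    try:
        name = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedUpload(f"invalid UTF-8: {exc.reason}") from exc
    # A null byte (or any other control character) must never reach the filesystem.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise RejectedUpload("control character in filename")
    # Keep only the final path component; the client does not choose directories.
    base = PurePosixPath(name.replace("\\", "/")).name
    if not base or base.startswith("."):
        raise RejectedUpload("empty name or dot-file such as .htaccess")
    # A colon would allow an NTFS stream suffix like test.txt::$DATA.
    if ":" in base:
        raise RejectedUpload("colon in filename")
    # Exactly one extension, so webshell.php.png and 'webshell.php .png' fail.
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise RejectedUpload("expected exactly one extension")
    # Compare case-insensitively so webshell.pHp is judged as php.
    ext = parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension not allowed: {ext}")
    return ext

def stored_name(ext: str) -> str:
    """Choose the on-disk name server-side; unguessable, unlike uniqid()."""
    return f"{secrets.token_hex(16)}.{ext}"

def is_acceptable(raw: bytes) -> bool:
    """True if validate_upload_name() would accept the filename."""
    try:
        validate_upload_name(raw)
    except RejectedUpload:
        return False
    return True
```

Only the validated extension is kept from the client's name; the stored filename itself is generated on the server.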
find /var/www/html/ -mmin -n -name '*.php'
/var/www/html/ that are modified in the last
find . -name "*.php" -print0 | xargs -0 grep -rn 'shell_exec'
grep -i "eval" <file>
`eval` is found, print that line.