# File Upload Bypass Checklist ### File Upload Testing Check List **Discovery:** * [ ] Identify File Upload Points \ **Windows IIS Server Black List File Upload Bypass:** * [ ] Upload a file with the semi colon after the black listed extension, such as: **`shell.asp;.jpg`** * [ ] Upload a directory with the .asp extension, then name the script within the directory with a permitted file extension, example: **`folder.asp\file.txt`** * [ ] When serving PHP via IIS `> < and .` get converted back to `? * .` * [ ] Use characters that can replace files, example **`<<`**** ****can replace**** ****`web.config`** * [ ] Try using spaces or dots after characters, example: **`foo.asp..... .. . . .`** * [ ] Attempt to disclose information in an error message by uploading a file with forbidden characters within the filename such as: **`| > < * ?"`** **Apache Windows Black List Bypass:** * [ ] Windows 8.3 feature allows short names to replace existing files, example: web.config could be replaced by web\~config.con or .htaccess could be replaced by HTACCE\~1 * [ ] Attempt to upload a . file, if the upload function root is `/www/uploads/` it will create a file called uploads in the directory above. **General Black List Bypass:** * [ ] Identify what characters are being filtered – use burp intruder to assess the insert points with a meta character list * [ ] Ensure your list contains uncommon file extension types such as **`.php5`****,****`.php3`****,****`.phtml`** * [ ] Test for flaws in the protection mechanism, if it’s stripping file names can this be abused? Example: **`shell.p.phpp`** if the app strips .php it could rename the extension back to .php * [ ] Try a null byte `%00` at various places within the file name, example: **`shell.php%00.jpg`**, **`shell.php%0delete0.jpg`** – observe how the application responds * [ ] Double extensions: if the application is stripping or renaming the extension – What happens if you give it two extensions? Example: **`shell.php.php`** or 4 extentions **`shell.txt.jpg.png.asp`** * [ ] Try long file names, example, **`supermassivelongfileeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeename.php`** apply other filter bypass techniques used in conjunction with long file names * [ ] Try **`test.asp\`**, **`test.asp.\`** * [ ] Can you upload the flash XSS payload, that is named as a .jpg * [ ] Try the previous technique but use PDF or Silverlight instead * [ ] Same again but attempt to abuse crossdomain.xml or clientaccesspolicy.xml files * [ ] Try using **encoding** to bypass blacklist filters, try URL, HTML, Unicode and double encoding * [ ] Combine all of the above bypass techniques * [ ] Try using an alternative HTTP Verb, try using POST instead of **PUT** or GET (or vice versa), you can enumerate the options using Burp Intruder and the HTTP Verbs payload list * [ ] Additionally, ensure all input points are fuzzed for various input validation failures such as, XSS, Command Injection, XPath, SQLi, LDAPi, SSJI **Bypassing File Size Upload Checks:** * [ ] Use EXIF image file technique * [ ] Inject shell directly after image data within Burp request **Techniques for Executing Uploaded Shells:** * [ ] Apache MIME Types: Attempt to upload a renamed file e.g. **`shell.php.jpg`** or **`shell.asp;.jpg`** and assess if the web server process the file by exploiting weak Apache MIME types * [ ] Null Byte: Try a null byte **`%00`** at the end of the file name or within such as: **`shell.php%0delete0.jpg`**– observe how the application responds * [ ] Can you upload dot files, if so can you upload a .htaccess file an abuse AddType: `AddType application/x-httpd-php .foo` * [ ] Be mindful of any processing to upload files – Example: Could command injection be used within a file name that will later be processed by a backend backup script? * [ ] Be mindful of any processing to upload files – If compressed files are permitted, does the application extract them or vice versa? ***