Discovery:
Identify File Upload Points
Windows IIS Server Black List File Upload Bypass:
Upload a file with a semicolon after the blacklisted extension, such as: shell.asp;.jpg
Upload a directory with the .asp extension, then give the script inside the directory a permitted file extension, example: folder.asp\file.txt
When serving PHP via IIS, the characters > < and . are converted back to ? * .
Use characters that can replace existing files, example: << can replace web.config
Try adding trailing spaces or dots after the extension, example: foo.asp..... .. . . .
Attempt to disclose information in an error message by uploading a file with forbidden characters in the filename, such as: | > < * ?"
Apache Windows Black List Bypass:
The Windows 8.3 feature allows short names to replace existing files, example: web.config could be replaced by web~config.con, or .htaccess could be replaced by HTACCE~1
Attempt to upload a file named . (a single dot); if the upload function root is /www/uploads/ this will create a file called uploads in the directory above.
General Black List Bypass:
Identify which characters are being filtered; use Burp Intruder to assess the insert points with a meta-character list
Ensure your list contains uncommon file extension types such as .php5, .php3, .phtml
Test for flaws in the protection mechanism: if it strips parts of file names, can this be abused? Example: shell.p.phpp; if the app strips .php once, the remaining characters reassemble into the .php extension
Try a null byte %00 at various places within the file name, example: shell.php%00.jpg, shell.php%0delete0.jpg, and observe how the application responds
Double extensions: if the application is stripping or renaming the extension, what happens if you give it two extensions? Example: shell.php.php, or four extensions: shell.txt.jpg.png.asp
Try long file names, example: supermassivelongfileeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeename.php, and apply the other filter bypass techniques in conjunction with long file names
Try test.asp\ and test.asp.\
Can you upload the Flash XSS payload named as a .jpg?
Try the previous technique but with PDF or Silverlight instead
Same again, but attempt to abuse crossdomain.xml or clientaccesspolicy.xml files
Try using encoding to bypass blacklist filters: URL, HTML, Unicode and double encoding
Combine all of the above bypass techniques
Try an alternative HTTP verb: POST instead of PUT or GET (or vice versa); you can enumerate the options using Burp Intruder and the HTTP Verbs payload list
Additionally, ensure all input points are fuzzed for various input validation failures such as XSS, command injection, XPath, SQLi, LDAPi, SSJI
Bypassing File Size Upload Checks:
Use the EXIF image file technique
Inject the shell directly after the image data within the Burp request
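Both size-check bypasses above rely on the server trusting that an upload is an image because its extension or its size looks right. As an added example (not part of the original checklist), the Python check below validates the content instead: it compares magic bytes against the declared extension, verifies that nothing follows the format's end marker (the "appended after image data" case), and scans for script markers inside the image (the EXIF/metadata case). The accepted types, the function name and the sample byte strings are constructed assumptions, not real images.

```python
# Magic bytes for the image types this hypothetical endpoint accepts (assumption).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Markers that have no business inside an image; a hit means the file is not a plain image.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%", b"<script")


def check_image_bytes(data: bytes, ext: str):
    """Return (True, 'ok') or (False, reason). Catches the two size-check bypasses the
    checklist lists: a payload appended after the image data, and one smuggled inside
    the image's metadata (EXIF/comment segments) before the end marker."""
    ext = {"jpeg": "jpg"}.get(ext.lower(), ext.lower())
    if ext not in MAGIC:
        return False, "unknown type"
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return False, "magic mismatch"             # extension and content disagree
    if ext == "jpg":
        eoi = data.rfind(b"\xff\xd9")              # JPEG End Of Image marker
        if eoi == -1:
            return False, "no EOI marker"
        if eoi != len(data) - 2:
            return False, "data after EOI"         # something was appended to the image
    elif ext == "png":
        iend = data.rfind(b"IEND")                 # IEND chunk: type (4) + CRC (4), nothing after
        if iend == -1 or len(data) != iend + 8:
            return False, "data after IEND"
    elif ext == "gif":
        if data[-1:] != b"\x3b":                   # GIF trailer byte must be last
            return False, "data after GIF trailer"
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, "script marker inside image"   # EXIF/comment smuggling
    return True, "ok"


# Constructed samples (not real images): minimal headers and end markers only.
GOOD_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\xff\xd9"
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
APPENDED_JPEG = GOOD_JPEG + b"<?php /* constructed marker */ ?>"
EXIF_JPEG = b"\xff\xd8\xff\xe1" + b"<?php /* constructed marker */ ?>" + b"\xff\xd9"

if __name__ == "__main__":
    for label, sample, ext in (("good jpeg", GOOD_JPEG, "jpg"), ("good png", GOOD_PNG, "png"),
                               ("appended", APPENDED_JPEG, "jpg"), ("exif", EXIF_JPEG, "jpg")):
        print(f"{label:10} -> {check_image_bytes(sample, ext)}")
```

The marker scan is a cheap detection, not a proof of safety: compressed pixel data can contain those byte sequences by chance, and an attacker can pick markers this list does not know. The stronger mitigation is to re-encode every accepted image server-side and to store uploads outside the web root, served with a fixed Content-Type and no script handler, so that whatever survives inside the file is never executed.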
Techniques for Executing Uploaded Shells:
Apache MIME Types: attempt to upload a renamed file, e.g. shell.php.jpg or shell.asp;.jpg, and assess whether the web server processes the file by exploiting weak Apache MIME type handling
Null Byte: try a null byte %00 at the end of the file name or within it, such as: shell.php%0delete0.jpg, and observe how the application responds
Can you upload dot files? If so, can you upload a .htaccess file and abuse AddType: AddType application/x-httpd-php .foo
Be mindful of any processing of uploaded files. Example: could command injection be used within a file name that will later be processed by a backend backup script?
Be mindful of any processing of uploaded files. If compressed files are permitted, does the application extract them, or vice versa?