File Upload bypass¶
One common way to gain a shell is actually not really a vulnerability, but a feature! Often times it is possible to upload files to the webserver. This can be abused byt just uploading a reverse shell. The ability to upload shells are often hindered by filters that try to filter out files that could potentially be malicious. So that is what we have to bypass.
Rename Shell ¶
We can rename our shell and upload it as shell.php.jpg. It passed the filter and the file is executed as php.
php phtml, .php, .php3, .php4, .php5, and .inc
asp asp, .aspx
perl .pl, .pm, .cgi, .lib
jsp .jsp, .jspx, .jsw, .jsv, and .jspf
Coldfusion .cfm, .cfml, .cfc, .dbm
GIF89a; ¶
If they check the content. Basically you just add the text "GIF89a;" before you shell-code. So it would look something like this:
In image ¶
Exiftool is a great tool to view and manipulate exif-data. Then I had to rename the file
mv lo.jpg lo.php.jpg