File upload

Scenario 1: Blacklisting dangerous files

The developer validates the extension of the uploaded file against a list of dangerous ones, such as exe, php, ..., and blocks them.

If the check is case-sensitive and does not normalise the extension, we can use PHP, PhP, EXE, ExE instead.

Mitigation

Block every case variant with a case-insensitive regex:

/^.*\.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$/i

The /i flag matches both capital and small letters. The dot before the extension group must be escaped, otherwise it matches any character.
Scenario 2 (IIS-Windows)

The same blacklist validation is done for asp pages.

Bypass: use the .cer and .asa extensions. IIS <= 7.5 has both *.asa and *.cer mapped to asp.dll, so ASP code in those files is executed.
Scenario 3: Validating the filename only (whitelist)

Here the regex validates that the filename contains .jpg, but it does not validate that the filename ends with .jpg.

Bypass: use file.jpg.php. It is a PHP file, but the .jpg in the name is enough to satisfy the regex filter.
Scenario 4: Null byte injection when the php extension is blocked (images only)

The null character is a control character with the value zero. PHP treats the null byte %00 as a string terminator.

Bypass: shell.php%001.jpg (or, as a raw byte, shell.php\x00.jpg)

The server checks the last extension and sees the file name 1.jpg, but the file is treated as .php because everything after the null byte is cut off. When the server then works with the file, the .jpg part is dropped and the name becomes shell.php.
Scenario 5: Vulnerable Content-Type check (PortSwigger)

The application only accepts image uploads. When we try to upload file.php, the app refuses and tells us it only accepts image/png files.

Bypass: intercept the request while uploading file.php, change the Content-Type of our upload to image/png and send the request. It may succeed and upload file.php.

Bypass

Scenario 1: we can use an old extension such as .pht, .htmls, ...

Scenario 2: we can add a new configuration file (.htaccess).

Upload a file named .htaccess, changing its Content-Type to text, with this payload so that files with the .lol extension are executed as PHP:

AddType application/x-httpd-php .lol

Then upload our PHP file as exploit.lol; it is executed just as shell.php would be.
File upload via path traversal (if the application allows PHP)

Payload inside an image (if the server only allows images)

Take any photo and use exiftool to put the payload into the image metadata, then upload our PHP file: the server sees it as an image.
Meaning

The vulnerability happens when a web server allows users to upload files to its filesystem without validating them properly.

Impact

An attacker could upload server-side code and take full control over the server.

If the application is also vulnerable to path traversal, attackers are able to upload files to unanticipated locations and overwrite critical files.
Scenario 2 (Apache-Linux)

The developer properly blacklists .php files: .php, PHP, or php5.

Bypass the validation using the .pht extension: Apache understands it as PHP and executes it normally. A PHT file stores an HTML page that includes a PHP script.

Path traversal: we can upload the file into the parent folder with ../exploit.php.
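Added example, not part of the original notes: a Python allowlist check for upload filenames placed beside the weak patterns from scenario 1 (case-insensitive blacklist) and scenario 3 (unanchored "contains .jpg"), run over the bypass names the notes list (file.jpg.php, the null-byte name, the .pht extension, .htaccess and the ../ path). The ALLOWED_EXT policy and the function names are my own assumptions.

```python
import re

# Weak "contains .jpg" whitelist from scenario 3: not anchored to the end of the name.
WEAK_JPG = re.compile(r"\.jpg", re.I)

def weak_whitelist_allows(filename: str) -> bool:
    return WEAK_JPG.search(filename) is not None

# Blacklist from scenario 1 (anchored, case-insensitive). It still misses .pht and
# any name that ends in an innocent extension after a null byte.
BLACKLIST = re.compile(
    r"^.*\.(php|php1|php2|php3|php4|php5|php6|php7|phtml|exe)$", re.I)

def blacklist_allows(filename: str) -> bool:
    return BLACKLIST.match(filename) is None

# Hardened allowlist check (assumed policy: only these image extensions are stored).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}

def hardened_allows(filename: str) -> bool:
    # Scenario 4: a null byte, decoded or still URL-encoded, is never legitimate.
    if "\x00" in filename or "%00" in filename:
        return False
    # Path traversal: refuse separators and '..' instead of trying to strip them.
    if "/" in filename or "\\" in filename or ".." in filename:
        return False
    # Exactly one dot: rejects file.jpg.php (double extension) and .htaccess (no base).
    if filename.count(".") != 1:
        return False
    base, ext = filename.split(".")
    if not base:
        return False
    # Compare the final extension case-insensitively against the allowlist.
    return ext.lower() in ALLOWED_EXT

def compare(filename: str) -> dict:
    """Show which of the three checks lets a given upload name through."""
    return {
        "weak_whitelist": weak_whitelist_allows(filename),
        "blacklist": blacklist_allows(filename),
        "hardened": hardened_allows(filename),
    }

if __name__ == "__main__":
    # Constructed sample names taken from the bypasses described in the notes.
    for name in ["photo.JPG", "file.jpg.php", "shell.php\x001.jpg",
                 "shell.PhP", "exploit.pht", ".htaccess", "../exploit.php"]:
        print(repr(name), compare(name))
```

Only photo.JPG passes the hardened check; every other name slips past at least one of the two weak checks.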