samrot.blogg.se

How to use exiftool

The first method we'll explore is how to bypass blacklisting. Blacklisting is a type of protection where certain strings of data, in this case, specific extensions, are explicitly prohibited from being sent to the server. At first glance, it might seem like an optimal solution to prevent bad extensions, often executables, from being uploaded, but it is trivial to bypass.

In addition to the regular extensions, there are alternative extensions that can be used to get around blacklist filters, for example .inc. Another popular extension for web shells is JSP, and here are some alternatives. In some situations, simply changing the case of the extension can trick filters into accepting the file, like so: .phP

Method 2: Bypassing Whitelists

Another type of prevention commonly encountered on the web is whitelisting. Whitelisting is precisely the opposite of blacklisting, where the server accepts only specific extensions. For example, an application that allows you to upload a profile picture might only take JPG, JPEG, or PNG files. While this type of prevention is better than blacklisting, it can still be easily bypassed.

Some web servers, such as Apache, allow files with double extensions. That means we can trick the server into accepting a PHP file that also has a JPG extension tacked on the end:

We can also use a null byte injection to bypass whitelist filters. Anything after the null character will be ignored when the file is saved, so injecting between a forbidden extension and an allowed extension can lead to a bypass: shell.php%00.jpg

This can also be accomplished with Burp and modifying the hex request. Name the file - we'll replace the D character with a null character during the request. When uploading the file, intercept the request, go to the hex tab, and find the hex representation of the D character: This technique can be used in tricky situations where the standard null byte injection won't work.

Another way to beat whitelisting is to fool the server with file type headers. Usually, if an upload function accepts images, it will accept GIF files as well. We can add GIF89a to the beginning of the shell to trick the upload: GIF89a

Method 3: Exif Data

The next method to bypass file upload restrictions utilizes Exif data in an image. We can insert a comment that contains valid PHP code that will be executed by the server when the image is processed. We can use exiftool to do this. If it is not installed already, install it with the package manager:

~# apt install exiftool









