Exiftool cheat sheet
1/9/2023

In addition to the regular extensions, there are alternative extensions that can be used to get around blacklist filters.

inc

Another popular extension for web shells is JSP, and here are some alternatives.

In some situations, simply changing the case of the extension can trick filters into accepting the file, like so.

phP

Method 2: Bypassing Whitelists

Another type of prevention commonly encountered on the web is whitelisting. Whitelisting is precisely the opposite of blacklisting, where the server accepts only specific extensions. For example, an application that allows you to upload a profile picture might only take JPG, JPEG, or PNG files. While this type of prevention is better than blacklisting, it can still be easily bypassed.

Some web servers, such as Apache, allow files with double extensions. That means we can trick the server into accepting a PHP file that also has a JPG extension tacked on the end:

We can also use a null byte injection to bypass whitelist filters. Anything after the null character will be ignored when the file is saved, so injecting between a forbidden extension and an allowed extension can lead to a bypass:

shell.php%00.jpg

This can also be accomplished with Burp and modifying the hex request. Name the file - we'll replace the D character with a null character during the request. When uploading the file, intercept the request, go to the hex tab, and find the hex representation of the D character:

This technique can be used in tricky situations where the standard null byte injection won't work.

Another way to beat whitelisting is to fool the server with file type headers. Usually, if an upload function accepts images, it will accept GIF files as well. We can add GIF89a to the beginning of the shell to trick the upload:

GIF89a

Method 3: Exif Data

The next method to bypass file upload restrictions utilizes Exif data in an image. We can insert a comment that contains valid PHP code that will be executed by the server when the image is processed. We can use exiftool to do this - if it is not installed already, install it with the package manager:

~# apt install exiftool

Then we can insert a simple command shell as a comment in our pic:

~# exiftool -Comment="" pic.jpg

Now if we use the file command on our pic, we can see the code was successfully inserted:

~# file pic.jpg
Pic.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, comment: "", baseline, precision 8, 1920x840, components 3

All we have to do now is add a PHP extension so it can be executed:

~# mv pic.jpg

This technique can be combined with any of the approaches to bypass blacklists or whitelists.

Sometimes, the only thing preventing individual files from being uploaded is client-side JavaScript. If the upload function still works without it, simply turning off JavaScript in the browser can sometimes beat restrictions. If that doesn't work, intercepting the request and changing the file extension can easily bypass client-side filters.
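Seen from the server side, every bypass on this page (alternative and case-shifted extensions, double extensions, the null byte, a GIF89a header on a script, PHP in an Exif comment) defeats one missing check. The validator below is an added example, not code from the original page; the allow-list, the sample filenames and the byte strings are constructed for the demo.

```python
import re

# Allow-list: each accepted extension maps to the magic bytes its content
# must start with. Constructed for this demo; adjust to the app's needs.
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",            # covers both GIF87a and GIF89a
}
# Server-side code tags that have no business inside an image body. This is a
# heuristic detection layer; the durable fix is to re-encode the image and to
# serve uploads from a location where nothing is executed.
CODE_TAG = re.compile(rb"<\?php|<\?=|<%@|<script", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Each check closes one bypass from the text."""
    # Null-byte injection: reject the raw byte and its URL-encoded form.
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Double extensions: every component after the base name must be on the
    # allow-list, so shell.php.jpg fails even though it ends in .jpg. The
    # lowercasing also neutralises case variants such as .phP.
    exts = parts[1:]
    for ext in exts:
        if ext not in ALLOWED:
            return False, f"disallowed extension: {ext}"
    # Magic bytes must match the claimed type, not just look like some image.
    if not data.startswith(ALLOWED[exts[-1]]):
        return False, "content does not match extension"
    # A GIF89a-prefixed script or PHP in an Exif COM segment leaves a code
    # tag somewhere in the raw bytes; report where it was found.
    hit = CODE_TAG.search(data)
    if hit:
        return False, f"embedded code tag at offset {hit.start()}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples, not payloads: a JPEG whose COM segment (FF FE)
    # carries a PHP tag, and a GIF-headed file that is really a script.
    tagged_jpeg = b"\xff\xd8\xff\xfe\x00\x1c<?php /* constructed */ ?>"
    for name, body in [("shell.php%00.jpg", tagged_jpeg), ("shell.php.jpg", tagged_jpeg),
                       ("pic.phP", tagged_jpeg), ("pic.jpg", tagged_jpeg),
                       ("pic.gif", b"GIF89a<?php /* constructed */ ?>"),
                       ("pic.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")]:
        print(f"{name:18} {validate_upload(name, body)}")
```

Only the last sample is accepted; the others each fail on the check that corresponds to the trick they use.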