Level 2: blacklist extension check bypass

Let’s move on to the 2nd Level section. 

In this section, a protection mechanism is in place to prevent PHP file uploads, which means we can’t upload a file with the .php extension.

Developers sometimes add a blacklist of forbidden file extensions, which is considered harmful because any executable extension missing from the list still gets through.

<?php
// Deliberately vulnerable: the blacklist rejects only the exact extension "php".
$files = @$_FILES["files"];
$info = new SplFileInfo($files["name"]);
$extension = $info->getExtension();
// Any other extension (for example .phtml) passes this comparison.
if ($files["name"] != '' && $extension != "php") {
    // The destination directory is taken straight from the request.
    $fullpath = $_REQUEST["path"] . $files["name"];
    if (move_uploaded_file($files['tmp_name'], $fullpath)) {
        echo "<a href='$fullpath'>OK-Click here!</a>";
    }
}
echo '<form method=POST enctype="multipart/form-data" action=""><input type="file" name="files"><input type=submit value="Upload File"></form>';
?>

But we can try other PHP extensions instead.

  • Supported PHP file extensions
    • .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module

  • Working in PHPv8: 
    • .php, .php4, .php5, .phtml, .module, .inc, .hphp, .ctp

Since the Apache2 service here is running PHPv8, rename the file so that it uses the .phtml extension.

Now, we will upload this file and see whether it is uploaded successfully or not.

Let's try to access the file to see if PHP code execution is possible on the server. 

Once we click on "Upload File", open the uploaded link:

Look at that! Our PHP code ran on the server successfully.
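For comparison, here is the same upload handler rewritten around an allowlist, as an added example that is not code from the original post. The names UPLOAD_DIR, ALLOWED and safe_upload_name() are hypothetical, and the example assumes PHP 7 or later with the fileinfo extension enabled.

```php
<?php
// Added example (not from the original page): allowlist-based upload check.
// UPLOAD_DIR, ALLOWED and safe_upload_name() are hypothetical names.
const UPLOAD_DIR = __DIR__ . '/uploads/';   // fixed on the server, never taken from the request
const ALLOWED = [                           // extension => MIME type expected for it
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/**
 * Returns a server-generated file name if the upload passes the allowlist,
 * or null if it must be rejected.
 */
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Compare the final extension case-insensitively against the allowlist,
    // so .phtml, .php5, .PHP and anything else not listed is rejected.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    // Derive the content type from the file's bytes, not from the client header.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // Discard the client's file name entirely; keep only the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$file = $_FILES['files'] ?? null;
if ($file !== null && $file['error'] === UPLOAD_ERR_OK) {
    $name = safe_upload_name($file['name'], $file['tmp_name']);
    if ($name !== null && move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $name)) {
        echo 'Stored as ' . htmlspecialchars($name, ENT_QUOTES);
    } else {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
echo '<form method="POST" enctype="multipart/form-data" action=""><input type="file" name="files"><input type="submit" value="Upload File"></form>';
```

With this check the renamed .phtml file from the walkthrough is rejected at the extension test, and the destination path no longer depends on the "path" request parameter.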
