5

So I found a file uploader on example.com. The file uploader accepts every file extension and the file is uploaded inside the directory

/temp/random-numeric-id.php

I tried to upload a php file and it got uploaded, however when I access that file, the content of the file is read as html comment. For example, I uploaded a file with content <?php print(123); ?> and when I visit example.com/temp/111111111.php I see a blank page because my php code has became the following:

<!--?php print(123); -->

Is this some kind of protection mechanism? How can I bypass this to execute my print functionality with php on that server?

Improve this question
7
  • 2
    Is it a PHP site? Is it set up to even execute PHP code? Commented Nov 28, 2019 at 22:26
  • @schroeder, It's an ajax based website so i think it's allowed to execute php code. Is it possible that they disabled the execution of PHP inside the temp directory? Every request from that website is sent with ajax and with the X-Requested-With: XMLHttpRequest header. It also supports json and html but no php request in sight. Commented Nov 28, 2019 at 22:30
  • 1
    "It's an ajax based website so i think it's allowed to execute php code": AJAX has nothing to do with php. To your comment below, <% is also used by jsp and very probably other templating languages. Commented Nov 29, 2019 at 0:07
  • @msanford, I red that sually AJAX is used with php. Thanks for the info. Commented Nov 29, 2019 at 0:19
  • 1
    The server is Apache based, could it be that they didn't install php on it? Commented Nov 29, 2019 at 0:27

2 Answers 2

Reset to default
5

This is... strange. My guess is that you are right in that this is some sort of protection mechanism, but it doesn't look like a very stable one. A better approach would be to block files with .php or similar extensions, and on top of that turn off PHP execution in that folder.

So can this be exploited, and if so, how? I am not sure, but here are a few things to try:

  • Different PHP tags (<?, <?=, <%, <%=, <script language="php">).
  • Insert whitespace and try different cases, e.g. <?PHp or <? pHp. (Not sure if the PHP engine will recognise this, though.)
  • Leave out the closing tag, try nesting tags inside tags, and so on.
  • Maybe it only does the replacement for PHP files? Then you could use .php5 or .phtml or similar instead.

To figure out a bypass (if there is one), you need to guess how the system works and test your theories. E.g. if you suspect it simply replace all < with <!--, send in a lone < and see what happends! Don't be afraid to experiment. Trial and error is your friend.

Improve this answer
9
  • 1
    Thanks for the advices. So it seems that < is accepted as it accepts html tags but when i use <? it's changed to <!--?, same for <?= - I thought that <% was used for ASP filetype only. How can i use it with php code? <% is accepted thou. also, <script language="php"> is accepted While < pHp is considered as text/html and printed as text I already tried with phtml (text) - php3, php4 and php5 gives the same result, the one i already mentioned. What other could i try? Commented Nov 28, 2019 at 23:16
  • It seems that it reads php and html files as Content-Type: text/html; charset=UTF-8 regardless of their extension... I think i should try with other server-side languages, which should i try to use? Commented Nov 28, 2019 at 23:29
  • < pHp will not be recognized. Commented Nov 29, 2019 at 0:04
  • The server is Apache based, could it be that they didn't install php on it? Commented Nov 29, 2019 at 0:27
  • 1
    @Pong it is entirely possible that PHP is not installed, or the web server is configured to not run PHP files in this directory. I'm either case, this simply won't work. However it is also possible that PHP is installed and will run if you can just bypass this filter. Finding a bypass is the tricky part... Commented Nov 29, 2019 at 1:37
4

Have you tried using a directive based file upload such a self contained htaccess she'll like my htshells project: https://github.com/wireghoul/htshells

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.