added 19 characters in body
Andrew Morozko

shell.php.jpg should be treated as a .jpg file

You're exploring DVWA, so not every "should be" means "is". If I had to guess, the upload script properly checks the extension of the file and allows it, but the web server doesn't check it the same way and allows execution.

You can learn more by exploring the web server's (nginx or Apache) config files; look for a block that hands the request over to the PHP parser for processing.

Clarification:

But why can I execute this file and not a shell.jpg file if the file extension stayed the same and the .php part is just part of the file name?

The extension is just letters in a file name; it does not determine how the file is handled by the web server, the web server determines that. One of the common algorithms is:

If the requested file name ends with “php”
    Invoke php to handle the request
Else
    Serve the requested file like any other static file
End

I'm guessing that in your case "requested file name ends with php" is changed to "requested file name contains .php". You can find this rule in the configuration file of the web server that's processing your requests and find out for yourself.

Update:

This is the expected and documented behaviour of Apache. I'm a little bit surprised, but this is the world we live in. Goddamnit.

In the configuration file /etc/apache2/mods-enabled/php.conf, the line AddHandler php5-cgi .php registers a handler for .php files. Everything is OK, unless you read what AddHandler does:

The extension argument is case-insensitive and can be specified with or without a leading dot. Filenames may have multiple extensions and the extension argument will be compared against each of them.

Sooo... Yeah. Of course filenames may have multiple extensions. This is the only logical default.

If you're a weirdo expecting that the file would have only one extension, Apache has the answer for you:

If you would prefer only the last dot-separated part of the filename to be mapped to a particular piece of meta-data, then do not use the Add directives.

They helpfully suggest the solution to your weird wish of one-extension-ness: just use a regex. So in order to execute only .php files as PHP you need to replace the AddHandler directive in php.conf with

<FilesMatch "[^.]+\.php$">
  SetHandler php5-cgi
</FilesMatch>

In conclusion:

  • common sense doesn't exist in software
  • never trust any data provided by the user
  • store original filenames in the database if needed and rename them after upload
  • treat filenames like a live bomb
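
The following is an added example and is not part of the answer above, nor code from DVWA or Apache. It models, in Python, the two handler-selection rules the answer contrasts (the documented AddHandler behaviour of comparing against every dot-separated extension, versus the FilesMatch regex that only looks at the trailing .php) and then applies the answer's upload-side advice of discarding the user-supplied name. The function names (handler_addhandler, handler_filesmatch, safe_stored_name, report), the allowlist and the sample file names are all constructed for the example; real Apache applies further mod_mime rules that this model does not reproduce.

```python
import os
import re
import secrets
from typing import List, Optional, Tuple

# --- Model of the two Apache configurations discussed in the answer ---------
# `AddHandler php5-cgi .php` registers one extension -> handler mapping.
ADD_HANDLERS = {"php": "php5-cgi"}

# `<FilesMatch "[^.]+\.php$"> SetHandler php5-cgi </FilesMatch>` is a regex
# over the file name; the trailing `$` is what restricts it to the last
# extension. As written on the page it is case-sensitive (unlike AddHandler).
FILES_MATCH_RULES = [(re.compile(r"[^.]+\.php$"), "php5-cgi")]


def extensions(filename: str) -> List[str]:
    """Apache's view of a name: everything after the first dot of the
    basename is a list of extensions, e.g. 'shell.php.jpg' -> ['php', 'jpg']."""
    return os.path.basename(filename).split(".")[1:]


def handler_addhandler(filename: str) -> Optional[str]:
    """AddHandler semantics as documented: the extension argument is compared
    case-insensitively against *each* extension, so a match anywhere in the
    list wins. This is why shell.php.jpg is handed to PHP."""
    for ext in extensions(filename):
        if ext.lower() in ADD_HANDLERS:
            return ADD_HANDLERS[ext.lower()]
    return None


def handler_filesmatch(filename: str) -> Optional[str]:
    """FilesMatch semantics: the regex is searched in the basename, and the
    `$` anchor means only a name whose last extension is .php matches."""
    base = os.path.basename(filename)
    for pattern, handler in FILES_MATCH_RULES:
        if pattern.search(base):
            return handler
    return None


# --- Upload-side fix from the answer's conclusion ----------------------------
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}  # constructed allowlist


def safe_stored_name(original_name: str) -> Tuple[str, str]:
    """Discard the user-supplied name: check only the final extension against
    an allowlist, then store the file under a random name carrying that single
    extension. Returns (stored_name, original_basename); the original can go
    in the database for display, but never on disk."""
    base = os.path.basename(original_name)
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return f"{secrets.token_hex(16)}.{ext}", base


def report(filename: str) -> dict:
    """Summarise how one uploaded name fares under each configuration."""
    return {
        "name": filename,
        "addhandler": handler_addhandler(filename),
        "filesmatch": handler_filesmatch(filename),
    }


if __name__ == "__main__":
    # Constructed sample uploads: the one from the question plus variants.
    for name in ("shell.jpg", "shell.php.jpg", "shell.PHP.jpg", "shell.jpg.php"):
        print(report(name))
    stored, original = safe_stored_name("shell.php.jpg")
    print(f"{original} stored as {stored} -> handler:", handler_addhandler(stored))
```

Running it shows shell.php.jpg (and shell.PHP.jpg) picking up php5-cgi under the AddHandler model but not under the FilesMatch model, while the renamed upload has no php segment at all, so it is safe even if the server configuration is never touched. The renaming is the part a developer controls; the FilesMatch change belongs to whoever owns the Apache configuration, and both are worth doing.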