Bypassed! and uploaded a sweet reverse shell

Hey, today I will show how I found a file upload vulnerability, bypassed the filter, and popped a reverse shell.

Ajay Sharma, published in InfoSec Write-ups, Sep 5, 2021 (2 min read)

It was a private program at the time, so let's call it target.com. It had a profile picture upload that only accepts jpg, png and jpeg images.

To start, I tried uploading the php-reverse-shell file, which you can get from pentestmonkey.

Tricks I tried to upload the reverse shell that failed miserably:

  • Just uploading the .php file instead of a jpg.
  • Double extensions to smuggle the php file past the filter: pic.jpg.php or pic.php.jpg.
  • Changing the Content-Type of the file part, i.e. Content-Type: txt/php to image/jpg.
  • Case variations such as pic.PhP, and alternative extensions such as pic.php5 and pHP5.
  • Special characters to cut the name short: pic.php%00, pic.php%0a.

None of the above worked, which is no surprise: these are the basic remediations companies keep in place.

Now let's try something new. Have you heard of magic numbers?

Basically every file format has its own magic number, a fixed sequence of bytes at the very start of the file. I took the php-reverse-shell.php file and, using a hex editor, added the JPEG magic number, FF D8 FF E0 (the SOI marker followed by the JFIF APP0 marker), at the start of the PHP file.

I just uploaded the file and it worked!

Then, just by clicking on view profile, I got access to the reverse shell.

The reason this worked:

“ the image filters are looking at the ‘Magic Number’ at the beginning of a file to determine if it is a valid image and that is where we just bypassed. ”

Reported, Rewarded — $*****

Hope you liked this short and sweet story of a file upload vulnerability I found.

If you have questions about the post or anything you want to ask me, contact me via Twitter (security_donut). My DMs are always open.

See you soon with next article!
