Note(Datetime, Name) : 2025-04-22 , Web shell upload via obfuscated file extention

Metodelogy

1. Investigate the system to retrieve a list of features
2. Discribe the feature and explain how it works
3. List possible vulnerabilities and group by feature
4. Proof of concept for possible vulnerabilities
5. What is the impact of the vulnerabilities after the proof of concept ?

==========================================================================================================

feature:

1. file upload avatar -> /my-account

steps taken:

1. upload .php file -> rejected -> only support png and jpg
2. file input don't have filter file 
3. .pHp -> 403
4. .php.jpg -> 200
5. .php%00.jpg -> 200 -> file save as .php

vulnerabilities :

file upload vulnerabilities with .ph%00.jpg

Proof of concept:

1. capture request upload image by proxy
2. change filename parameter request with <filename>.php%00.jpg
3. file is save as <filename>.php
4. try request to  <host>/files/avatars/<filename>.php 
5. done php code is running

impact

- **Remote Code Execution (RCE)**: An attacker can upload and execute arbitrary PHP code on the server.
- This leads to full server compromise depending on the code's capabilities and server permissions.

takeaways

- Null bypte injection ('%00') can bypass poorly impleneted extention blacklist.
- Always validate and sanitize file uploads on the server side
- Relying solely on file extention filtering is **not sufficient** for secure file upload handling