Exploiting File Upload using Null byte

Gupta Bless
Aug 1, 2020

In my previous blog on file upload, I discussed some basic techniques to bypass whitelisting of file extensions. In this blog I explain other techniques, such as MIME type and NULL byte injection.

MIME type:

Aim: Our aim is to upload PHP code and retrieve the password in the file “.passwd”.

There are three tabs in the web application:

· defaced

· upload

· pirate

From the upload tab, I can upload an image.

Now, to check what validation the application is using, I will try to upload a file which is not an image file.

· First I try to upload a PHP shell, i.e. “fupload.php”, and check the corresponding request in Burp.

In the above screenshot, please check the portion highlighted in yellow, which indicates that the application is checking the content type of the uploaded image. Without changing the content type of the uploaded file, I forwarded the request. After forwarding the request, I got “wrong file type” on the user interface.

Again I try to upload the same file, but this time I change the Content-Type to “image/png” and then check whether the file upload is possible or not. “fupload.php” contains a PHP shell, which helps us retrieve the password. The code…
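
A defensive illustration of the check described above, as an added example that is not the author's or the application's code: a validator that trusts the request's Content-Type next to one that inspects the file content. The function names, the `bytes` key and the sample uploads are assumptions, and it requires PHP's fileinfo extension.

```php
<?php
// Added example (not the author's code). Helper names and the 'bytes' key are
// hypothetical; a real handler would sniff $_FILES['file']['tmp_name'] instead.

// Sniffed MIME type => extensions accepted for it (first one is used for storage).
const ALLOWED = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
];

// Weak: trusts the Content-Type of the multipart part, which PHP exposes as
// $_FILES[...]['type']. The client sets this value, so it proves nothing.
function weak_check(array $upload): bool
{
    return (ALLOWED[$upload['type']] ?? null) !== null;
}

// Hardened: ignores the declared type, rejects NUL bytes in the name, sniffs
// the content, requires the extension to match, and picks the stored name itself.
function hardened_check(array $upload): ?string
{
    if (strpos($upload['name'], "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->buffer($upload['bytes']);
    $exts = ALLOWED[(string) $sniffed] ?? null;
    if ($exts === null || !in_array($ext, $exts, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $exts[0];
}

// Constructed sample uploads: PHP source labelled image/png, and a PNG header.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('N2', 1, 1) . "\x08\x06\x00\x00\x00";
$cases = [
    ['name' => 'fupload.php', 'type' => 'image/png', 'bytes' => '<?php echo 1; ?>'],
    ['name' => 'photo.png',   'type' => 'image/png', 'bytes' => $png],
];
foreach ($cases as $c) {
    printf("%-12s weak=%s hardened=%s\n", $c['name'],
        var_export(weak_check($c), true), var_export(hardened_check($c), true));
}
```

Content sniffing alone can still be satisfied by a file that starts with valid image bytes, so the hardened version also ties the extension to the sniffed type and stores the file under a name the server generates.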
