Exploiting File Upload using Null byte

Gupta Bless
Aug 1, 2020

In my previous blog on file upload, I discussed some basic techniques for bypassing whitelisting of file extensions. In this blog I explain other techniques, such as MIME type and NULL byte injection.

MIME type:

Aim: Our aim is to upload PHP code and retrieve the password in the file “.passwd”.

There are three tabs in the web application:

· defaced

· upload

· pirate

From the upload tab, I can upload an image.

Now, to check which validation the application is using, I will try to upload a file that is not an image file.

· First I try to upload a PHP shell, i.e. “fupload.php”, and check the corresponding request in Burp.

In the above screenshot, please check the portion highlighted in yellow, which indicates that the application is checking the content type of the uploaded image. Without changing the content type of the uploaded file, I forwarded the request. After forwarding the request, I got “wrong file type” on the user interface.

Again I try to upload the same file, but this time I change the Content-Type to “image/png” and then check whether the file upload is possible. “fupload.php” contains a PHP shell, which helps us retrieve the password. The code inside “fupload.php” is shown below:

After intercepting the request and updating its content type, the request will look like:

After forwarding the request, I checked the UI, where it showed me a “File uploaded” message.

Now, using the LFI technique on the URL “/fUpload.php” where the file is uploaded, we got the password (described in my previous blog on LFI bypassing techniques).

So the updated URL:

By using the LFI technique on the stored URL, I got the credentials by uploading a PHP shell.
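
The upload was accepted because the application trusts the Content-Type header of the uploaded part, which the client writes. The following added example (not code from the original post or from the target application) parses a constructed multipart request and contrasts a model of that check with one that ignores the declared type; the function names, the boundary and the placeholder body are assumptions made for illustration.

```python
import os
import secrets
from email.parser import BytesParser
from email.policy import HTTP

BOUNDARY = "----constructedBoundary"
# Constructed request body: the part declares image/png but carries PHP source.
REQUEST_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="file"; filename="fupload.php"\r\n'
    "Content-Type: image/png\r\n\r\n"
    "<?php /* placeholder body */ ?>\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

# Allowlisted extension -> leading bytes that a file of that type must have.
SIGNATURES = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
              ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def parse_upload(body, boundary):
    """Return (filename, declared_type, content) for the first form part."""
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'
    msg = BytesParser(policy=HTTP).parsebytes(head.encode() + body)
    part = next(msg.iter_parts())
    return part.get_filename(), part.get_content_type(), part.get_payload(decode=True)

def weak_check(declared_type):
    """Models the check the post describes: trusts a header the client wrote."""
    return declared_type in {"image/png", "image/jpeg", "image/gif"}

def hardened_check(filename, content):
    """Ignore the declared type; return a server-chosen name or None."""
    if "\x00" in filename:  # reject names carrying a NULL byte
        return None
    ext = os.path.splitext(filename)[1].lower()
    magic = SIGNATURES.get(ext)
    if magic is None or not content.startswith(magic):
        return None
    # Never reuse the client's name: store under a random name with the
    # allowlisted extension, in a directory the server does not execute.
    return secrets.token_hex(16) + ext

if __name__ == "__main__":
    name, declared, content = parse_upload(REQUEST_BODY, BOUNDARY)
    print("declared type:", declared, "| filename:", name)
    print("weak check accepts:    ", weak_check(declared))
    print("hardened check accepts:", hardened_check(name, content) is not None)
```

A signature match alone does not prove a file is harmless, so the random server-side name with an allowlisted extension and a non-executing upload directory carry the protection.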
