Forensics
File Categorization
File Extension
There will be challenges that involve a file upload where the server validates the file's extension with string functions or a regex (e.g. substr(), strpos(), preg_match()).
If the validator only checks that the name contains .pdf, then you can use a double extension such as reverse_shell.pdf.php: the check passes, but the file still ends in .php and is handed to the PHP handler. Use Burp Suite's Intruder in Sniper mode with a wordlist of extensions to find out which ones the server accepts and executes, e.g.
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phtm, .phtml, .phps, .php-s, .pht, .phar.
Media Type
Some servers trust the Content-Type supplied by the client, e.g.:

<?php
$mime = $_SERVER["CONTENT_TYPE"];
if (strcasecmp($mime, "image/png") == 0) {
    echo "photo";
} else {
    echo "not a photo";
}

$ curl 127.0.0.1:80/upload.php
not a photo
$ curl 127.0.0.1:80/upload.php -H "Content-Type: image/png"
photo

You can also change the Content-Type in Burp. The same applies to the per-part Content-Type header inside a multipart/form-data upload, which PHP exposes as $_FILES['file']['type'] (for a field named file): it is set by the client and is no more trustworthy than the request header.
Structure

If the server checks the structure of the file, consider polyglot files (link). Polyglots, in a security context, are files that are simultaneously valid as more than one file type. For example, a GIFAR is both a GIF image and a JAR (Java archive). There are also files that are both GIF and JavaScript, both PPT and JavaScript, etc. The most famous one for upload bypasses is PHAR-JPG (link), a JPEG that is also a valid PHAR archive.
Magic Bytes
Files that start with specific leading bytes (magic bytes) will usually be treated as that type by utilities such as file.
A file's header may have been corrupted. Inspect it with a hex editor or xxd filename.png | head; you can often guess the actual file type from the rest of the contents (e.g. chunk names such as IHDR and IDAT mean PNG) and rewrite the leading bytes to recover it.
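The two checks above in working form, as an added Python example that is not code from the original page and serves both the Media Type section (sniff the bytes instead of trusting Content-Type) and this Magic Bytes section (recover a PNG whose header was wiped). The MAGIC table, the 1x1 sample PNG and all function names are constructed here; the PNG layout facts (8-byte signature, IHDR first, CRC-32 over type and payload) are from the PNG specification.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Leading-byte signatures (constructed table, a few common types only).
MAGIC = {
    PNG_SIG: "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
    b"Rar!\x1a\x07": "application/vnd.rar",
    b"\x7fELF": "application/x-executable",
}


def sniff(data: bytes):
    """Return the MIME type implied by the leading bytes, or None."""
    for sig, mime in MAGIC.items():
        if data.startswith(sig):
            return mime
    return None


def declared_type_is_honest(declared: str, data: bytes) -> bool:
    """Server-side check that does not trust the client's Content-Type:
    the declared type must match what the bytes say."""
    return sniff(data) == declared.lower()


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """length || type || payload || CRC-32(type || payload)"""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


def guess_png_from_content(data: bytes) -> bool:
    """The signature may be gone, but IHDR always sits at offset 12 (after the
    8-byte signature and 4-byte length), and IDAT/IEND names stay visible."""
    return data[12:16] == b"IHDR" or (b"IDAT" in data and b"IEND" in data)


def repair_png_header(data: bytes) -> bytes:
    """Overwrite the first 8 bytes with the real signature."""
    return PNG_SIG + data[8:]


def png_chunks_valid(data: bytes) -> bool:
    """Walk the chunk list and verify every CRC; shows the repair was enough."""
    if not data.startswith(PNG_SIG):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        end = pos + 12 + length
        if end > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return True
        pos = end
    return False


if __name__ == "__main__":
    png = build_png()
    broken = b"\x00" * 8 + png[8:]              # constructed: header zeroed
    print("declared image/png honest for real PNG:", declared_type_is_honest("image/png", png))
    print("sniff(broken):", sniff(broken), " looks like PNG by content:", guess_png_from_content(broken))
    print("repaired and CRCs valid:", png_chunks_valid(repair_png_header(broken)))
```

png_chunks_valid is the check worth keeping after a repair: if the CRCs do not verify after the signature is restored, more than the header was damaged and xxd is needed again.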
Known-plaintext attack (link)
If you have an encrypted file of a known type, XOR the start of the ciphertext with that type's known magic bytes. For a simple XOR cipher this yields the key, or as many bytes of it as you have known plaintext (a repeating key longer than the known prefix is only partially recovered). Then XOR the whole encrypted file with the repeating key to decrypt it and recover the image.
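The attack carried out against a repeating-key XOR, as an added Python example (not from the original page). It uses the fact that every PNG begins with 16 fixed bytes (the 8-byte signature, then the IHDR length field, always 13, and the name IHDR), so any key of 16 bytes or fewer is recovered outright; the key, the sample plaintext and the function names are constructed here.

```python
import itertools

# Every PNG starts with the signature followed by the IHDR chunk, whose
# length field is always 13: 16 bytes of known plaintext.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes):
    """XOR the ciphertext against the known plaintext to get a key fragment,
    then find the smallest period in it. Returns (fragment, period); period is
    None when no repetition is visible, i.e. the key is at least as long as
    the known prefix and only a fragment of it is recovered."""
    n = min(len(ciphertext), len(known_prefix))
    fragment = xor_bytes(ciphertext[:n], known_prefix[:n])
    for period in range(1, n):
        if all(fragment[i] == fragment[i - period] for i in range(period, n)):
            return fragment, period
    return fragment, None


def decrypt_with_known_prefix(ciphertext: bytes, known_prefix: bytes):
    """Full decryption, or None if the known prefix was too short for the key."""
    fragment, period = recover_key(ciphertext, known_prefix)
    if period is None:
        return None
    return xor_bytes(ciphertext, fragment[:period])


if __name__ == "__main__":
    # Constructed sample: PNG-like plaintext, 6-byte key.
    plaintext = PNG_KNOWN_PREFIX + bytes(range(13)) + b"IDAT" + b"pixels" + b"IEND"
    ciphertext = xor_bytes(plaintext, b"s3cr3t")
    fragment, period = recover_key(ciphertext, PNG_KNOWN_PREFIX)
    print("key:", fragment[:period], "period:", period)
    print("decrypted ok:", decrypt_with_known_prefix(ciphertext, PNG_KNOWN_PREFIX) == plaintext)
```

The period search can be fooled by a key that is itself periodic (e.g. "abab" is recovered as "ab", which decrypts identically) and, with very few known bytes, by coincidence; with 16 known bytes a short false period is unlikely, and a decrypted IEND at the end of the file is the sanity check. For other formats substitute their fixed prefix (e.g. the JFIF APP0 header for JPEG); what matters is how many leading bytes are fixed, since that bounds the key length you can recover directly.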
Binwalk
$ binwalk --dd='.*' <file to extract>

--dd takes a regex over signature names and extracts every match, so '.*' carves out everything binwalk recognises; plain -e (--extract) uses binwalk's built-in extraction rules instead.