Forensics
File Categorization
File Extension
There will be challenges that involve a file upload where the server checks the file extension with string functions or a regular expression (e.g. PHP's substr(), strpos() or preg_match()).
If the validator only checks that the name contains .pdf, you can use a double extension such as reverse_shell.pdf.php: the check sees .pdf, but the server executes the file based on its final .php extension. You can use Burp Suite's Intruder in Sniper mode with a wordlist of extensions to find out which ones the server still accepts and executes, e.g.:
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phtm, .phtml, .phps, .php-s, .pht, .phar
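The following is an added example (not code from the original page) that contrasts the two weak checks described above, a strpos()-style "contains .pdf" test and an unanchored regex, with a strict allowlist check on the final extension, and generates the double-extension names you would feed to Intruder. The extension list is the one from this section; the stem "reverse_shell" and the decoy ".pdf" are just sample values.

```python
import os
import re

# Candidate server-side extensions from the section above, in the order an
# Intruder Sniper payload set would try them.
PHP_EXTENSIONS = [
    ".php", ".php2", ".php3", ".php4", ".php5", ".php6", ".php7",
    ".phtm", ".phtml", ".phps", ".php-s", ".pht", ".phar",
]

# Extensions the upload handler is supposed to accept (assumed allowlist).
ALLOWED = {".pdf"}


def weak_check_contains(filename: str) -> bool:
    """Vulnerable: mirrors a strpos()-style test that only asks whether the
    allowed extension appears *somewhere* in the name."""
    return ".pdf" in filename.lower()


def weak_check_regex(filename: str) -> bool:
    """Vulnerable: a preg_match()-style pattern with no end-of-string anchor,
    so 'x.pdf.php' still matches."""
    return re.search(r"\.pdf", filename, re.IGNORECASE) is not None


def strict_check(filename: str) -> bool:
    """Hardened: reject path separators and NUL bytes, then compare only the
    final extension (lower-cased) against the allowlist."""
    base = os.path.basename(filename)
    if base != filename or "\x00" in filename:
        return False
    ext = os.path.splitext(base)[1].lower()
    return ext in ALLOWED


def candidates(stem: str, decoy: str = ".pdf") -> list:
    """Double-extension payload names for Intruder: the decoy extension first,
    then each candidate server-side extension last (the one that executes)."""
    return [f"{stem}{decoy}{ext}" for ext in PHP_EXTENSIONS]


def bypass_report(names) -> dict:
    """For each name: (passes contains-check, passes regex-check, passes strict)."""
    return {n: (weak_check_contains(n), weak_check_regex(n), strict_check(n))
            for n in names}


if __name__ == "__main__":
    for name, verdict in bypass_report(candidates("reverse_shell")).items():
        print(name, verdict)
```

Every name in the generated list passes both weak checks and fails the strict one, which is exactly the gap a double-extension bypass exploits; a validator that compares the final extension against an allowlist closes it.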
Media Type
Some servers trust the Content-Type the client declares for the uploaded file part instead of inspecting the file's contents. You can edit the Content-Type of the file part in Burp to a value the server accepts while leaving the payload in the body unchanged.
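As an added example (not code from the original page), the following builds the multipart/form-data body an attacker would send after changing the part's Content-Type to image/png in Burp, parses it the way a server would, and compares a validator that trusts the declared type with one that ignores it and checks extension plus leading bytes. The boundary string, field name, allowed types and the PHP body are constructed sample values; the parser is deliberately minimal and not RFC-complete.

```python
from typing import Dict, List, Tuple

# Assumed server-side allowlists for the demonstration.
ALLOWED_TYPES = {"image/png", "image/jpeg"}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def build_multipart(field: str, filename: str, content_type: str, data: bytes,
                    boundary: str = "----hypotheticalBoundary") -> Tuple[bytes, str]:
    """Build a single-part multipart/form-data body with an attacker-chosen
    part Content-Type. Returns (body, value of the request's Content-Type header)."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"


def parse_multipart(body: bytes, boundary: str) -> List[Dict]:
    """Minimal multipart parser (constructed for this example): returns one dict
    per part with 'filename', 'content_type' and 'data'."""
    parts = []
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        head, _, data = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode().partition(":")
            headers[name.strip().lower()] = value.strip()
        filename = ""
        for param in headers.get("content-disposition", "").split(";"):
            key, _, value = param.strip().partition("=")
            if key == "filename":
                filename = value.strip('"')
        parts.append({
            "filename": filename,
            "content_type": headers.get("content-type", "").lower(),
            # The CRLF preceding the next delimiter belongs to the delimiter.
            "data": data[:-2] if data.endswith(b"\r\n") else data,
        })
    return parts


def weak_accepts(part: Dict) -> bool:
    """Vulnerable: trusts the client-declared Content-Type of the part."""
    return part["content_type"] in ALLOWED_TYPES


def strict_accepts(part: Dict) -> bool:
    """Hardened: ignore the declared type; require an allowed final extension
    AND leading bytes that match that extension."""
    name = part["filename"].lower()
    data = part["data"]
    if name.endswith(".png"):
        return data.startswith(PNG_MAGIC)
    if name.endswith((".jpg", ".jpeg")):
        return data.startswith(JPEG_MAGIC)
    return False


def demo() -> Tuple[bool, bool, Dict]:
    """Spoofed upload: PHP body, .php filename, Content-Type claims image/png."""
    payload = b"<?php system($_GET['cmd']); ?>"  # constructed sample body
    body, ctype = build_multipart("file", "shell.php", "image/png", payload)
    boundary = ctype.split("boundary=", 1)[1]
    part = parse_multipart(body, boundary)[0]
    return weak_accepts(part), strict_accepts(part), part


if __name__ == "__main__":
    weak, strict, part = demo()
    print(f"{part['filename']} declared {part['content_type']}: "
          f"weak={weak} strict={strict}")
```

The declared type is attacker-controlled input like any other header; a validator that keys on it is bypassed by editing one line in Burp, while one that checks the stored extension and the file's own bytes is not.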
Structure
Magic Bytes
A file that starts with a specific sequence of leading bytes (its magic bytes) will usually be treated as that type by utilities such as file, regardless of its extension.
A file might be corrupted. Inspect it in a hex editor, or with xxd filename.png | head, and you may be able to guess the actual file type from its contents (e.g. IDAT chunk names mean PNG) and rewrite the leading bytes to recover it.
If you have an encrypted file of a known type, XOR the start of the ciphertext with the magic bytes that type must begin with: if the file was encrypted with a repeating-key XOR, the result is the keystream, i.e. the key (or as much of it as the magic bytes cover). Then XOR the whole encrypted file with the recovered key to decrypt it and recover the image.
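Added example (not code from the original page) for the two procedures above: identify a file by its leading bytes, repair a PNG whose 8-byte signature was overwritten by recognising the IHDR/IDAT chunk names deeper in the file, and recover a repeating-key XOR key by XORing the ciphertext's first bytes with the PNG signature. The signature table is a small selection of well-known magic values; the "PNG" sample is constructed bytes with the right chunk names, not a valid image, and the key k3y! is a sample value.

```python
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Small table of well-known signatures (leading bytes -> type).
MAGIC = {
    PNG_SIG: "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, as `file` would."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def guess_from_contents(data: bytes) -> str:
    """Fallback when the header is damaged: look for structure that survives
    deeper in the file (PNG chunk names, JPEG APP0/APP1 markers)."""
    if b"IHDR" in data[:64] or b"IDAT" in data:
        return "png"
    if b"JFIF" in data[:32] or b"Exif" in data[:32]:
        return "jpeg"
    return "unknown"


def repair_header(data: bytes) -> bytes:
    """Rewrite the leading bytes when the contents say PNG but the signature
    is wrong. Other types are returned unchanged (only PNG handled here)."""
    if identify(data) == "unknown" and guess_from_contents(data) == "png":
        return PNG_SIG + data[len(PNG_SIG):]
    return data


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (encrypt and decrypt are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, known_prefix: bytes) -> Optional[bytes]:
    """Known-plaintext attack: ciphertext[:n] XOR known_prefix is the first n
    keystream bytes. For a repeating key no longer than the prefix, the
    shortest period of that keystream is the key. Returns None if the
    keystream does not repeat within the prefix (key longer than the prefix,
    or not a repeating-key XOR at all)."""
    stream = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    for n in range(1, len(stream)):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return None


def demo():
    """Constructed sample: PNG signature, an IHDR chunk and an IDAT chunk name."""
    sample = (PNG_SIG + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
              + b"\x00\x00\x00\x10IDAT" + bytes(range(16)))
    corrupted = b"\x00" * 8 + sample[8:]          # signature zeroed out
    repaired = repair_header(corrupted)
    key = b"k3y!"                                 # sample key
    ciphertext = xor_bytes(sample, key)
    found = recover_xor_key(ciphertext, PNG_SIG)
    decrypted = xor_bytes(ciphertext, found) if found else b""
    return identify(corrupted), identify(repaired), found, decrypted == sample


if __name__ == "__main__":
    print(demo())
```

The key recovery only sees as many keystream bytes as the signature is long (8 for PNG), so a key longer than that, or one whose shortest repeating period is shorter than the real key, needs a longer known prefix (e.g. the fixed IHDR chunk header that follows the signature) to pin down.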
Binwalk