If you want to become a defacer and website hacker, you will run into file extension checking when you upload PHP web shells to a website. The website won't accept your web shell, because a .php file can contain malicious code that can delete or edit directories on the web server. So here is a post about how to bypass file extension checking.

Note: This method is old, and I think it works only on low-security websites.

First, I would like to say there are probably a couple of ways you can bypass the extension check. You
will find some PHP applications that don't do sufficient checking of the filename/path and
allow you (the attacker) to upload a file with an extension of your choice anyway.

Regardless of whether or not you are allowed to upload a file of your choice (webshell.php, for example), we
can actually very easily upload PHP code to the server.

How can we do this, you ask? Remember that PHP reads files and interprets any code within, regardless of
extension. We can simply put the PHP code inside a file with the extension of an image file. If the actual
content of the file isn't checked, this will of course work.

cat imagefile.jpg

Above are the contents of an image file I opened with cat. As many of you know, if you
open a file that does not contain text with a text editor, you will usually see non-human-readable characters.

Coming to the main topic: you could use an editor such as Notepad (Windows) or pico (Linux) to delete all the information inside
and simply save only your PHP code. The above code is of course just an example; usually you would be after
obtaining a PHP shell on the server.

We can then simply upload this file to a vulnerable file upload script, one which does not check the MIME
type of the file, only the file extension.
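
From the defending side, the gap described above closes when the upload handler inspects the file's content instead of its name. The PHP below is an added example, not code from the original post; safe_store_image(), its parameters and the sample file names are assumptions, and it needs the fileinfo and GD extensions.

```php
<?php
// Added example: validate an upload by content, not by name.
// safe_store_image() and its parameters are hypothetical names.
function safe_store_image(string $tmpPath, string $destDir): string
{
    // Server-side content sniffing; the client-sent Content-Type and
    // filename are attacker-controlled and are never consulted here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = (string) $finfo->file($tmpPath);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("rejected: content is $mime");
    }
    // Decode with GD; a file that is not a real image fails here.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('rejected: not a decodable image');
    }
    // Re-encode the pixels into a new file with a server-chosen name,
    // so neither the original bytes nor the original name are kept.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16))
          . '.' . $allowed[$mime];
    $ok = $mime === 'image/png'
        ? imagepng($img, $dest)
        : imagejpeg($img, $dest, 90);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Constructed sample inputs: a text file named like an image, as the
// post describes, and a genuine 8x8 JPEG produced with GD.
$dir  = sys_get_temp_dir();
$fake = "$dir/imagefile.jpg";
file_put_contents($fake, "<?php echo 'constructed sample'; ?>");
$real = "$dir/real.jpg";
imagejpeg(imagecreatetruecolor(8, 8), $real);

foreach ([$fake, $real] as $path) {
    try {
        $stored = safe_store_image($path, $dir);
        echo basename($path), ' -> stored as ', basename($stored), "\n";
    } catch (RuntimeException $e) {
        echo basename($path), ' -> ', $e->getMessage(), "\n";
    }
}
```

In a request handler, pass `$_FILES[...]['tmp_name']` only after `is_uploaded_file()` succeeds, and keep the destination directory outside the web root or configured so the server never hands its files to the PHP interpreter.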