Day 43/100 Hack and Improvement

1 minute read

Day 43 comes with a resource for Self XSS to CSRF and Unrestricted File Uploads Capabilities!

From Self XSS to CSRF

From Rajesh Ranjan. Here is the link of the article.

Unrestricted File Uploads Capabilities

From Sam (CoffeeJunkie). One of my favorite vulnerabilities is Unrestricted File Upload due to all the countless capabilities that are possible to get from this vulnerability as long is doable. For this explanation, I’ll keep it simple and on the go.

Couple Unrestricted File Upload Bypasses Part 1

  1. Always bruteforce extensions that are allowed: Usually in some websites it says that certain files are allowed, but by using intruder from BurpSuite and a extensions wordlist gathered from Seclists, you might find more extensions available to upload.

  2. Use nullbytes to truncate the file uploads: Some websites allow jpg, png, gif, and pdf files at the time to upload the file, but it’s possible to upload a php, html or other extension file by truncating the uploading function by using null bytes (%00). Therefore, it’s possible to upload the file as shell.php%00.png, and might be uploaded in the server as shell.php.

  3. Add small php bytes in pictures: Is the server analyzing and validating the files? if not, you might want to use small php bytes in jpg pictures. In that case I strongly recommend the following tool called php-jpeg-injector, and the following file upload bypass writeup.

  4. RCE might not be possible but SSRF could be: Sometimes RCE cannot be achieved, neither stored XSS, but how about SSRF from uploading files? Well, if there is the parameter type="file" change it to type="url" and submit a URL.

There are COUNTLESS ways to bypass and extend this attack which I’d love to talk in the following days, but by know, the 4 bypasses and capabilities from above are just for today :)

Leave a comment