Day 43 comes with a resource for Self XSS to CSRF and Unrestricted File Uploads Capabilities!
From Self XSS to CSRF
Unrestricted File Uploads Capabilities
From Sam (CoffeeJunkie). One of my favorite vulnerabilities is Unrestricted File Upload due to all the countless capabilities that are possible to get from this vulnerability as long is doable. For this explanation, I’ll keep it simple and on the go.
Couple Unrestricted File Upload Bypasses Part 1
Always bruteforce extensions that are allowed: Usually in some websites it says that certain files are allowed, but by using intruder from BurpSuite and a extensions wordlist gathered from Seclists, you might find more extensions available to upload.
Use nullbytes to truncate the file uploads: Some websites allow
jpg, png, gif, and pdffiles at the time to upload the file, but it’s possible to upload a
php, html or other extensionfile by truncating the uploading function by using null bytes
(%00). Therefore, it’s possible to upload the file as
shell.php%00.png, and might be uploaded in the server as
Add small php bytes in pictures: Is the server analyzing and validating the files? if not, you might want to use small php bytes in
jpgpictures. In that case I strongly recommend the following tool called php-jpeg-injector, and the following file upload bypass writeup.
RCE might not be possible but SSRF could be: Sometimes RCE cannot be achieved, neither stored XSS, but how about SSRF from uploading files? Well, if there is the parameter
type="file"change it to
type="url"and submit a URL.
There are COUNTLESS ways to bypass and extend this attack which I’d love to talk in the following days, but by know, the 4 bypasses and capabilities from above are just for today :)