Upload_Bypass_v3.0.3-dev
What's Changed
Updates of version 3.0.3:
- Added 2 new modules:
  - Stripping Extension: Servers might strip forbidden extensions, for example .php will be stripped from the filename. Therefore, the program will try to upload filename.p.phphp, which results in filename.php.
  - Discrepancy: URL encoding (or double URL encoding) for dots. If the value isn't decoded when validating the file extension, but is later decoded server-side, this can allow uploading malicious files that would otherwise be blocked. Ex: exploit%2Ephp (Front-end) = exploit.php (Back-end)
- Code is fixed and optimized.
- Fixed rate limiting issue.
- Fixed a bug in the code and fixed the trailing dot in the file extensions.
Full Changelog: v3.0.2#dev...v3.0.3#dev
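
The two server-side behaviours that the new modules test for, as an added example that is not part of Upload_Bypass or its release notes: a strip-once filter and an undecoded extension check, beside a validator that decodes to a fixed point and rejects instead of stripping. The allowlist, the name pattern and every function name are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote

# Assumed for illustration: the allowlist and name pattern are not from the page.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def naive_strip(filename, forbidden=(".php",)):
    """Weak: one removal pass, so the leftovers can rejoin into the extension."""
    for ext in forbidden:
        filename = filename.replace(ext, "")
    return filename


def naive_extension_check(filename, forbidden=(".php",)):
    """Weak: inspects the raw value, which a later layer decodes."""
    return not filename.lower().endswith(forbidden)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (covers double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def validate_upload_name(raw):
    """Hardened: canonicalize first, then allowlist; reject, never strip."""
    name = fully_decode(raw)
    if not SAFE_NAME.fullmatch(name):  # exactly one dot, no path separators
        raise ValueError(f"rejected name: {name!r}")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected extension: {name!r}")
    return name  # store under this validated value, not under `raw`


def is_accepted(raw):
    """Boolean wrapper around validate_upload_name for logging or tests."""
    try:
        validate_upload_name(raw)
        return True
    except ValueError:
        return False
```

With the filenames from the notes above, `naive_strip("filename.p.phphp")` returns `filename.php` and `naive_extension_check("exploit%2Ephp")` returns `True`, while `validate_upload_name` raises `ValueError` for both.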