Unrestricted File Upload

Last updated 3 years ago

Was this helpful?

Unrestricted File Upload is a security vulnerability where an attacker can upload arbitrary files with attacker-controlled content, potentially to arbitrary locations.

Unrestricted file upload may be used to get:

  • Remote Code Execution

    • Especially in PHP and similar languages, since the server will commonly execute an uploaded file as code when it is requested by its URL.

    • When the web application runs as root and a path traversal lets you choose the directory the file is written to. In that case, upload a file in the correct cron format to /etc/cron.d and it will get executed.

  • Cross-Site Scripting, if you can add or overwrite a file that contains HTML

  • XML External Entities: If the website uses an insecure XML parser, then you might be able to exploit an XXE vulnerability by getting the insecure parser to parse a malicious XML file. In that case, the file upload vulnerability can be used to smuggle a malicious XML file onto the web server for exploitation.

Bypass Mitigations

Bypass MIME Type Check

If the MIME type is checked by the target application, then use Burp Suite to change the MIME type to the correct value.

Bypass Image Validity Check

If the image is checked for validity using an image library, then you can still produce a valid image that has malicious data embedded in it. This is useful in PHP applications, for example: if you can upload the result as a .php file with PHP code embedded in it, then that might lead to RCE.

This can be done using jhead.

First, clear the headers of an existing myfile.jpg file:

jhead -purejpg myfile.jpg

Add an EXIF comment and write PHP code there:

jhead -ce myfile.jpg

Example code:

<?php echo "hi"; __halt_compiler();?>

Note: The __halt_compiler() call stops the PHP parser at that point, so the binary image bytes that follow the comment are never interpreted as PHP code.

https://phocean.net/2013/09/29/file-upload-vulnerabilities-appending-php-code-to-an-image.html
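Added example (not from the cheat sheet): a Python check a defender can run on uploaded JPEGs. It ignores the client-supplied Content-Type, verifies the JPEG magic bytes and extension allowlist, walks the marker segments, and flags COM/APPn metadata that carries PHP tags (the segment jhead -ce writes). The sample bytes built by build_sample are constructed here for testing and are not a renderable image.

```python
import struct

# Markers with no length field: SOI, EOI, TEM, RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
# Tokens that indicate server-side code smuggled into image metadata.
SUSPICIOUS = (b"<?php", b"<?=", b"__halt_compiler")

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between markers
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, b""
            pos += 2
            if marker == 0xD9:      # EOI
                return
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment payload")
        yield marker, payload
        pos += 2 + length
        if marker == 0xDA:          # SOS: entropy-coded data follows
            return

def find_embedded_code(data: bytes):
    """Return (marker, token) for COM (0xFE) or APPn (0xE0-0xEF) segments with code."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE or 0xE0 <= marker <= 0xEF:
            for token in SUSPICIOUS:
                if token in payload:
                    hits.append((marker, token.decode()))
                    break
    return hits

def accept_upload(filename: bytes, data: bytes) -> bool:
    """Hardened check: extension allowlist, magic bytes, no code in metadata."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False
    if data[:3] != b"\xff\xd8\xff":   # SOI followed by a marker, never the header
        return False
    return not find_embedded_code(data)

def build_sample(comment: bytes) -> bytes:
    """Constructed skeleton: SOI, one COM segment, EOI (test input only)."""
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + com + b"\xff\xd9"
```

Scanning metadata only catches the trick shown above; the durable mitigation is to re-encode uploaded images, store them under a server-chosen name outside the web root, and never let the web server execute anything from the upload directory.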