File Upload

Front end bypass

Use the browser's dev tools to see whether the check is done on the front end instead of the backend. Watch the Network tab: if no new request is sent to the server when you try to upload a file, the check is on the front end.

First capture a legitimate request, then send it to Repeater to play with it.

You can manipulate the request in Burp and see if the file gets uploaded.

We can even try to upload a PHP shell.

Magic Bytes

Magic bytes identify the file type. Here the server is checking the file type.

Null bytes attack

Add FF D8 FF DB to the file in a hex editor; adding GIF89a or GIF87a may also work.

hexeditor (installed in Kali)

We can do that in Burp. We need some content at the start as well as at the end.

We can also try alternate PHP extensions.
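Why a magic-byte check alone fails, and what a stricter server-side check looks like, as an added example that is not part of the original notes. The function names `weak_check` and `validate_upload`, the allowlist and the sample bytes are assumptions made for illustration.

```python
import os
import secrets

# Assumed allowlist: extension -> accepted magic-byte prefixes
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}


def weak_check(data: bytes) -> bool:
    """The check described above: magic bytes only, extension ignored."""
    return any(data.startswith(m) for magics in ALLOWED.values() for m in magics)


def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe server-side storage name, or raise ValueError.

    Hypothetical helper: the client filename is read only for its final
    extension and is never used as the stored name.
    """
    if "\x00" in filename:
        raise ValueError("null byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:  # rejects .php, .phtml, .php5, .phar, ...
        raise ValueError(f"extension {ext!r} not allowed")
    if not any(data.startswith(m) for m in ALLOWED[ext]):
        raise ValueError("content does not match extension")
    # Random name + allowlisted extension: nothing client-controlled survives
    return secrets.token_hex(16) + ext


# Constructed sample: GIF header followed by script text
polyglot = b"GIF89a" + b"<?php echo 1; ?>"
```

Matching magic bytes does not prove the content is a real image, so the upload directory should also be served with script execution disabled.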

Check a directory's permissions

If you have a web page, you can send an OPTIONS request to check which request methods a directory supports.

This directory also supports WebDAV, which can be used to upload files.

Checking permissions with curl

curl -X OPTIONS demo.ine.local/uploads/ -v

Curl uploading file

We can use curl to upload the file:

curl http://192.191.151.3/uploads/ --upload-file /usr/share/webshells/php/simple-backdoor.php

Delete the file
