File Extensions Handling

Check List

Ensure that defaults and known files have been removed.
Dirbust sensitive file extensions, or extensions that might contain raw data (e.g. scripts, raw data, credentials, etc.).
Validate that no system framework bypasses exist on the rules set.

Cheat Sheet

Forced Browsing

Google

Extensions

ext:log | 
ext:txt | 
ext:conf | 
ext:cnf | 
ext:ini | 
ext:env | 
ext:sh | 
ext:bak | 
ext:backup | 
ext:swp | 
ext:old | 
ext:~ | 
ext:git | 
ext:svn | 
ext:htpasswd | 
ext:htaccess | 
ext:json | 
ext:daf 
site:$WEBSITE

File Types

filetype:pdf |
filetype:csv |
filetype:xls |
filetype:xlsx |
filetype:docx
site:$WEBSITE

Nikto

Scan all

nikto -h $WEBSITE -ssl

Eyewitness

File Types

eyewitness --single $WEBSITE --web

Katana

Extract URLs

katana -u $WEBSITE \
  -fr "(static|assets|img|images|css|fonts|icons)/" \
  -o /tmp/katana_output.txt \
  -xhr-extraction \
  -automatic-form-fill \
  -silent \
  -strategy breadth-first \
  -js-crawl \
  -extension-filter jpg,jpeg,png,gif,bmp,tiff,tif,webp,svg,ico,css \
  -headless --no-sandbox \
  -known-files all \
  -field url \
  -sf url

cat /tmp/katana_output.txt | \
sed 's/\?.*//' | \
sed 's/\.aspx$//' | \
sed 's/\/[^/]*\.json$//' | \
grep -v '\.js$' | \
grep -v '&amp' | \
sort -u > /tmp/urls.txt

FFUF

Extension Fuzz

ffuf -w /tmp/urls.txt:URL \
     -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt:DIR \
     -e log,txt,conf,cnf,ini,env,sh,bak,backup,swp,old,~,git,svn,htpasswd,htaccess,json,daf \
     -u URL/DIR \
     -r -c -mc 200,401,402,403

File Upload

Fuxploider

Fuzz Uploader

fuxploider -u $WEBSITE --form-action /upload

PayloadsAllTheThings

Fuzz Extension & Content-Type

Create Script

sudo nano fuzz-uploader.sh

#!/bin/bash

# Check if upload URL is provided
if [ "$#" -lt 1 ]; then
    echo "Usage: $0 $WEBSITE/upload"
    exit 1
fi

# Read upload URL from command-line arguments
UPLOAD_URL="$1"
REPO_URL="https://github.com/swisskyrepo/PayloadsAllTheThings.git"
TARGET_FOLDER="/usr/share/PayloadsAllTheThings"

# Function to detect backend language based on HTTP response headers
detect_backend_language()
{
    RESPONSE=$(curl -s -I "$UPLOAD_URL")
    
    # Check for PHP by detecting "X-Powered-By: PHP"
    if echo "$RESPONSE" | grep -i "X-Powered-By: PHP" > /dev/null; then
        echo "php"
    # Check for ASP.NET by detecting "X-Powered-By: ASP.NET"
    elif echo "$RESPONSE" | grep -i "X-Powered-By: ASP.NET" > /dev/null; then
        echo "asp"
    # Check for HTML by detecting absence of PHP or ASP.NET
    elif echo "$RESPONSE" | grep -i "Content-Type: text/html" > /dev/null; then
        echo "html"
    else
        echo "unknown"
    fi
}

# Clone the repository if not already cloned
if [ ! -d "$TARGET_FOLDER" ]; then
    echo "Cloning repository to $TARGET_FOLDER ..."
    git clone --depth 1 "$REPO_URL" "$TARGET_FOLDER"
    if [ $? -ne 0 ]; then
        echo "Error: Failed to clone the repository."
        exit 1
    fi
else
    echo "Repository already exists at $TARGET_FOLDER. Pulling latest changes..."
    cd "$TARGET_FOLDER" && git pull --depth 1
    if [ $? -ne 0 ]; then
        echo "Error: Failed to update the repository."
        exit 1
    fi
fi

# Detect backend language
BACKEND_LANG=$(detect_backend_language)

# Set the folder containing the target files based on the backend language
case $BACKEND_LANG in
    "php")
        FOLDER="$TARGET_FOLDER/Upload Insecure Files/Extension PHP"
        ;;
    "asp")
        FOLDER="$TARGET_FOLDER/Upload Insecure Files/Extension ASP"
        ;;
    "html")
        FOLDER="$TARGET_FOLDER/Upload Insecure Files/Extension HTML"
        ;;
    *)
        echo "Unknown backend language or unable to detect."
        exit 1
        ;;
esac

# Check if the target folder exists
if [ ! -d "$FOLDER" ]; then
    echo "Error: Target folder $FOLDER does not exist."
    exit 1
fi

echo "Using folder: $FOLDER"

# List of content types to try
CONTENT_TYPES=(
    "application/x-php"
    "application/octet-stream"
    "image/gif"
    "image/png"
    "image/jpeg"
)

# Find all files in the folder
FILES=$(find "$FOLDER" -type f)

# Check if there are any files
if [ -z "$FILES" ]; then
    echo "No files found in the folder."
    exit 1
fi

# Upload each file with all content types
for FILE in $FILES; do
    FILENAME=$(basename "$FILE")
    echo "Testing file: $FILENAME with all content types..."

    for CONTENT_TYPE in "${CONTENT_TYPES[@]}"; do
        echo "Uploading with Content-Type: $CONTENT_TYPE ..."

        # Perform the upload using cURL
        RESPONSE=$(curl -s -w "\nHTTP_STATUS:%{http_code}" -X POST \
            -H "Content-Type: $CONTENT_TYPE" \
            -F "file=@$FILE;type=$CONTENT_TYPE" \
            "$UPLOAD_URL")

        # Extract response body and HTTP status
        BODY=$(echo "$RESPONSE" | sed -n "1,/^HTTP_STATUS:/p" | sed "$d")
        HTTP_STATUS=$(echo "$RESPONSE" | sed -n "s/^HTTP_STATUS://p")

        # Check the HTTP status
        if [ "$HTTP_STATUS" -eq 200 ]; then
            echo "Upload successful with Content-Type: $CONTENT_TYPE"
            echo "Server response: $BODY"
            break # Stop testing other Content-Types for this file
        else
            echo "Failed with Content-Type: $CONTENT_TYPE"
            echo "HTTP status: $HTTP_STATUS"
            echo "Server response: $BODY"
        fi
        echo "-----------------------------"
    done

    echo "Finished testing file: $FILENAME"
    echo "============================="
done

echo "All files have been tested with all content types."

Run Script

sudo chmod +x fuzz-uploader.sh;sudo ./fuzz-uploader.sh $WEBSITE/upload

PreviousApp Platform Configuration NextReview Old Backup

Last updated 24 days ago

Was this helpful?