Interesting Test Cases of File uploading vulnerabilities
A file upload vulnerability exists when an application lets a user upload a malicious file which the server then stores, serves or executes.
Method 1: Bypassing file upload restrictions
If the application accepts only PDF files, follow the steps below.
Use the payload extension, a null byte, and then the accepted extension: payload.html%00.pdf
Eg: if meow.html is the file you want to upload, craft the filename as meow.html%00.pdf and change Content-Type to text/html. Where the extension check reads the whole string but the file is written through a C-backed API (PHP before 5.3.4 and similar runtimes), the name is truncated at the null byte and meow.html lands on disk: bypassed, and the file uploads. Modern runtimes reject embedded null bytes, so also test a changed Content-Type on its own and double extensions such as meow.pdf.html.
Method 2: Image pixel attack leading to DoS
· Check for a profile picture or logo upload in the application.
· Check the file size limit of the upload function. Even when a small limit is enforced, it is still possible to upload a crafted image within the allowed size whose header declares a very large pixel count; the decoder sizes its buffer from the header, not from the file, so it can fill the heap and cause a denial of service.
· Check https://bomb.codes/bombs#images for image payloads with a lot of pixels.
· Upload a 50 KB JPG pixel bomb and observe that the pixels are read and the image is processed for about a minute.
· Try images with different pixel counts.
· This usually ends in an out-of-memory error and causes slowness or a full DoS.
Method 3: Bypassing file type restrictions by forging valid magic bytes
Common Useful Magic Bytes
Method 4: RCE from file upload
Check whether the profile picture upload validates the file type at all, then create a hack.php file with the content below and upload it.
After uploading, replace CMD in the payload with the command you want to run (sleep, timeout, etc.) and confirm execution by timing the response.
Method 5: Using the file name as the payload
Put the payload in the file name, e.g. <img src=x onerror=alert(document.domain)> - Copy.csv, and check every place the name is rendered (file listing, admin panel, notification email) for unescaped output.
Method 6: If the target is a web server
Try uploading an .htaccess file; on Apache its directives apply to the upload directory and can, for example, map an image extension to the PHP handler. Also create a sample.svg file with the below content (SVG is XML and can carry script).
Upload it to the server and observe the vulnerability.
Method 7: File upload vulnerability via EXIF manipulation
Capture the file upload request in Burp, add the payload to an EXIF field (a tool such as exiftool can write it into the Comment or Artist tag beforehand), and upload. The payload fires where the application displays metadata unescaped or passes it to an interpreter.
Method 8: Total number of files uploaded
Capture the request in Burp, send it to Intruder, and use a numeric payload from 1 to 1000 in steps of 1 in the file name: Image1.pdf, Image2.pdf, Image3.pdf, Image4.pdf...
With no per-user quota the server becomes unresponsive after several hundred uploads and storage fills up, which is a DoS.
Method 9: DoS attack from file upload
The exploit is simple. Take a 5 KB image of 260x260 pixels and, in the image header, replace the 260x260 dimension values with 0xfafa x 0xfafa (64250x64250 pixels).
The service converts the image once it is uploaded. To load the "whole image" into memory it tries to allocate a buffer for 4,128,062,500 pixels (several gigabytes at 3 or 4 bytes per pixel), exhausting memory and causing a DoS.
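As an added example (not from the original post) covering both the pixel-bomb upload in Method 2 and the header patch in Method 9, the script below reads the declared dimensions of a PNG (IHDR) or JPEG (SOFn) without decoding any pixels, computes the buffer a decoder would allocate, and rejects the file before decoding. It also builds the constructed samples: a 260x260 PNG and the same header patched to 0xfafa x 0xfafa, plus a JPEG SOF0 header with the bomb dimensions. The MAX_PIXELS limit and the 4-bytes-per-pixel estimate are assumptions to tune per application.

```python
import struct
import zlib

# Assumed limit: 50 megapixels covers any realistic avatar or logo;
# the 64250x64250 bomb is ~4.1 gigapixels.
MAX_PIXELS = 50_000_000
BYTES_PER_PIXEL = 4   # RGBA decode buffer, the usual worst case


def png_dimensions(data: bytes):
    """Width/height from the PNG IHDR chunk; nothing else is parsed."""
    if data[:8] != b"\x89PNG\r\n\x1a\n" or data[12:16] != b"IHDR":
        raise ValueError("not a PNG")
    return struct.unpack(">II", data[16:24])


def jpeg_dimensions(data: bytes):
    """Walk JPEG marker segments to the SOFn frame header, which carries
    height and width as 16-bit big-endian values."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker stream")
        marker = data[pos + 1]
        if marker == 0xFF:                                   # fill byte
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # SOF0..SOF15, excluding DHT (C4), JPG (C8) and DAC (CC)
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seglen
    raise ValueError("no SOF marker found")


def check_image(data: bytes) -> dict:
    """Pre-decode gate: decide from the header alone whether decoding is safe."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        kind, (w, h) = "png", png_dimensions(data)
    elif data[:2] == b"\xff\xd8":
        kind, (w, h) = "jpeg", jpeg_dimensions(data)
    else:
        raise ValueError("unsupported type")
    pixels = w * h
    return {"type": kind, "width": w, "height": h, "pixels": pixels,
            "decode_bytes": pixels * BYTES_PER_PIXEL,
            "accepted": pixels <= MAX_PIXELS}


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width: int, height: int) -> bytes:
    """Constructed sample: IHDR claims width x height, IDAT holds one RGBA
    pixel. Decoders size their buffers from IHDR, which is the whole trick."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def make_jpeg_header(width: int, height: int) -> bytes:
    """Constructed sample: SOI + SOF0 only (enough for header parsing)."""
    sof0 = (struct.pack(">BHHB", 8, height, width, 3)
            + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01")   # 3 components
    return b"\xff\xd8\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0


if __name__ == "__main__":
    for sample in (make_png(260, 260), make_png(0xFAFA, 0xFAFA),
                   make_jpeg_header(0xFAFA, 0xFAFA)):
        r = check_image(sample)
        print(f"{r['type']:4} {r['width']}x{r['height']}: "
              f"{r['decode_bytes'] / 2**30:.1f} GiB buffer, accepted={r['accepted']}")
```

The patched PNG is under 100 bytes on disk yet declares a 16 GiB decode buffer, which is exactly why a file-size limit alone does not stop this attack; the dimension gate has to run before the image library touches the data.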
Method 10: From file upload to other vulnerabilities
· Set the filename to ../../../tmp/lol.png and check for path traversal (the file landing outside the upload directory).
· Set the filename to sleep(10)-- -.jpg; a 10-second delay suggests SQL injection where the name is stored unsafely.
· Set the filename to <svg onload=alert(document.domain)> (keeping an allowed extension) to test for XSS wherever the name is rendered.
· Set the filename to ; sleep 10; to test for command injection where the name reaches a shell, e.g. an image conversion or antivirus call.
· Upload the EICAR content to check if the server has any antivirus
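The null-byte name from Method 1, the file-name payloads from Methods 5 and 10, and the double-extension and long-name cases in the test list all fail against one server-side rule: never use the client's name on disk. The function below is an added example (not from the original post) of that rule for a PDF-only endpoint: it decodes the name, rejects null bytes, strips any path, applies an allow-list of characters, takes only the last extension, and stores under a random server-chosen name. ALLOWED_EXTENSIONS, MAX_NAME_LEN and the sample names are constructed assumptions; the urllib.parse.unquote step mirrors the %00 encoding shown in Method 1 and may be redundant if your framework already decodes the multipart filename.

```python
import re
import secrets
import urllib.parse

# Assumed policy for a PDF-only upload endpoint; adjust per application.
ALLOWED_EXTENSIONS = {"pdf"}
MAX_NAME_LEN = 100


class RejectedFilename(ValueError):
    pass


def sanitize_upload_name(raw: str) -> str:
    """Validate a client-supplied filename and return the name to store under.

    Only the (validated) extension survives; the stored name is random, so
    nothing user-controlled reaches the filesystem, a shell, SQL or HTML."""
    name = urllib.parse.unquote(raw)            # meow.html%00.pdf -> meow.html\x00.pdf
    if "\x00" in name:
        raise RejectedFilename("null byte")     # C / old-PHP truncation trick
    # Drop any directory component the client sent (../../../tmp/lol.png).
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or name.startswith("."):
        raise RejectedFilename("dotfile or empty")   # .htaccess, .user.ini
    if len(name) > MAX_NAME_LEN:
        raise RejectedFilename("name too long")
    # Printable ASCII allow-list: no < > ; ( ) quotes or control characters.
    if not re.fullmatch(r"[A-Za-z0-9 ._-]+", name):
        raise RejectedFilename("disallowed characters")
    # Only the LAST extension counts, so shell.txt.jpg.png.asp fails here and
    # shell.php.pdf is stored as <random>.pdf with no second extension left.
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedFilename("extension not allowed: %r" % ext)
    return secrets.token_hex(16) + "." + ext


def verdict(raw: str) -> str:
    """Human-readable outcome for one filename, used by the demo below."""
    try:
        stored = sanitize_upload_name(raw)
        return "stored as *." + stored.rsplit(".", 1)[-1]
    except RejectedFilename as exc:
        return "rejected: " + str(exc)


# Constructed names taken from the methods and test cases on this page.
SAMPLES = [
    "report.pdf",
    "meow.html%00.pdf",
    "../../../tmp/lol.png",
    "sleep(10)-- -.jpg",
    "<svg onload=alert(document.domain)>.pdf",
    "; sleep 10;",
    "shell.txt.jpg.png.asp",
    "shell.php.pdf",
    ".htaccess",
    "supermassivelong" + "e" * 120 + "name.pdf",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:48]!r:52} {verdict(sample)}")
```

If the original name must be shown to users, keep it in the database as data and escape it for the output context (HTML, SQL parameter, shell argument list) at the point of use; it never needs to be the on-disk name.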
Interesting Test Cases
- Uploading a file when another file with the same name already exists. This may show interesting error messages that lead to information disclosure, and logical flaws may be found in how the application renames the new file to keep it on the server.
- Upload a directory with the .asp extension, then give the script inside the directory a permitted file extension, for example folder.asp\file.txt (older IIS versions executed files inside a .asp directory as ASP).
- Uploading a file with a very long name. This may show interesting error messages that lead to information disclosure.
- Uploading the same file several times concurrently. This may show interesting error messages or race conditions that lead to information disclosure.
- Uploading a “crossdomain.xml” or “clientaccesspolicy.xml” file can make a website vulnerable to cross-site content hijacking.
- Upload XML file multiple times in order to identify any possible processing on the server-side.
- Uploading files that are hard to delete, such as "…:.jpg" on NTFS, which creates a file named "…" with ".jpg" as an alternate data stream.
- Upload .jsp file into web tree — JSP code executed as the web user
- Upload .gif file to be resized — image library flaw exploited
- Upload huge files — file space denial of service
- Upload file using malicious path or name — overwrite a critical file
- Upload file containing personal data — other users access it
- Upload file containing “tags” — tags get executed as part of being “included” in a web page
- Upload .rar file to be scanned by antivirus — command executed on a server running the vulnerable antivirus software
- Use different file names such as shell.php3, shell.phtml, shell.p.phpp, shell.txt.jpg.png.asp, shell.php.jpg (the last one targets servers that map by the first recognised extension).
- Try long file names supermassivelongfileeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeename.php
- Try to upload with huge file sizes
Feedback is most welcome at Akash.venky091@gmail.com, and I am also reachable on https://www.linkedin.com/in/akash-h-c-4a4090a7/