Unrestricted File Uploads

When an application accepts file uploads without sound file type checks or a maximum file size, Unrestricted File Upload vulnerabilities are likely to follow.

Common attacks to leverage:

  • Web shell (upload a server-side script and request it so the server executes it)

  • Hosting phishing pages on the trusted domain

  • Defacement

  • Stored XSS (HTML, SVG or similar content that is served back inline)

  • Installing malware for other users to download

Checks for Success:

Example:

In the page source we see that the profile image we uploaded kept its original file name and is referenced from an <img> tag whose src attribute points straight into the upload directory.

In this case we can upload a "profile photo" that is actually a PHP file, then browse to it in the upload directory and have the server execute it instead of serving it as an image.

PUT to Directories:

  1. Send an OPTIONS request to the host to see which verbs it advertises in the Allow header (nc, nmap or PuTTY in raw mode all work).

  2. A 4xx or 5xx response only means the server will not tell us; try one or two PUTs anyway, since a method can be enabled without being advertised.

  3. Plan which directories to try. Look at where the application stores items such as user avatars, content files, uploads, attachments and settings. If the web app is open source, read its directory structure on GitHub; if it is closed source, read the setup and user guides to learn where things are stored. Both the HTML and the application docs help here.

  4. Then craft a PUT and test each directory to see whether you can drop a file; confirm by fetching the file back with a GET rather than trusting the PUT status code alone.

PUT /writeable_dir/test.html HTTP/1.1
Host: target.example
Content-Length: 184

[CONTENT OF TEST.HTML]
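The four steps above as a runnable probe. This is an added example, not code from the original page: it sends the OPTIONS request, PUTs a marker file into each candidate directory and only reports a directory as writable when a GET returns the marker. So that it runs offline, it also stands up a constructed, deliberately misconfigured local server that advertises PUT and accepts it under one directory; the candidate directory names and the writable directory are assumptions.

```python
"""Added example (not from the original page): a PUT probe for the steps
above, plus a constructed misconfigured server so it runs offline.
The candidate directory list and the writable directory are assumptions."""
import http.client
import os
import secrets
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Step 3: candidate storage directories (assumed names).
CANDIDATE_DIRS = ["/uploads/", "/avatars/", "/attachments/", "/content/"]


class SloppyHandler(BaseHTTPRequestHandler):
    """Constructed target: advertises PUT and accepts it under /uploads/."""
    root = None            # filesystem directory backing /uploads/
    writable = "/uploads/"

    def log_message(self, *args):   # keep the demo quiet
        pass

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS, PUT")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def _local(self):
        return os.path.join(self.root, os.path.basename(self.path))

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.path.startswith(self.writable):
            return self._reply(403)
        with open(self._local(), "wb") as fh:
            fh.write(body)
        self._reply(201)

    def do_GET(self):
        if self.path.startswith(self.writable) and os.path.isfile(self._local()):
            with open(self._local(), "rb") as fh:
                return self._reply(200, fh.read())
        self._reply(404)


def _request(host, port, method, path, body=None, headers=None):
    """One request on a fresh connection; returns (status, Allow header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body, headers=headers or {})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", ""), resp.read()
    finally:
        conn.close()


def allowed_methods(host, port):
    """Step 1: verbs advertised in the Allow header (empty set if refused)."""
    status, allow, _ = _request(host, port, "OPTIONS", "/")
    if status >= 400:
        return set()
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def probe_put(host, port, dirs=CANDIDATE_DIRS):
    """Steps 2-4: PUT a marker file into each candidate directory and only
    believe the directory is writable if a GET returns our own marker."""
    writable = []
    for d in dirs:
        marker = secrets.token_hex(8)
        target = f"{d}put-probe-{marker}.html"
        body = f"<html><body>{marker}</body></html>".encode()
        _request(host, port, "PUT", target, body, {"Content-Type": "text/html"})
        status, _, echoed = _request(host, port, "GET", target)
        if status == 200 and marker.encode() in echoed:
            writable.append(d)
    return writable


def run_demo():
    """Start the constructed target, probe it, shut it down; returns
    (advertised methods, writable directories)."""
    with tempfile.TemporaryDirectory() as root:
        SloppyHandler.root = root
        srv = ThreadingHTTPServer(("127.0.0.1", 0), SloppyHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            return allowed_methods(host, port), probe_put(host, port)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    methods, writable = run_demo()
    print("advertised:", sorted(methods))
    print("writable:", writable)
```

Against a real target, point allowed_methods and probe_put at the host instead of calling run_demo, and swap CANDIDATE_DIRS for the directories found in step 3. The random marker matters: a 200 on the GET is not proof on its own, because the path may already have existed or the server may answer every request with the same page.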

Defense:

Start with the questions that decide the risk: who will consume the file, how the system will use it, and what privileges the file will have on the server.

It is also best to scan every uploaded file with AV/EDR products and to use web libraries built for safe file handling rather than hand-rolled upload code.

To prevent file upload vulnerabilities, check the file name, the extension, the size and the actual bytes of the file. The content check matters because if the file is later include()d by a PHP page, the PHP engine executes any <?php ... ?> tags inside it, even though the extension alone would never have triggered the engine.
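The checks above for an avatar upload, as an added example that is not code from the original page. It rejects the page's own scenario (a PHP file uploaded as a profile photo) three different ways: by extension allowlist, by comparing the leading bytes to the type the extension claims, and by scanning the whole body for script tags so that a valid image with PHP appended cannot survive an include(). The stored name is generated, so the user's file name never reaches the filesystem. The size limit, the allowlist and the sample inputs are assumptions constructed for the example.

```python
"""Added example (not from the original page): server-side checks for an
avatar upload. MAX_BYTES, the allowlist and the samples are assumptions."""
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024          # assumed size limit

# Allowed extension -> magic bytes the content must actually start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Markers that still execute if the file is include()d or served inline;
# checked over the whole body, not only the header.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


class UploadRejected(ValueError):
    pass


def validate_upload(filename, data):
    """Return the extension the file may be stored with, or raise."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("bad size")
    # File name: a single path component with exactly one extension, so
    # "../x.png" and "shell.php.png" are both refused.
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name.count(".") != 1 or name.startswith("."):
        raise UploadRejected("bad filename")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected("extension not allowed")
    # The bytes must match the type the extension claims.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # A real image with a PHP payload appended still fails here.
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        raise UploadRejected("embedded script tag")
    return ext


def store_name(ext):
    """Random name plus the validated extension; the user's name is dropped."""
    return secrets.token_hex(16) + "." + ext


def decision(filename, data):
    """Wrapper that reports the outcome as a string instead of raising."""
    try:
        return "accepted:" + validate_upload(filename, data)
    except UploadRejected as exc:
        return "rejected:" + str(exc)


# Constructed samples: a PNG header with padding, the page's "PHP file
# uploaded as a photo", and a polyglot that is a valid PNG with PHP appended.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_BODY = b"<?php system($_GET['c']); ?>"
POLYGLOT = PNG_HEADER + PHP_BODY

if __name__ == "__main__":
    for fname, body in [("avatar.png", PNG_HEADER), ("avatar.php", PHP_BODY),
                        ("avatar.png", PHP_BODY), ("avatar.png", POLYGLOT),
                        ("shell.php.png", PNG_HEADER), ("../avatar.png", PNG_HEADER)]:
        print(fname, "->", decision(fname, body))
    print("stored as", store_name("png"))
```

The order of checks is deliberate: size first so nothing large is parsed, name and extension before content so the cheap rejections come early, and the body scan last. The marker scan can reject a legitimate image that happens to contain those byte sequences; that is the safer failure, and re-encoding the image server-side is the usual way to avoid it.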
