# Unrestricted File Uploads

When a file upload feature lacks proper file type checks or a maximum file size limit, Unrestricted File Upload vulnerabilities are likely to occur.

## Common attacks to leverage:

* WebShell
* Create Phishing pages
* Defacement
* Stored XSS
* Installing Malware

### Checks for Success:

* [x] Vulnerable Upload
* [x] Know where the file gets stored
* [x] Know how the file gets used or included in the webapp (may be blind, e.g. an admin portal includes it)

## Example:

In the source code we see that the profile image we uploaded kept its original file name and is referenced with an \<img> tag whose src attribute points at it.

![](/files/wMCkcc2YEfKBBgtuLWjT)

In this case we are able to upload a profile photo that is actually a PHP file, then navigate to the <mark style="color:orange;">upload</mark> directory and get the server to run it.

![](/files/TLF5vKZHwy0swIvQyx12)

## PUT to Directories:

1. Send an OPTIONS request to the domain to see the allowed verbs (nc, nmap, putty).
2. If we get a 4xx or 5xx response, OPTIONS is not allowed; try one or two PUTs anyway to check.
3. Plan which directories to try. Look into where certain items get stored, such as User Avatars, Content Files, Uploads, Attachments and Settings. If the WebApp is open source, look up its directory structure on GitHub. If it is closed source, read the setup and user guides to get an idea of where things are stored. Both HTML and WebApp docs help here.
4. Then craft a PUT and test the directories to see if you can drop files.

```http
PUT /writeable_dir/test.html HTTP/1.1
Content-Length: 184

[CONTENT OF TEST.HTML]
```

## Defense:

Who will use the file? How will the uploaded file be used by the system? What privileges will the file have in the server?

It is also best to scan all uploaded files with AV/EDR products and to use web libraries that are designed for safe file uploads.

{% hint style="danger" %}
To prevent file upload vulns, make sure to check the file name, extension, size, and the actual data within the file itself. This matters because when the file is included in a page, PHP parses its contents regardless of the extension: even if the extension alone would not trigger the PHP engine, the `<?php` tags inside the file will be executed.
{% endhint %}
