HackBook.io - Pentesting Pocket Book for hackers and developers.

Unrestricted File Uploads


Last updated 3 years ago

When a file upload feature lacks proper file type checks or a maximum file size limit, Unrestricted File Upload vulnerabilities are likely to occur.

Common attacks to leverage:

  • WebShell
  • Creating phishing pages
  • Defacement
  • Stored XSS
  • Installing malware

Checks for Success:

Example:

In the page source we see that the profile image we uploaded kept its original file name and is referenced with an <img> tag via its src attribute.

In this case we are able to upload a profile photo that is actually a PHP file, then navigate to the upload directory and have the server execute it.

PUT to Directories:

  1. Send an OPTIONS request to the host to see which HTTP methods are allowed (nc, nmap, PuTTY).

  2. If we get a 4xx or 5xx response, OPTIONS is not allowed; we should still try one or two PUTs anyway to check.

  3. Plan which directories to try. Look into where certain items get stored, such as user avatars, content files, uploads, attachments and settings. If the web app is open source, look up its directory structure on GitHub. If it is closed source, look at setup and user guides to get an idea of where it stores files. Both the HTML and the web app documentation help here.

  4. Then craft a PUT and test the directories to see if you can drop files.

PUT /writeable_dir/test.html HTTP/1.1
Host: [TARGET HOST]
Content-Length: 184

[CONTENT OF TEST.HTML]

Defense:

Ask: who will use the file? How will the uploaded file be used by the system? What privileges will the file have on the server?

It is also best to scan all uploaded files with AV/EDR products and to use web libraries built for safe file uploads.

To prevent file upload vulnerabilities, check the file name, extension, size and the actual data within the file itself. The content check matters because if the file is later included by a PHP script, the PHP engine will execute any <?php tags it contains, even when the file's extension on its own would never trigger the engine.
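The following is an added example, not code from HackBook.io, that puts the checks listed above into one validator: it drops client-supplied path components, enforces a size limit, allowlists extensions, confirms the magic bytes match the claimed type, scans the body for embedded PHP/script tags (image polyglots), and never reuses the original file name, which is the weakness the profile-image example above relies on. The sample uploads, the 2 MiB limit and the function names are assumptions made for the example.

```python
"""Hardened upload validation: allowlisted extension, size cap, magic-byte
check, content scan for server-side tags, and a random server-chosen name.
Added example; the limits and sample files below are constructed."""
import os
import re
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed 2 MiB cap; pick the limit your app needs

# Allowed extensions mapped to the magic bytes a genuine file must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Server-side and client-side tag openers that have no business inside an image.
SCRIPT_TAGS = re.compile(rb"<\?(php|=)|<%|<script\b", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> str:
    """Return the canonical extension of an acceptable upload, or raise UploadRejected."""
    # 1. Ignore any client-supplied directory components (POSIX or Windows style).
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", ".."):
        raise UploadRejected("empty or invalid file name")

    # 2. Size limits: an empty body is as suspicious as an oversized one.
    if not data:
        raise UploadRejected("empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")

    # 3. Extension allowlist, compared case-insensitively on the final extension.
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")

    # 4. The magic bytes must agree with the claimed type.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")

    # 5. Scan the whole body for embedded tags (image/PHP polyglots).
    if SCRIPT_TAGS.search(data):
        raise UploadRejected("embedded script tags found")

    return "jpg" if ext == "jpeg" else ext


def stored_name(ext: str) -> str:
    """Random server-chosen name: the original file name is never reused on disk."""
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed sample uploads (not real files) used by check_samples().
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64
PNG_POLYGLOT = b"\x89PNG\r\n\x1a\n" + b"<?php /* embedded code */ ?>"
PHP_FILE = b"<?php echo 'x'; ?>"


def check_samples() -> dict:
    """Run the validator over the constructed samples; returns file name -> outcome."""
    cases = {
        "cat.png": PNG_OK,
        "CAT.PNG": PNG_OK,
        "avatar.php.png": PNG_OK,                # double extension: renamed on storage anyway
        "../../../var/www/html/x.png": PNG_OK,   # path components are dropped
        "page.php": PHP_FILE,
        "cat.jpg": PNG_OK,                       # wrong magic bytes for the claimed type
        "poly.png": PNG_POLYGLOT,
        "big.png": PNG_OK + b"\x00" * MAX_UPLOAD_BYTES,
    }
    results = {}
    for name, body in cases.items():
        try:
            results[name] = "accepted:" + validate_upload(name, body)
        except UploadRejected as exc:
            results[name] = "rejected:" + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_samples().items():
        print(f"{name:32} {outcome}")
    print("stored as, e.g.:", stored_name("png"))
```

Note that the validator runs the size check before any parsing, so an oversized body is rejected without being scanned, and the extension check is applied only after directory components are stripped, so a name like ../../x.png cannot steer where the file lands. Storing the file under stored_name() also means that an attacker who gets a polyglot past every check still cannot predict its URL from the name they uploaded.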