Skip to content

Latest commit

 

History

History
63 lines (50 loc) · 1.95 KB

07_File_Upload.md

File metadata and controls

63 lines (50 loc) · 1.95 KB

Tactical Fuzzing - FI & Uploads

Local file inclusion

Core Idea: Does it (or can it) interact with the server file system?

[Liffy] (https://github.com/rotlogix/liffy) is new and cool here but you can also use [Seclists] (https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt):

Malicious File Upload

This is an important and common attack vector in this type of testing. A file upload functions need a lot of protections to be adequately secure.

Attacks:

  • Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
  • Execute XSS via same types of files. Images as well!
  • Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
  • Bypass security zones and store malware on target site via file polyglots

File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

As referenced file polyglots can be used to store malware on servers! [See @dan_crowley ‘s talk] (http://goo.gl/pquXC2) [and @angealbertini research:] (corkami.com)

Remote file includes and redirects

Look for any param with another web address in it. Same params from LFI can present here too.

Common blacklist bypasses:

  • escape "/" with "/" or “//” with “//”
  • try single "/" instead of "//"
  • remove http i.e. "continue=//google.com"
  • “//\” , “|/” , “/%09/”
  • encode, slashes
  • ”./” CHANGE TO “..//”
  • ”../” CHANGE TO “....//”
  • ”/” CHANGE TO “//”

Redirections Common Parameters or Injection points:

  • dest=
  • continue=
  • redirect=
  • url= (or anything with “url” in it)
  • uri= (same as above)
  • window=
  • next=

RFI Common Parameters or Injection points:

  • File=
  • document=
  • Folder=
  • root=
  • Path=
  • pg=
  • style=
  • pdf=
  • template=
  • php_path=
  • doc=