5.1 An Example Methodology

Fifth section in the Complete Beginner learning path.

A boilerplate or template methodology for exploiting upload vulnerabilities could look as follows:

Look at the website as a whole (could use a tool like Wappalyzer or just look manually). Look for indicators of languages or frameworks the app could be built in. A good entry point to this type of enumeration is to simply make a request to the site and intercept it with Burp, headers like "server" or "x-powered-by" can be used to gain info. Look for vectors of attack like an upload page.
Finding an upload page then requires further inspection, look for client-side scripts to determine if there are client side filters to bypass.
Attempt a normal file upload, check to see how the file is accessed: is it in an uploads folder? Does it embed in the page? What naming scheme does the site use? Gobuster is important in enumerating this. An important switch to know is -x, this can be used to search for file extensions like -x php,txt,html.
Knowing where to access uploads, then attempt to perform a malicious upload and bypass client-side and server-side filters. If the file is stopped by the server then check: if you can upload a file with a totally invalid file extension like "test.blacklist" this indicates an extension blacklist is being used, otherwise a whitelist will be in use. Check if you can upload the innocent file with a different magic number, if this fails then a magic number filter is in use. Check if you can intercept the innocent upload and change the MIME type, if this fails then MIME type filtering is in use. Upload progressively larger files until you hit a limit, if the size limit is small this could prevent use of a reverse shell.

Last updated 4 months ago

5.1 An Example Methodology

Fifth section in the Complete Beginner learning path.

A boilerplate or template methodology for exploiting upload vulnerabilities could look as follows:

Look at the website as a whole (could use a tool like Wappalyzer or just look manually). Look for indicators of languages or frameworks the app could be built in. A good entry point to this type of enumeration is to simply make a request to the site and intercept it with Burp, headers like "server" or "x-powered-by" can be used to gain info. Look for vectors of attack like an upload page.
Finding an upload page then requires further inspection, look for client-side scripts to determine if there are client side filters to bypass.
Attempt a normal file upload, check to see how the file is accessed: is it in an uploads folder? Does it embed in the page? What naming scheme does the site use? Gobuster is important in enumerating this. An important switch to know is -x, this can be used to search for file extensions like -x php,txt,html.
Knowing where to access uploads, then attempt to perform a malicious upload and bypass client-side and server-side filters. If the file is stopped by the server then check: if you can upload a file with a totally invalid file extension like "test.blacklist" this indicates an extension blacklist is being used, otherwise a whitelist will be in use. Check if you can upload the innocent file with a different magic number, if this fails then a magic number filter is in use. Check if you can intercept the innocent upload and change the MIME type, if this fails then MIME type filtering is in use. Upload progressively larger files until you hit a limit, if the size limit is small this could prevent use of a reverse shell.

Last updated 4 months ago