Interesting Test Cases of File Uploading Vulnerabilities


Akash Venky

Various interesting test cases for finding vulnerabilities in file upload functionality.

A file upload vulnerability exists where an application lets a user upload a malicious file directly, which is then stored and executed (or served) by the server.

Method 1: Bypassing file upload restrictions.

If the application accepts only PDF files, follow the steps below.

Use an HTML payload with a null byte followed by the accepted extension.

Eg: if meow.html is the file you want to upload, craft the filename so that it passes the extension check, i.e. meow.html%00.pdf, and change the Content-Type header to text/html. The extension check sees ".pdf", but a server that hands the decoded name to a C-style (NUL-terminated) API stores it as meow.html, and the file is then served as HTML. Bypassed: the file uploads.
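The following is an added example (not code from the original article) that models the two sides of this bypass: a legacy-style handler that checks the decoded name with endswith(".pdf") and then truncates at the NUL, and a hardened handler that rejects control bytes, allowlists only the last extension, ignores the client-supplied Content-Type and stores the file under a random name. The function names, the allowlist and the emulated NUL truncation are assumptions made for the example.

```python
import os
import re
import secrets
import urllib.parse
from typing import Optional, Tuple

ALLOWED_EXTENSIONS = {"pdf"}
SERVED_CONTENT_TYPE = {"pdf": "application/pdf"}  # derived server-side, never from the client
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def c_string(name: str) -> str:
    """Emulate a filename passing through a NUL-terminated C API (the historical
    PHP < 5.3.4 behaviour): everything after the first NUL is dropped."""
    return name.split("\x00", 1)[0]


def weak_upload(filename: str, content_type: str) -> Optional[Tuple[str, str]]:
    """Legacy-style handler (assumed for the example). Validates the URL-decoded
    name with endswith(".pdf"), stores it via a NUL-terminated API and keeps the
    client's Content-Type. Returns (stored_name, served_content_type) or None."""
    decoded = urllib.parse.unquote(filename)          # "%00" becomes "\x00"
    if not decoded.lower().endswith(".pdf"):
        return None
    return c_string(decoded), content_type             # "meow.html", "text/html"


def hardened_upload(filename: str, content_type: str) -> Optional[Tuple[str, str]]:
    """Reject control bytes, strip any path, allowlist the *last* extension of the
    decoded name, ignore the client's Content-Type and store under a random name."""
    decoded = urllib.parse.unquote(filename)
    if _CONTROL_CHARS.search(decoded):
        return None                                    # NUL or other control byte: reject outright
    base = os.path.basename(decoded.replace("\\", "/"))
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    stored = f"{secrets.token_hex(16)}.{ext}"          # 32 hex chars + ".pdf"
    return stored, SERVED_CONTENT_TYPE[ext]


if __name__ == "__main__":
    print(weak_upload("meow.html%00.pdf", "text/html"))      # ('meow.html', 'text/html')
    print(hardened_upload("meow.html%00.pdf", "text/html"))  # None
```

The hardened version deliberately does not look at the client's Content-Type at all; the served type is derived from the allowlisted extension, and the content itself still needs a magic-byte check (see Method 3).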

Method 2: Image pixel attack leading to DoS

· Check for a profile picture or logo upload in the application.

· Check the file size limit on the upload function. Even if a size limit is enforced, it is still possible to upload a small crafted image within the allowed size whose declared dimensions hold a very large number of pixels; decoding it can fill the heap and cause denial of service.

· Check https://bomb.codes/bombs#images for image payloads with a lot of pixels.

· Upload a 50K JPG image and observe that the pixels are read and the image is processed for about a minute.

· Try with images of different pixel dimensions.

· This usually causes an out-of-heap-memory error and slowness/DoS.

Method 3: Bypassing file type restrictions by forging valid magic bytes

Common Useful Magic Bytes

Method 4: RCE from file upload

Check how the profile picture upload validates the file type (for example, whether the check runs only client-side in JavaScript), then create a hack.php file with the content below and upload it.

Before uploading, replace CMD with the command you want to run, for example sleep or timeout, so that a delayed response confirms the command executed.

Method 5: Using the file name as the payload

Put the payload in the file name, e.g. <img src=x onerror=alert(document.domain)> — Copy.csv. If the application later renders the stored name without escaping it, the handler fires.

Method 6: If the target is a web server

Try uploading .htaccess files. Also create a sample.svg file with the content below

and upload it to the server to observe the vulnerability.

Method 7: File upload vulnerability via EXIF manipulation

Capture the file upload request in Burp, add the payload to the image's EXIF metadata (for example a comment or description field) and upload it.

Method 8: Total number of files uploaded

Capture the request in Burp, send it to Intruder and add a numeric payload from 1 to 1000 in increments of 1 so that the filenames become Image1.pdf, Image2.pdf, Image3.pdf, Image4.pdf…

After several hundred uploads the server becomes unresponsive and DoS occurs.

Method 9: DoS attack from file upload

The exploit is really simple. Consider an image of 5 KB with 260x260 pixels. In the image header we can replace the 260x260 dimensions with 0xfafa x 0xfafa (that is, 64250x64250 pixels).

Remember that the service tries to convert the image once it is uploaded. By loading the "whole image" into memory it tries to allocate 4128062500 pixels (at 4 bytes per pixel, more than 16 GB), flooding memory and causing DoS.
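Added example for Method 2 and Method 9 (not code from the original article): reading the declared width and height straight from a PNG IHDR chunk or GIF logical-screen header and rejecting the file before any image library allocates a decode buffer. The 50-megapixel limit, the 4-bytes-per-pixel estimate and the make_png_header helper (which builds only the signature and IHDR of a PNG declaring 64250x64250 pixels, constructed as test input) are assumptions made for the example.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Policy limits, assumed for the example: 50 Mpx is already roughly a 7000x7000 image.
MAX_PIXELS = 50_000_000
BYTES_PER_PIXEL = 4  # an RGBA decode buffer, the usual worst case


def declared_dimensions(data: bytes):
    """Return (format, width, height) from the header only; no pixel data is decoded."""
    if data.startswith(PNG_SIGNATURE):
        # Signature (8) + chunk length (4) + "IHDR" (4), then width and height as big-endian u32.
        if len(data) < 24 or data[12:16] != b"IHDR":
            raise ValueError("malformed PNG: IHDR is not the first chunk")
        width, height = struct.unpack(">II", data[16:24])
        return "png", width, height
    if data[:6] in (b"GIF87a", b"GIF89a"):
        # Logical screen width and height as little-endian u16 right after the version.
        if len(data) < 10:
            raise ValueError("malformed GIF header")
        width, height = struct.unpack("<HH", data[6:10])
        return "gif", width, height
    raise ValueError("unrecognised image format")


def estimated_decode_bytes(width: int, height: int) -> int:
    """Memory a naive decoder would reserve for the full bitmap."""
    return width * height * BYTES_PER_PIXEL


def safe_to_decode(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """Gate to run before handing an upload to an image library (resize, thumbnail, convert)."""
    _, width, height = declared_dimensions(data)
    return 0 < width * height <= max_pixels


def make_png_header(width: int, height: int) -> bytes:
    """Constructed test input: signature + IHDR declaring the given size, 8-bit RGBA.
    There is no pixel data, yet a decoder that trusts the header allocates for all of it."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIGNATURE + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


if __name__ == "__main__":
    bomb = make_png_header(0xFAFA, 0xFAFA)          # the 64250x64250 case from the text
    fmt, w, h = declared_dimensions(bomb)
    print(fmt, w, h, w * h, estimated_decode_bytes(w, h), safe_to_decode(bomb))
```

A 33-byte file declares 4128062500 pixels; the size check on the upload (Method 2) sees a tiny file, which is why the dimension check has to happen separately, before decoding. Real decoders also enforce per-image pixel limits, but defaults vary between libraries and versions, so do not rely on them alone.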

Method 10: From file upload to other vulnerabilities

· Set the filename to ../../../tmp/lol.png and try to achieve path traversal

· Set the filename to sleep(10)-- -.jpg and you may be able to achieve SQL injection

· Set the filename to <svg onload=alert(document.domain)> to achieve XSS

· Set the filename to ; sleep 10; to test for command injection

· Upload the EICAR test file content to check whether the server runs any antivirus
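Added example for Method 5 and Method 10 (not code from the original article) showing the receiving side for each of the filename payloads above: a sanitiser that reduces the name to one safe path component, a containment check on the final storage path, HTML escaping before the name is echoed back, a scanner invocation built as an argv list rather than a shell string, and a parameterised SQLite insert that stores the name literally. The upload directory, the scanner command line and the table schema are assumptions made for the example.

```python
import html
import os
import re
import sqlite3

_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(raw: str, max_len: int = 100) -> str:
    """Reduce an attacker-controlled name to a single safe path component.
    Keeps the client's name recognisable; use a random name if that is not needed."""
    name = raw.replace("\x00", "")                        # NUL truncates names in C-backed APIs
    name = name.replace("\\", "/").rsplit("/", 1)[-1]     # drop directories: "../../../tmp/lol.png" -> "lol.png"
    name = _UNSAFE.sub("_", name)                         # removes quotes, < > ; ( ) spaces, etc.
    name = name.lstrip(".")                               # no dotfiles and no "." / ".." leftovers
    return name[:max_len] or "upload"


def safe_storage_path(upload_dir: str, raw_name: str) -> str:
    """Join, then re-check containment so any traversal that survives sanitising still fails."""
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, sanitize_filename(raw_name)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the upload directory")
    return target


def render_filename(raw_name: str) -> str:
    """HTML-escape before echoing the original name in a page, so
    '<svg onload=alert(document.domain)>' is displayed rather than executed."""
    return html.escape(raw_name, quote=True)


def scanner_argv(path: str) -> list:
    """Build argv as a list for subprocess.run(..., shell=False): the name is one
    argument, so '; sleep 10;' inside it never reaches a shell. (clamscan assumed.)"""
    return ["clamscan", "--no-summary", "--", path]


def record_upload_roundtrip(raw_name: str) -> str:
    """Store the original name with a bound parameter in an in-memory SQLite table
    and read it back: 'sleep(10)-- -.jpg' is a string value, not SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, original_name TEXT)")
    cur = conn.execute("INSERT INTO uploads (original_name) VALUES (?)", (raw_name,))
    row = conn.execute("SELECT original_name FROM uploads WHERE id = ?", (cur.lastrowid,)).fetchone()
    conn.close()
    return row[0]


if __name__ == "__main__":
    for payload in ("../../../tmp/lol.png", "sleep(10)-- -.jpg",
                    "<svg onload=alert(document.domain)>", "; sleep 10;"):
        print(repr(payload), "->", sanitize_filename(payload), "|", render_filename(payload))
```

Each function addresses one sink: the filesystem, the HTML page, the shell and the database. Sanitising the name alone does not make the other sinks safe, which is why the escaping, argv construction and bound parameters are applied on the raw name independently.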

Interesting Test Cases

· Uploading a file when another file with the same name already exists. This may show interesting error messages that can lead to information disclosure. Logical flaws might be found in how the application renames the new file in order to keep it on the server.

· Upload a directory with the .asp extension, then name the script within the directory with a permitted file extension, for example folder.asp\file.txt.

· Uploading a file with a long name. This may show interesting error messages that can lead to information disclosure.

· Uploading a file multiple times at the same time. This may show interesting error messages that can lead to information disclosure.

· Uploading a “crossdomain.xml” or “clientaccesspolicy.xml” file can make a website vulnerable to cross-site content hijacking.

· Upload an XML file multiple times in order to identify any possible processing on the server side.

· Uploading files that may not be deleted easily, such as “…:.jpg” on NTFS, which creates the “…” file.

· Upload a .jsp file into the web tree: JSP code is executed as the web user.

· Upload a .gif file to be resized: an image library flaw is exploited.

· Upload huge files: file space denial of service.

· Upload a file using a malicious path or name: a critical file is overwritten.

· Upload a file containing personal data: other users can access it.

· Upload a file containing “tags”: the tags get executed as part of being “included” in a web page.

· Upload a .rar file to be scanned by antivirus: a command is executed on a server running the vulnerable antivirus software.

· Use different file names such as .php3, .phtml, shell.p.phpp, shell.txt.jpg.png.asp.

· Try long file names such as supermassivelongfileeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeename.php.

· Try to upload huge file sizes.

Feedback is most welcome at Akash.venky091@gmail.com, and I am also reachable on https://www.linkedin.com/in/akash-h-c-4a4090a7/
