Differences

This shows you the differences between two versions of the page.

--- tbhm:07_file_upload [2026/05/14 09:18] – TBHM import drew
+++ tbhm:07_file_upload [2026/05/14 09:28] (current) – converted from markdown to dokuwiki syntax drew
@@ Line 1: / Line 1: @@
-# Tactical Fuzzing - FI & Uploads
+====== Tactical Fuzzing - FI & Uploads ======
-## Local file inclusion
+===== Local file inclusion =====
 Core Idea: Does it (or can it) interact with the server file system?
@@ Line 7: / Line 7: @@
 [[https://github.com/rotlogix/liffy|Liffy]] is new and cool here but you can also use [[https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt|Seclists]].
-## Malicious File Upload
+===== Malicious File Upload =====
 This is an important and common attack vector in this type of testing.
-A file upload function needs a lot of protections to be adequately secure.
+A file upload functions need a lot of protections to be adequately secure.
 Attacks:
-- Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
+  * Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
-- Execute XSS via same types of files. Images as well!
+  * Execute XSS via same types of files. Images as well!
-- Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
+  * Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
-- Bypass security zones and store malware on target site via file polyglots
+  * Bypass security zones and store malware on target site via file polyglots
 File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
-- content type spoofing
+  * content type spoofing
-- extension trickery
+  * extension trickery
-- [[https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf|File in the hole! presentation]]
+  * [[https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf|File in the hole! presentation]]
-As referenced, file polyglots can be used to store malware on servers!
+As referenced file polyglots can be used to store malware on servers!
-[[http://goo.gl/pquXC2|See @dan_crowley's talk]] and [[http://corkami.com|@angealbertini research]]
+[[http://goo.gl/pquXC2|See @dan_crowley 's talk]]
+[[http://corkami.com|and @angealbertini research:]]
-## Remote file includes and redirects
+===== Remote file includes and redirects =====
 Look for any param with another web address in it. Same params from LFI can present here too.
 Common blacklist bypasses:
-- escape "/" with "\/" or "//" with "\/\/"
+  * escape "/" with "\/" or "//" with "\/\/"
-- try single "/" instead of "//"
+  * try single "/" instead of "//"
-- remove http i.e. "continue=//google.com"
+  * remove http i.e. "continue=//google.com"
-- "/\/\" , "|/" , "/%09/"
+  * "/\/\" , "|/" , "/%09/"
-- encode, slashes
+  * encode, slashes
-- "./" CHANGE TO "..//"
+  * "./" CHANGE TO "..//"
-- "../" CHANGE TO "....//"
+  * "../" CHANGE TO "....//"
-- "/" CHANGE TO "//"
+  * "/" CHANGE TO "//"
 Redirections Common Parameters or Injection points:
-- dest=
+  * dest=
-- continue=
+  * continue=
-- redirect=
+  * redirect=
-- url= (or anything with "url" in it)
+  * url= (or anything with "url" in it)
-- uri= (same as above)
+  * uri= (same as above)
-- window=
+  * window=
-- next=
+  * next=
 RFI Common Parameters or Injection points:
-- File=
+  * File=
-- document=
+  * document=
-- Folder=
+  * Folder=
-- root=
+  * root=
-- Path=
+  * Path=
-- pg=
+  * pg=
-- style=
+  * style=
-- pdf=
+  * pdf=
-- template=
+  * template=
-- php_path=
+  * php_path=
-- doc=
+  * doc=