====== Tactical Fuzzing - FI & Uploads ======

===== Local file inclusion =====

Core Idea: Does it (or can it) interact with the server file system?

[[https://github.com/rotlogix/liffy|Liffy]] is new and cool here but you can also use [[https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt|Seclists]].

===== Malicious File Upload =====

This is an important and common attack vector in this type of testing.
A file upload functions need a lot of protections to be adequately secure.

Attacks:
  * Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or...
  * Execute XSS via same types of files. Images as well!
  * Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
  * Bypass security zones and store malware on target site via file polyglots

File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:
  * content type spoofing
  * extension trickery
  * [[https://www.nds.rub.de/media/attachments/files/2012/11/File-in-the-hole.pdf|File in the hole! presentation]]

As referenced file polyglots can be used to store malware on servers!
[[http://goo.gl/pquXC2|See @dan_crowley 's talk]]
[[http://corkami.com|and @angealbertini research:]]

===== Remote file includes and redirects =====

Look for any param with another web address in it. Same params from LFI can present here too.

Common blacklist bypasses:
  * escape "/" with "\/" or "//" with "\/\/"
  * try single "/" instead of "//"
  * remove http i.e. "continue=//google.com"
  * "/\/\" , "|/" , "/%09/"
  * encode, slashes
  * "./" CHANGE TO "..//"
  * "../" CHANGE TO "....//"
  * "/" CHANGE TO "//"

Redirections Common Parameters or Injection points:
  * dest=
  * continue=
  * redirect=
  * url= (or anything with "url" in it)
  * uri= (same as above)
  * window=
  * next=

RFI Common Parameters or Injection points:
  * File=
  * document=
  * Folder=
  * root=
  * Path=
  * pg=
  * style=
  * pdf=
  * template=
  * php_path=
  * doc=