Tactical Fuzzing - FI & Uploads

Core Idea: Does it (or can it) interact with the server file system?

Liffy is new and cool here but you can also use Seclists.

This is an important and common attack vector in this type of testing. A file upload functions need a lot of protections to be adequately secure.

Attacks:

• Upload unexpected file format to achieve code exec (swf, html, php, php3, aspx, ++) Web shells or…
• Execute XSS via same types of files. Images as well!
• Attack the parser to DoS the site or XSS via storing payloads in metadata or file header
• Bypass security zones and store malware on target site via file polyglots

File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

• content type spoofing
• extension trickery
• File in the hole! presentation

As referenced file polyglots can be used to store malware on servers! See @dan_crowley 's talk and @angealbertini research:

Look for any param with another web address in it. Same params from LFI can present here too.

Common blacklist bypasses:

• escape “/” with “\/” or “” with “\/\/” * try single “/” instead of “”
• remove http i.e. “continue=google.com” * “/\/\” , “|/” , “/%09/” * encode, slashes * “./” CHANGE TO “..”
• “../” CHANGE TO “….” * “/” CHANGE TO “”

Redirections Common Parameters or Injection points:

• dest=
• continue=
• redirect=
• url= (or anything with “url” in it)
• uri= (same as above)
• window=
• next=

RFI Common Parameters or Injection points:

• File=
• document=
• Folder=
• root=
• Path=
• pg=
• style=
• pdf=
• template=
• php_path=
• doc=