# Tactical Fuzzing - FI & Uploads
## Local file inclusion
Core idea: does the application (or can it be made to) interact with the server file system?
Liffy is the new and cool tool here, but you can also use SecLists.
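The defensive counterpart to the fuzzing above, as an added example that is not part of the original notes or of Liffy/SecLists: resolve the include parameter against a fixed document root and canonicalise before checking containment, instead of blacklisting `../`. The `DOC_ROOT` path and the `SAMPLE_REQUESTS` values are constructed for this example; the root does not need to exist on disk.

```python
import os

# Constructed document root for this example; realpath() resolves what exists
# and normalises the rest lexically, so it need not be present on disk.
DOC_ROOT = "/srv/app/templates"


def resolve_include(base_dir: str, requested: str):
    """Map a user-supplied file name onto base_dir.

    Returns the canonical absolute path when it stays inside base_dir, or None
    when the request would escape it. `requested` is the value as the web
    framework already URL-decoded it: decoding again here would open a
    double-decoding bypass, so an encoded "%2e%2e%2f" is treated as a literal name.
    """
    if "\x00" in requested:
        return None                        # null-byte truncation trick
    if os.path.isabs(requested) or requested.startswith("\\"):
        return None                        # an absolute path is never a legitimate include
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    # realpath() collapses "..", duplicate slashes and symlinks before the containment
    # check, so a symlink inside base_dir that points outside it is caught as well.
    if os.path.commonpath([base, full]) != base:
        return None
    return full


# Constructed sample parameter values of the kind an include-parameter fuzz run sends.
SAMPLE_REQUESTS = [
    "page.html",                 # ordinary include
    "../../etc/passwd",          # plain traversal
    "....//....//etc/passwd",    # survives naive "../" stripping; here it is just a
                                 # literal directory named "...." inside the root
    "/etc/passwd",               # absolute path
    "page.html\x00.png",         # null-byte truncation against an extension check
    "%2e%2e%2fetc%2fpasswd",     # already-decoded input, so a harmless literal name
]


def classify(base_dir: str = DOC_ROOT):
    """Return {requested: resolved_path_or_None} for the sample values."""
    return {req: resolve_include(base_dir, req) for req in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for req, result in classify().items():
        print(f"{req!r:30} -> {'ALLOW ' + result if result else 'REJECT'}")
```

Note that the `....//` variant is accepted: after canonicalisation it points at a directory literally named `....` under the root, so nothing escapes. That is the point of canonicalising first, the filter never has to enumerate encodings.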
## Malicious File Upload
This is an important and common attack vector in this type of testing. A file upload function needs a lot of protections to be adequately secure.
Attacks:
- Upload an unexpected file format to achieve code execution (swf, html, php, php3, aspx, ++): web shells or…
- Execute XSS via the same types of files. Images as well!
- Attack the parser to DoS the site, or get XSS by storing payloads in metadata or the file header
- Bypass security zones and store malware on the target site via file polyglots
File upload attacks are a whole presentation in themselves. Try this one to get a feel for bypass techniques:
- content type spoofing
- extension trickery
- the "File in the hole!" presentation
As referenced, file polyglots can be used to store malware on servers! See @dan_crowley's talk and @angealbertini's research.
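What "a lot of protections" looks like in code, as an added example that is not from the notes or the presentations linked above: the validator below checks the extension against an allowlist, requires the declared Content-Type and the file's magic bytes to agree with that extension, scans the body for active-content markers (the polyglot case), and never reuses the client's file name. The allowlist, the marker list and the sample uploads are constructed for this example.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 5 * 1024 * 1024
PNG_HEADER = b"\x89PNG\r\n\x1a\n"

# Constructed allowlist: the magic bytes each type must start with and the
# Content-Type the client is expected to declare for it.
ALLOWED_TYPES = {
    ".png":  {"magic": [PNG_HEADER],           "content_type": "image/png"},
    ".jpg":  {"magic": [b"\xff\xd8\xff"],      "content_type": "image/jpeg"},
    ".jpeg": {"magic": [b"\xff\xd8\xff"],      "content_type": "image/jpeg"},
    ".gif":  {"magic": [b"GIF87a", b"GIF89a"], "content_type": "image/gif"},
    ".pdf":  {"magic": [b"%PDF-"],             "content_type": "application/pdf"},
}

# Byte sequences with no business inside an image or document body. A valid
# header followed by one of these is the signature of a polyglot. This is a
# heuristic; re-encoding images server-side is the robust version of the check.
ACTIVE_CONTENT_MARKERS = (b"<?php", b"<script", b"<html", b"<svg")


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (stored_name, None) if the upload is acceptable, else (None, reason)."""
    if len(data) > MAX_UPLOAD_BYTES:
        return None, "too large"
    # Only the basename counts, so "../../x.png" cannot steer the write location,
    # and only the final extension, so "shell.php.png" is judged as .png content.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    rule = ALLOWED_TYPES.get(ext)
    if rule is None:
        return None, f"extension {ext!r} not allowed"
    if declared_type.split(";")[0].strip().lower() != rule["content_type"]:
        return None, "declared Content-Type does not match extension"
    if not any(data.startswith(magic) for magic in rule["magic"]):
        return None, "file header does not match extension"
    lowered = data.lower()
    for marker in ACTIVE_CONTENT_MARKERS:
        if marker in lowered:
            return None, f"active content marker {marker!r} found in body"
    # A random server-side name defeats double-extension, null-byte and
    # overwrite tricks at once; only the allowlisted extension is kept.
    return secrets.token_hex(16) + ext, None


# Constructed sample uploads: (client file name, declared Content-Type, body).
SAMPLE_UPLOADS = [
    ("avatar.png", "image/png", PNG_HEADER + b"\x00" * 64),        # legitimate
    ("shell.php", "image/png", b"<?php echo 'x'; ?>"),              # blocked extension
    ("shell.png", "image/png", b"<?php echo 'x'; ?>"),              # extension trickery
    ("avatar.png", "text/html", PNG_HEADER + b"\x00" * 64),         # content-type spoofing
    ("poly.gif", "image/gif", b"GIF89a<?php echo 'polyglot'; ?>"),  # polyglot
    ("../../shell.php.png", "image/png", PNG_HEADER + b"\x00" * 64),  # traversal + double ext
]


def sample_results():
    """Return [(client name, reason_or_None)] for the sample uploads."""
    return [(name, validate_upload(name, ctype, body)[1])
            for name, ctype, body in SAMPLE_UPLOADS]


if __name__ == "__main__":
    for name, reason in sample_results():
        print(f"{name:22} -> {reason or 'accepted'}")
```

Two caveats a reviewer would raise: the marker scan catches the obvious `GIF89a<?php` style polyglot but not one hidden in EXIF or in a compressed chunk, so store uploads where the web server will not execute them and serve them from a separate origin; and the Content-Type check is a consistency signal only, since the client controls it.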
## Remote file includes and redirects
Look for any param with another web address in it. The same params seen in LFI can turn up here too.
Common blacklist bypasses:
- escape `/` with `\/`, or `//` with `\/\/`
- try a single `/` instead of `//`
- remove http, i.e. `continue=google.com`
- `/\/\`, `|/`, `/%09/`
- encode the slashes
- `./` change to `..`
- `../` change to `....//`
- `/` change to `//`
Redirection common parameters or injection points:
- dest=
- continue=
- redirect=
- url= (or anything with "url" in it)
- uri= (same as above)
- window=
- next=
RFI common parameters or injection points:
- File=
- document=
- Folder=
- root=
- Path=
- pg=
- style=
- pdf=
- template=
- php_path=
- doc=
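A redirect-target check that survives the blacklist bypasses listed above, as an added example that is not part of the original notes: normalise the way a browser does (drop tab/CR/LF, treat `\` as `/`), accept only a single-leading-slash same-origin path, and otherwise require an http(s) URL whose hostname is on an allowlist. `ALLOWED_HOSTS` and `SAMPLE_TARGETS` are constructed for this example; the input is the parameter value as the framework already URL-decoded it, which is why `/%09/` appears below as `/\t/`.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts this application may redirect to.
ALLOWED_HOSTS = {"app.example", "accounts.example"}


def normalize_target(value: str) -> str:
    """Apply the same forgiveness a browser does before judging a URL.

    Browsers drop tab, CR and LF anywhere in a URL and treat a backslash as a
    forward slash; the "/%09/", "/\\/\\" and "\\/" bypasses rely on exactly that.
    """
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n")
    return cleaned.strip().replace("\\", "/")


def is_safe_redirect(value: str, allowed_hosts=None) -> bool:
    """True only for a same-origin path or an absolute URL to an allowlisted host."""
    hosts = ALLOWED_HOSTS if allowed_hosts is None else allowed_hosts
    target = normalize_target(value)
    if not target:
        return False
    if target.startswith("/"):
        # One leading slash is a same-origin path; a second one ("//host")
        # makes it protocol-relative and lands on whatever host follows.
        return len(target) == 1 or target[1] != "/"
    parts = urlsplit(target)
    if parts.scheme.lower() not in ("http", "https"):
        return False                       # rejects javascript:, data: and scheme-less "google.com"
    # .hostname strips userinfo and port, so "https://app.example@evil.example"
    # is judged by the host the browser will actually connect to.
    return (parts.hostname or "").lower() in hosts


# Constructed sample values, covering the bypass list from the notes.
SAMPLE_TARGETS = [
    "/account",                           # same-origin path
    "https://app.example/login",          # allowlisted host
    "//evil.example",                     # protocol-relative
    "/\\/\\evil.example",                 # backslash variant
    "/\t/evil.example",                   # what "/%09/evil.example" decodes to
    "\\/evil.example",                    # escaped-slash variant
    "|/evil.example",                     # not a leading-slash path, rejected outright
    "evil.example",                       # "remove http"
    "https://app.example@evil.example/",  # userinfo trick
    "https://app.example.evil.example/",  # suffix trick
    "javascript:alert(1)",                # non-http scheme
]


def classify_targets():
    """Return {target: allowed?} for the sample values."""
    return {t: is_safe_redirect(t) for t in SAMPLE_TARGETS}


if __name__ == "__main__":
    for target, ok in classify_targets().items():
        print(f"{target!r:40} -> {'ALLOW' if ok else 'REJECT'}")
```

The design choice worth noting: the check never tries to enumerate bad prefixes. It normalises, then asks a positive question (is this a plain same-origin path, or an allowlisted host?), so a new encoding trick has to defeat the normalisation rather than slip past a pattern. The same positive check applies to the RFI parameters listed above: a value that parses to a URL with a scheme and host is not a local file reference and should be rejected before it ever reaches an include.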
