File Uploads


Uploading user files has become a key feature for most modern web applications. File upload vulnerabilities are amongst the most common vulnerabilities found in web and mobile applications. If users' data is not correctly filtered and validated, attackers may store malicious data on the back-end server and exploit the file upload feature to execute arbitrary files on that server

Web and Reverse Shells Payloads to Inject

Blacklist filter Bypasses

External Resources:

Content/Type and Mime/Type Bypass

File Uploads to XSS Attack

There are different cases in which you can gain XSS from file uploads:

  1. Uploading a HTML file containing a script in javascript

  2. Uploading a HTML file containing a link to our server to steal the document cookie

Other cases:

  1. Whenever an application shows an image's metadata after its upload, it is possible to inject a payload inside metadata parameters such as comment or artist by using exiftool:

    • exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg

  2. By using SVG images, it's possible to inject a payload with something like:

    • <script type="text/javascript"> alert("window.origin");</script>

File Uploads to XXE Attack

  1. [Read /etc/passwd] XXE from SVG images upload by using the following payload:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
  2. [Exfiltrate PHP Code] XXE from SVG to read source code:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]> 

Injections in File Names

  • A common file upload attack uses a malicious string for the uploaded file name

  • The filename may get executed or processed if the uploaded file name is reflected on the page.

  • We can try injecting a command in the file name, and if the web application uses the file name within an OS command, it may lead to a command injection attack.

  • Some examples of filenames for this attack:

  1. System Command Execution

    • file$(whoami).jpg

    • filewhoami.jpg

    • file.jpg||whoami

  2. XSS from filename:

    • <script>alert(window.origin);</script>

  3. SQLi from filename:

    • file';select+sleep(5);--.jpg

Windows Specific Attacks

  1. Reserved Characters: such as (|, <, >, *, or ?) are characters for special uses (such as wildcards).

    • If the web application doesn't apply any form of input sanification, it's possible to refer to a file different from the specified one (which does not exist)

    • This behaviour causes an error which may be shown on the web application, potentially showing the upload directory

  2. Windows Reserved Names: can be used to replicate the same behaviour as the reserved characters previously shown. (CON, COM1, LPT1, or NUL)

  3. Windows Filename Convention: it's possible to overwrite a file (or refer to a non-existant file) by using the ~ character to complete the filename

Last updated