Bypassing File Upload Filters P5 | Uplo ...

Bypassing File Upload Filters P5 | Upload Vulnerabilities TryHackMe

Feb 25, 2024

We covered  TryHackMe Upload Vulnerabilities room where we demonstrated methods and techniques to exploit file upload vulnerabilities in addition to bypassing upload filters such as using magic numbers, changing file extension and more.

Full Writeup is here.

The ability to upload files to a server has become an integral part of how we interact with web applications. Be it a profile picture for a social media website, a report being uploaded to cloud storage, or saving a project on Github; the applications for file upload features are limitless.

Unfortunately, when handled badly, file uploads can also open up severe vulnerabilities in the server. This can lead to anything from relatively minor, nuisance problems; all the way up to full Remote Code Execution (RCE) if an attacker manages to upload and execute a shell. With unrestricted upload access to a server (and the ability to retrieve data at will), an attacker could deface or otherwise alter existing content -- up to and including injecting malicious webpages, which lead to further vulnerabilities such as XSS or CSRF. By uploading arbitrary files, an attacker could potentially also use the server to host and/or serve illegal content, or to leak sensitive information. Realistically speaking, an attacker with the ability to upload a file of their choice to your server -- with no restrictions -- is very dangerous indeed.

Video Walkthrough

Enjoy this post?

Buy Motasem Hamdan / HackNotes a pizza

More from Motasem Hamdan / HackNotes