Unrestricted File Upload
I was testing a website; let’s call it “buggyweb.xyz”. After some time I found a discussion forum whose URL was something like “discussion.buggyweb.xyz”. I started to explore it, and after some time I found a file upload feature for uploading images.
I started testing that file upload feature, so I tried to upload a file with a .php extension, but it was rejected. After digging a little, I found out that the files were whitelisted, so only files with an allowed extension were uploaded. Basically, it was only verifying the last extension of the file. So I opened Burp Suite, captured the request and changed the file extension, but I failed. After some time, I found out that it was checking the file extension twice (client side and server side).
After I found that out, I first uploaded an image file, captured the request with Burp Suite, changed its content to PHP code, and forwarded the request while uploading it. Now here comes the main part: even though I had uploaded the file, I hadn’t published it yet, so before clicking the publish button I turned on Burp Suite again and changed the extension of that file to .PHP, and BOOM! It got uploaded.
And then I reported it to that company.
Thank you for reading this post.
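An added example, not part of the original post and not the tested site's code: a Python sketch of a two-step upload/publish flow hardened against the behaviour described above, where the content was not checked at upload and the file name sent with the publish request was trusted. `UploadStore`, `sniff_extension`, `UploadRejected` and the in-memory storage are hypothetical names assumed for illustration.

```python
import os
import secrets

# Magic bytes of the allowed image types; the stored extension comes from
# these, never from the client-supplied file name.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


class UploadRejected(Exception):
    pass


def sniff_extension(data: bytes) -> str:
    """Return the extension implied by the content, or reject the upload."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    raise UploadRejected("content is not an allowed image type")


class UploadStore:
    """Hypothetical in-memory stand-in for staging and published storage."""

    def __init__(self):
        self.staged = {}     # token -> (server-chosen name, bytes)
        self.published = {}  # server-chosen name -> bytes

    def stage(self, client_name: str, data: bytes) -> str:
        # client_name is only a display label; it never becomes a path.
        ext = sniff_extension(data)
        token = secrets.token_urlsafe(16)
        self.staged[token] = (secrets.token_hex(16) + ext, data)
        return token

    def publish(self, token: str, client_name: str) -> str:
        # The name sent with the publish request is ignored, and the staged
        # bytes are re-checked so both steps enforce the same rule.
        if token not in self.staged:
            raise UploadRejected("unknown upload token")
        stored_name, data = self.staged.pop(token)
        if sniff_extension(data) != os.path.splitext(stored_name)[1]:
            raise UploadRejected("staged content does not match its type")
        self.published[stored_name] = data
        return stored_name
```

The signature check alone does not stop a file that starts with valid image bytes and carries script code afterwards; the server-chosen name and extension are what keep a request-supplied `.PHP` from ever reaching storage.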