Academy - Whitelist Filters

I got some problems with the Whitelist Filters module question. I tried to use different techniques and got many alternative solutions to bypass the filters getting the “successful upload” message. The problem seems that the “successful upload” doesn’t correspond to an effective upload of the file into the profile_images folder.

Need some hint…

Never mind. Solved rewriting the wordlists.
Sometimes we need to go back to the beginning of the journey to find the right track…


Hello, my congrats :slight_smile:
Can you please help with this?
I get OK result on upload files with those symbols, but don’t know how to send request with some already URL encoded chars, as %0a, etc…

You’ve used browser and URL encoded all the string to make request? curl only downloads php page :frowning:

The same, my problems were in unticking checkbox with URL encoding in Burp and I haven’t knew not blacklisted extention
Use only this one from previous exercise and be happy :slight_smile:

1 Like

Replying to this because it’s the first thread on this part of the module I found. Just wanted to give my advice to anyone who is doing this one. Use the ZAP Fuzzer, not Burp Intruder. There will be about 500 requests you have to send and Burp will take its sweet time. ZAP can go through all of them in just a second or two.

Can I get a hint in this, I have FUZZED the extension with all word list, I have found a few paths that allow me to upload to however my .php is not rendering on any of the pages. In addition the file location being uploaded to is .jpg I can not seem to get an upload to the .php path.

not sure if you’re still around. Mind if I get a hint on this? Been trying different extensions layouts and its saying that the file is uploaded, but didn’t see it actually upload what I typed. Thanks,

You able to get it working?? Still stuck lol

Think about shared bypass techniques in the module