FILE UPLOAD ATTACKS: Blacklist Filters

SR_Shiravanthan · May 12, 2024, 2:37pm

I hope you have completed this task. Anyway, I will give you some tips to complete this task.

Steps:

Identify the blacklisted extension; the section itself provides a wordlist; feel free to use any of them.
Identify the allowed extension and save the result for your location.
Upload the script to any one of the allowed extensions, visit that location, and execute it. Since it does not display anything, we have to find which one executes on the server.
Capture the request and send it to the intruder; choose the allowed extension wordlist that you have saved.
cmd=id: check which extension has executed on the response.

greentofu · June 30, 2024, 10:32am

This is the best advice to get you through

Singleday · December 17, 2024, 4:28pm

Very useful! thank you.

jaywandery · January 1, 2025, 3:30pm

You don’t have to use the the GET request. Using the Post request would work just fine

jaywandery · January 1, 2025, 3:33pm

This would work perfect. As for those that are yet to solve this. Do more research on what file extension would execute a php code. ChatGPT would help.

Topic		Replies	Views
File Upload Attacks - Whitelist Filters Academy	31	5118	November 27, 2024
PHP upload extension bypass strange behavior Off-topic	3	1054	September 24, 2019
FILE UPLOAD ATTACKS - Whitelist Filters Academy	4	1548	March 2, 2024
File Upload Attacks - Skills Assessment Academy	80	10940	February 15, 2025
Academy - Whitelist Filters Academy	8	1415	June 20, 2023

FILE UPLOAD ATTACKS: Blacklist Filters

Related topics