File Upload Attacks - Skills Assessment

akiraowen · November 10, 2021, 12:39pm

Hi everyone,
Having trouble getting the upload to work for the happy case. If I browse and select a png file the name appears and when I click submit it sends a GET request with the message details and only the filename. I cannot detect the image data being sent at all. Is this by design? Also there is this green square that submits as well, but no image data upload.

Cr0nuS · November 10, 2021, 1:14pm

Try to intercept with burp when you upload and click on the green square. And you will see the request

akiraowen · November 10, 2021, 9:16pm

I’ve done this with a clean pwnbox & target, there is no request that includes image data, only the GET with 4 parameters including the image file name gets sent.
Clicking browse, selecting image and then clicking the green square just gives the reponse “Thank you for submitting your feedback”, repeating with Submit button give the same results. (also nothing in inspector network).

I tried changing the filename to something obviously invalid (php) and it still accepts?

akiraowen · November 10, 2021, 9:34pm

Ok I got it, I could see the js code for the POST and was wondering why it wasn’t triggering. ParrotOS stock firefox plugins were blocking.
Thanks!

terulei · November 16, 2021, 6:10am

Anyone get to find the upload path? Tried may ways but no luck…

terulei · November 16, 2021, 9:12am

Just got the flag. Careless and rush are always the key enemy.

gushinan · December 7, 2021, 9:32am

i need help,how can i find the path of the file i upload

cherryeater · December 7, 2021, 10:11am

Hi! Do you mean the upload directory or the uploaded payload itself?

gushinan · December 7, 2021, 10:13am

payload

cherryeater · December 7, 2021, 10:16am

hah pal, I have the same issue.)

gushinan · December 7, 2021, 10:24am

Satellite · December 8, 2021, 8:20am

Text me, I will support you!

cherryeater · December 8, 2021, 9:04am

Thanks Satellite!
I just succeeded.
I would recommend try to understand the appropriate sample of the found code.

icu81mi · December 16, 2021, 6:55pm

I feel like I’ve read every line of source start to finish and I still can’t seem to figure out where the file is going. Can you give me a nudge on what bit of source code I should be examining?

cherryeater · December 17, 2021, 8:09am

After the upload directory is found you should find out your payload filename. To do this you should understand payload naming algorithm that is its appropriate code.

0xh4rtz · January 29, 2022, 1:31am

Oh my gooosh hahaha. I didn’t know that was are a botton, I thought that are a only label for the file upload LOL. TY so much bro.

Darcia · March 21, 2022, 2:21pm

I’m kind of hung up too.
I deciphered the code. But in the end, I did not understand the way)

onthesauce · March 21, 2022, 2:45pm

Did you gain access to the right .php file?

Darcia · March 21, 2022, 3:07pm

I have calculated the extension of the non-blacklisted and the allowed content type header.
I add at the end (.jpg) it loads.
But I’m not quite sure if I’m doing the right thing.
(if you do not add this extension at the end and do not correct the MIME-Type, then the file simply will not load.)

CrazyHorse302 · April 7, 2022, 6:18am

So I got as far as getting the /etc/passwd to display. I am struggling to find the upload directory. I did get the source code for index.php but I don’t feel like its the right file to indicate where the upload path is. Can someone point me in the right direction? Thank you.