HTB Academy - File Upload attacks(Whitelist Filters)

Surajuzumaki · June 7, 2024, 5:50am

Im Stuck on this exercise -

The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read “/flag.txt”

I was able to bypass and upload file

test.php..jpeg , test.php/.jpeg

to /uploads but when accessing it via profile-images/test.jpeg its throwing 404 error , but im able to access this with below URL profile-images/.jpeg not sure why and im not able to execute it

Any help will be appreciated

IIIHYPERIONIII · January 17, 2025, 8:01am

try running the script that was shown at the end of the section and add more php formats like ‘.phpt’ ‘.pgif’ ‘.phtml’ ‘.phtm’ from the given resources. Use the generated wordlist in burp … and that should give you everything you’d need.

hope it helps!

NegativeOne · January 19, 2025, 5:11am

When using Seclist to brute force extensions it is important to test multiple extensions with the php script
Most of them don’t work but .phar could work with specific scripts

Topic		Replies	Views
FILE UPLOAD ATTACKS - Whitelist Filters Academy	4	1485	March 2, 2024
File Upload Attacks - Whitelist Filters Academy	31	4962	November 27, 2024
FILE UPLOAD ATTACKS - Type Filters Academy	49	8422	February 15, 2025
Academy - Whitelist Filters Academy	8	1399	June 20, 2023
HTB Academy: FILE UPLOAD ATTACKS - Skills Assessments Academy htb-academy	50	11088	July 31, 2024

HTB Academy - File Upload attacks(Whitelist Filters)

Related topics