From 71daed71859fab3bedf34912defa5cdb19040064 Mon Sep 17 00:00:00 2001 From: carlospolop Date: Thu, 28 Aug 2025 11:44:38 +0200 Subject: [PATCH] f --- src/pentesting-web/file-upload/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md index b0e8b39ac..8aad67ab6 100644 --- a/src/pentesting-web/file-upload/README.md +++ b/src/pentesting-web/file-upload/README.md @@ -45,7 +45,7 @@ Other useful extensions: - _file.php%00.png%00.jpg_ 6. Try to put the **exec extension before the valid extension** and pray so the server is misconfigured. (useful to exploit Apache misconfigurations where anything with extension** _**.php**_**, but** not necessarily ending in .php** will execute code): - _ex: file.php.png_ -7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character “:” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. “file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The “**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. “file.asp::$data.”) +7. Using **NTFS alternate data stream (ADS)** in **Windows**. In this case, a colon character ":” will be inserted after a forbidden extension and before a permitted one. As a result, an **empty file with the forbidden extension** will be created on the server (e.g. "file.asax:.jpg”). This file might be edited later using other techniques such as using its short filename. The "**::$data**” pattern can also be used to create non-empty files. Therefore, adding a dot character after this pattern might also be useful to bypass further restrictions (.e.g. "file.asp::$data.”) 8. Try to break the filename limits. The valid extension gets cut off. And the malicious PHP gets left. AAA<--SNIP-->AAA.php ``` @@ -81,8 +81,8 @@ Other useful extensions: - **Possible Information disclosure**: 1. Upload **several times** (and at the **same time**) the **same file** with the **same name** 2. Upload a file with the **name** of a **file** or **folder** that **already exists** - 3. Uploading a file with **“.”, “..”, or “…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in “/www/uploads/” directory, the “.” filename will create a file called “uploads” in the “/www/” directory. - 4. Upload a file that may not be deleted easily such as **“…:.jpg”** in **NTFS**. (Windows) + 3. Uploading a file with **".”, "..”, or "…” as its name**. For instance, in Apache in **Windows**, if the application saves the uploaded files in "/www/uploads/” directory, the ".” filename will create a file called "uploads” in the "/www/” directory. + 4. Upload a file that may not be deleted easily such as **"…:.jpg”** in **NTFS**. (Windows) 5. Upload a file in **Windows** with **invalid characters** such as `|<>*?”` in its name. (Windows) 6. Upload a file in **Windows** using **reserved** (**forbidden**) **names** such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9. - Try also to **upload an executable** (.exe) or an **.html** (less suspicious) that **will execute code** when accidentally opened by victim.