
A web server running IIS 10 with PHP (Windows) allows users to upload any type of PDF (the location and filename do not change on the server). The uploaded files go through some file extension check which I was unable to bypass (I tried adding a null byte before the extension, special characters, double periods). I am wondering if there is some code execution I could do.


1 Answer


Just in case, and if you haven't already, spoof the MIME type: some poorly coded scripts may rely on the MIME type. What you describe doesn't seem to qualify as a vulnerability, though (unless you manage to get around the extension check).

For reference, here is some information on the data available server-side from a file upload: POST method uploads

Play with the file name too: add some single quotes in case there is an exploitable SQL injection vulnerability. I would also try weird characters in the file name, Unicode or emojis, and see how the server reacts. Extremely long file names too. Multi-line input too. Play with the HTTP headers: examine them, then tamper with them.

Maybe the function parsing the file name to derive the extension will break with the proper stimuli? A tool like Burp could help automate and replay the attacks.

Kate
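The stimuli listed in the answer (MIME spoofing, quotes, Unicode and emoji, very long and multi-line names, tampered headers) can be generated and replayed from a short script rather than by hand in Burp. The following is an added example and not code from the original post or from the answerer: it builds raw multipart/form-data bodies with the standard library only and, when given a URL on the command line, POSTs each one and records the status and the start of the response so the server's reactions can be compared side by side. The endpoint URL, the form field name `upload`, and the stub PDF bytes are assumptions; none of the file names is known to bypass any particular check. One fact it relies on is that PHP copies the client-sent part Content-Type into `$_FILES[...]['type']` without verifying it (see the POST method uploads manual page linked above), which is why the MIME-spoofing case pairs a `.php` name with a PDF MIME type.

```python
"""Upload fuzzing cases for a file-upload endpoint (added example, not from the
original post). Builds raw multipart/form-data bodies with deliberately odd file
names and MIME types and, when given a URL, submits them with http.client so the
server's reaction to each stimulus can be compared. Only the standard library is
used; the endpoint URL, form field name and the baseline PDF bytes are assumptions."""
import http.client
import sys
from urllib.parse import urlsplit

# Constructed stand-in for the PDF the site accepts: only the header/EOF markers
# a naive magic-bytes check looks for, not a renderable document.
PDF_STUB = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\ntrailer\n<<>>\n%%EOF\n"

FIELD = "upload"  # assumed name of the <input type="file"> field


def build_part(field, filename, content_type, data, boundary, extra_disposition=""):
    """Return a complete multipart/form-data body containing one file part.

    The file name is written into Content-Disposition raw (UTF-8, no escaping)
    on purpose: the point is to see how the server-side parser copes with
    quotes, control characters and Unicode that a browser would percent-encode.
    A CR/LF inside the name therefore splits the part header in two, which is
    exactly the 'multi-line input' stimulus."""
    disposition = f'form-data; name="{field}"; filename="{filename}"{extra_disposition}'
    head = (
        f"--{boundary}\r\n"
        f"Content-Disposition: {disposition}\r\n"
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode("utf-8")
    return head + data + f"\r\n--{boundary}--\r\n".encode("ascii")


def fuzz_cases(base="report"):
    """The stimuli suggested in the answer, as (label, filename, content_type,
    extra_disposition) tuples. None is known to bypass any particular check."""
    return [
        # control: what a normal browser upload of a PDF looks like
        ("baseline", f"{base}.pdf", "application/pdf", ""),
        # MIME spoofing: .php name, PDF MIME type. PHP copies the client-sent
        # Content-Type into $_FILES[...]['type'] unverified, so a check that
        # trusts that field instead of the extension lets this through.
        ("mime_spoof_php_name", f"{base}.php", "application/pdf", ""),
        # the reverse: right extension, wrong MIME; shows whether MIME matters at all
        ("mime_octet_stream", f"{base}.pdf", "application/octet-stream", ""),
        # single quote in the name, in case the name reaches SQL unescaped
        ("sqli_single_quote", f"{base}'.pdf", "application/pdf", ""),
        ("unicode_name", f"{base}_\u00e9\u00f1.pdf", "application/pdf", ""),
        ("emoji_name", f"{base}_\U0001f600.pdf", "application/pdf", ""),
        ("very_long_name", "a" * 4000 + ".pdf", "application/pdf", ""),
        # CRLF inside the name breaks the Content-Disposition header in two
        ("multiline_name", f"{base}\r\n.pdf", "application/pdf", ""),
        # header tampering: an RFC 5987 filename* parameter that disagrees with
        # filename=, to see which one (if either) the parser honours
        ("filename_star_param", f"{base}.pdf", "application/pdf",
         "; filename*=UTF-8''" + base + "%27.pdf"),
    ]


def send(url, body, boundary, timeout=10):
    """POST one body; return (status, reason, first 200 bytes of the response)."""
    u = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    headers = {
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Content-Length": str(len(body)),
    }
    conn.request("POST", u.path or "/", body=body, headers=headers)
    resp = conn.getresponse()
    snippet = resp.read(200)
    conn.close()
    return resp.status, resp.reason, snippet


if __name__ == "__main__":
    boundary = "----uploadfuzz0123456789"
    target = sys.argv[1] if len(sys.argv) > 1 else None  # e.g. http://host/upload.php
    for label, name, ctype, extra in fuzz_cases():
        body = build_part(FIELD, name, ctype, PDF_STUB, boundary, extra)
        if target is None:
            print(f"[dry-run] {label:22s} {len(body):6d} bytes")
        else:
            status, reason, snippet = send(target, body, boundary)
            print(f"{label:22s} -> {status} {reason} {snippet!r}")
```

Run it without arguments to see the generated bodies' sizes, or with the upload URL to submit them; differing status codes or error text between the baseline and a fuzz case is the signal that the file-name or MIME handling diverges somewhere worth examining further in Burp.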