# Injections in File Name

- Inject a malicious string within the uploaded file's name, which may get executed or processed if the uploaded file name is displayed (i.e., reflected) on the page
- Examples:

```bash
test$(whoami).jpg
test`whoami`.jpg
file.jpg|whoami
```

- Similarly, we may use an XSS payload in the file name (e.g., `<script>alert(window.origin);</script>`), which would get executed on the target's machine if the file name is displayed to them
- We may also inject an SQL query in the file name (e.g., `file';select+sleep(5);--.jpg`), which may lead to an SQL injection if the file name is insecurely used in an SQL query

# Upload Directory Disclosure

- In some file upload forms, like a feedback form or a submission form, we may not have access to the link of our uploaded file and may not know the uploads directory
- In such cases, we may utilize fuzzing to look for the uploads directory, or even use other vulnerabilities (e.g., LFI/XXE) to find where the uploaded files are by reading the web application's source code
- Another method we can use to disclose the uploads directory is forcing error messages, as they often reveal helpful information

# Windows-specific attacks

- One such attack is using reserved characters, such as (`|`, `<`, `>`, `*`, or `?`), which are usually reserved for special uses like wildcards
- If the web app does not properly sanitize these names or wrap them within quotes, they may refer to another file (which may not exist) and cause an error that discloses the upload directory
- Similarly, we may use Windows reserved names for the uploaded file name, like (`CON`, `COM1`, `LPT1`, or `NUL`), which may also cause an error, as the web application will not be allowed to write a file with this name
- We may also utilize the Windows [8.3 Filename Convention](https://en.wikipedia.org/wiki/8.3_filename) to overwrite existing files or refer to files that do not exist
- Older versions of Windows were limited to a short length for file names, so they used a tilde character (`~`) to complete the file name
- Examples, where the digit equals the order of the matching files starting with `test`:
  - `test~1.txt`
  - `test~2.txt`
- Write a file with a short name that maps to an existing file (e.g., `WEB~1.CON`) to overwrite `web.conf`
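The three sections above describe what happens when a client-controlled file name reaches a shell, an SQL query, an HTML page or the Windows filesystem unchecked. The following is an added example, not part of the original notes, of the server-side check a defender would put in front of all of those sinks: it rejects shell and SQL metacharacters, HTML tag characters, Windows wildcards, reserved device names (whatever the extension) and the `NAME~N` 8.3 short-name pattern. The function name, the character set, the extension allow-list and the length limit are this example's own policy choices; the sample names it runs on are constructed from the payloads listed above.

```python
"""Server-side validation of a client-supplied upload file name.

Added example (not from the original notes). The policy constants below
are assumptions for this example; tighten or widen them for your stack.
"""
from __future__ import annotations

import re

# Characters with meaning to a shell ($ ` | ; &), SQL (' "), HTML (< >),
# Windows wildcards/devices (* ? : |) or path separators (/ \).
FORBIDDEN_CHARS = frozenset("$`|;&<>*?\"'\\/:")

# Windows device names. The rule applies to the stem regardless of the
# extension, because CON.jpg is still the console device.
WINDOWS_RESERVED = (
    frozenset({"CON", "PRN", "AUX", "NUL"})
    | frozenset(f"COM{i}" for i in range(1, 10))
    | frozenset(f"LPT{i}" for i in range(1, 10))
)

# Stem produced by the 8.3 short-name scheme (WEB~1, TEST~2), which can
# alias an existing long file name on the server.
SHORT_NAME_RE = re.compile(r"~\d+$")

# Example allow-list of image extensions.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif"})

MAX_LENGTH = 100


def check_filename(name: str) -> tuple[bool, str]:
    """Return (True, "ok") if the name is acceptable, else (False, reason).

    Even an accepted name should only be kept for display (HTML-escaped
    at render time); store the file itself under a server-generated name.
    """
    if not name or len(name) > MAX_LENGTH:
        return False, "empty or too long"

    # Control characters (NUL included) never belong in a file name.
    if any(ord(c) < 0x20 or c == "\x7f" for c in name):
        return False, "control character"

    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        return False, f"forbidden character(s): {''.join(bad)}"

    # Windows silently strips trailing dots and spaces, so "web.conf. "
    # would land as web.conf; refuse the ambiguity outright.
    if name != name.strip(". "):
        return False, "leading/trailing dot or space"

    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:
        return False, "missing stem or extension"

    if ext.lower() not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowed: {ext}"

    # Device names are rejected whatever the extension.
    if stem.upper() in WINDOWS_RESERVED:
        return False, f"windows reserved name: {stem.upper()}"

    if SHORT_NAME_RE.search(stem):
        return False, "8.3 short-name pattern"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, taken from the payload classes discussed above.
    samples = [
        "holiday photo.jpg",
        "test$(whoami).jpg",
        "test`whoami`.jpg",
        "file.jpg|whoami",
        "<script>alert(window.origin);</script>",
        "file';select+sleep(5);--.jpg",
        "CON.jpg",
        "WEB~1.jpg",
        "WEB~1.CON",
        "*.jpg",
    ]
    for sample in samples:
        ok, reason = check_filename(sample)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {sample!r}: {reason}")
```

The check is deliberately a deny-list of characters combined with an allow-list of extensions: the character set catches every payload class the notes list before any single sink has to deal with it, while the extension allow-list and the reserved-name and `~N` rules close the Windows-specific cases that no amount of quoting fixes. It is defence in depth, not a substitute for writing the file under a server-generated name and escaping the original name wherever it is shown.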