# cat.jpg

- The upload and submit buttons are distinct
- Try to upload `cat.jpg` by clicking the green upload button (do not click submit)
  ![[images/Pasted image 20251224194446.png]]
- Successful upload that sends a POST request to `/contact/upload.php`
  ![[images/Pasted image 20251224194523.png]]
- We really need to read `/contact/upload.php`
- Try to access the image
  - `/contact/upload?uploadfile=cat.jpg`
    ![[images/Pasted image 20251224194753.png]]
  - `/contact/upload?filename=cat.jpg` - same error
  - `/contact/upload?cat.jpg` - same error

# shell.jpg

- Try with `image/jpg` content-type header and `GIF8` magic byte - error
  ![[images/Pasted image 20251224195057.png]]
- While using `cat.jpg`, send to `intruder` and FUZZ usable extensions
  - Employ the `/usr/share/seclists/Discovery/Web-Content/web-extensions.txt` wordlist
  - None are usable
- Send to `intruder` and FUZZ usable `content-type` headers
  - Employ the `web-all-content.txt` wordlist from the cheat sheet
  - Thin out the wordlist by piping it to `grep image/`
  - This provides a more manageable wordlist with 113 entries
    ![[images/Pasted image 20251224201640.png]]
  - Run
    ![[images/Pasted image 20251224201753.png]]
  - `image/jpg`, `image/jpeg`, `image/png`, and `image/svg+xml` are allowed
    ![[images/Pasted image 20251224202126.png]]
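
The three inputs fuzzed above (extension, `content-type` header, magic bytes) are what a server-side upload filter has to cross-check. The validator below is an added example, not the contents of `/contact/upload.php`, which these notes have not read. Its allow-list, function name and sample inputs are assumptions; `image/svg+xml` is left out deliberately because SVG is XML text with no binary signature to verify.

```python
from __future__ import annotations
import os

# Hypothetical allow-list: extension -> (accepted Content-Type values, leading bytes).
ALLOWED = {
    ".jpg":  ({"image/jpeg", "image/jpg"}, b"\xff\xd8\xff"),
    ".jpeg": ({"image/jpeg", "image/jpg"}, b"\xff\xd8\xff"),
    ".png":  ({"image/png"}, b"\x89PNG\r\n\x1a\n"),
}


def validate_upload(filename: str, content_type: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); extension, header and signature must all agree."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name.startswith(".") or "\x00" in name:
        return False, "bad filename"
    # Strict policy: exactly one dot, so the final extension is the only extension.
    stem, ext = os.path.splitext(name.lower())
    if "." in stem:
        return False, "multiple extensions"
    if ext not in ALLOWED:
        return False, "extension not allowed"
    types, magic = ALLOWED[ext]
    # The header is client-controlled, so it is only a consistency check.
    if content_type.split(";")[0].strip().lower() not in types:
        return False, "content-type does not match extension"
    # The signature is compared with the type implied by the extension,
    # not with whatever type the client declared.
    if not data.startswith(magic):
        return False, "signature does not match extension"
    return True, "ok"


# Constructed sample requests mirroring the ones in the notes above.
SAMPLES = [
    ("cat.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.jpg", "image/jpg", b"GIF8" + b"\x00" * 16),
    ("cat.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
]

if __name__ == "__main__":
    for fname, ctype, body in SAMPLES:
        print(fname, ctype, validate_upload(fname, ctype, body))
```

Passing this check is not sufficient on its own: uploads should still be stored under a server-generated name in a location the web server does not execute from.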