Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bypassing File Upload Restrictions To Exploit Client-Side Path Traversal

Maxence Schmitt - Doyensec
  • In a previous blog post, Doyensec detailed how to exploit CSPT to perform CSRF by using file uploads to transfer data that the client-side code then uses for routing in a subsequent request. In that example, there were no restrictions on the file upload functionality, but this isn't always the case. So, they detail some ways to get JSON files onto the server through uploads that are only meant to accept other file types.
  • The mmmagic library in Node.js (a binding to libmagic) is used for file type detection. The PDF signature in libmagic is notoriously lax: it only searches for the %PDF magic within the first 1024 bytes of the file. By creating JSON and placing %PDF anywhere inside that window, the file is reported as a valid PDF while still parsing as valid JSON.
  • pdflib requires more than the PDF header, since it actually parses the objects. A polyglot technique handles this. The trick is to replace the %0A newlines between PDF objects with spaces, because a raw newline is not allowed inside a JSON string, and then open a double-quoted JSON string that holds the PDF header and the other valid-looking PDF data.
  • The detection library has strict limits on the input size it will inspect. By making the file too large for it to handle, the application may fall back to a default file type instead of rejecting the upload. Ideally an oversized input would trigger an error that the application treats as a rejection, but whether it does apparently differs from system to system.
  • Bypassing upload restrictions isn't a vulnerability class by itself. However, it DOES help in the exploitation of CSPT that would otherwise be unreachable. Good post on CSPT exploitation!