
Key is Enumeration

By   •  1 June 2026  •  Report  •  1,362 words (6 pages)  •  8 views



The more we understand about our environment, the more we're able to *do* with it. Viewing the page source shows whether any kind of client-side filtering is being applied. Scanning with a directory bruteforcer such as Gobuster is usually helpful in web attacks, and may reveal where files are being uploaded to; Gobuster is no longer installed by default on Kali, but can be installed with **`sudo apt install gobuster`**. Intercepting upload requests with [Burp Suite](https://tryhackme.com/room/burpsuitebasics) will also come in handy. Browser extensions such as [Wappalyzer](https://www.wappalyzer.com/download) can provide valuable information at a glance about the site you're targeting.

1. Overwriting Existing Files on a Server:

- This occurs when the upload system doesn't properly check for existing files or handle file naming

- Attackers can upload files with the same name as existing files, potentially overwriting important system files

- Can lead to denial of service or security bypass if critical files are overwritten

- Example: Overwriting configuration files or existing web pages

2. Uploading and Executing Shells on a Server:

- Involves uploading malicious scripts (web shells) that can execute commands on the server

- Allows attackers to gain remote control of the server

- Use tools like **`gobuster`** to enumerate directories using a predefined wordlist

- Common shell types include PHP, ASP, or JSP shells

- Can lead to complete server compromise

- Example: Uploading a PHP shell that allows command execution or reverse shell

- Hint: for some characters, always check the [ASCII Encoding Reference](https://www.w3schools.com/tags/ref_urlencode.ASP):

  - `#` → `%23`

  - `/` → `%2F`

3. Bypassing Client-Side Filtering:

- Client-side filters run in the user's browser and can be easily bypassed

- Methods include:

  - Disabling JavaScript

  - Modifying requests using proxy tools (like Burp Suite)

  - Direct API calls that skip client-side checks

- Example: Changing file extension after client-side validation

4. Bypassing Server-Side Filtering:

- More robust than client-side but still can have weaknesses

- Common bypass methods:

  - Using alternate file extensions

  - Manipulating MIME types

  - Using special characters in filenames

  - Case sensitivity exploitation

- Example: Uploading "shell.php.jpg" when .jpg is allowed

5. Fooling Content Type Validation:

- Involves manipulating the MIME type or content-type headers

- Can trick servers into accepting malicious files as legitimate

- Methods include:

  - Modifying Content-Type headers in requests

  - Adding fake file signatures

  - Using polyglot files

- Example: Changing content-type from "application/x-php" to "image/jpeg"
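As an added example (not part of the original notes), here is a Python upload validator that reproduces the weaknesses from sections 1, 4 and 5 (extension matched anywhere in the name, client Content-Type trusted, client-chosen file name) beside a hardened version; the accepted image types, their magic bytes and the filename rules are assumptions for the demonstration.

```python
import re
import secrets

# Constructed allowlist for an image-upload endpoint (assumption: only these
# types are wanted) and the leading bytes each one must start with.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}

def weak_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """The checks the notes describe bypassing: an allowed extension anywhere
    in the name and the client-supplied Content-Type taken at face value.
    The file body is never inspected."""
    ext_ok = any(ext in filename.lower() for ext in ALLOWED_EXT)
    return ext_ok and content_type.startswith("image/")

def hardened_accepts(filename: str, content_type: str, data: bytes) -> bool:
    """Decide on server-side facts only. Content-Type is deliberately ignored
    because the client controls it."""
    # One base name, one extension: no path separators, NUL bytes, spaces or
    # second extensions such as shell.php.jpg.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}", filename):
        return False
    ext = filename.rsplit(".", 1)[1].lower()   # case-insensitive: .PHP == .php
    if ext not in ALLOWED_EXT:
        return False
    # Signature check catches a spoofed header; a genuine polyglot still passes,
    # so the upload directory must also be served without script execution.
    return data.startswith(MAGIC[ext])

def stored_name(ext: str) -> str:
    """Server-chosen random name, so an upload can never overwrite an
    existing file whatever name the client supplied."""
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    # shell.php.jpg carrying PHP source sails through the weak filter ...
    print(weak_accepts("shell.php.jpg", "image/jpeg", b"<?php echo 'x'; ?>"))
    # ... and is rejected by the hardened one, while a real JPEG is accepted.
    print(hardened_accepts("shell.php.jpg", "image/jpeg", b"\xff\xd8\xff"))
    print(hardened_accepts("Photo.JPG", "text/plain", b"\xff\xd8\xff\xe0"))
```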

There are two main categories of filtering in file uploads: Client-Side Filtering and Server-Side Filtering. Here's a detailed breakdown:

1. Client-Side Filtering:

- Occurs in the user's browser

- Implemented using JavaScript or HTML attributes

- Types include:

  - Extension validation

  - File type checking

...
