How to Approach Web Application Vulnerability Assessment using Burp Community | Part - 3 | Audit Guidelines | High Impact Web Vulnerability | RCE
Web application file upload RCE are very common and multiple bypasses for the existing mitigations are available. In this part-3 of blog series of how to check the web application vulnerability with Burp Community Edition, I will cover one of the bypass technique. This blog will be very helpful while performing the web application security assessment( VAPT) manually. In this part of the blog, we will cover a file upload vulnerability with High impact severity. Please refer the audit guidelines below
fffffffffff......fffffffffff.php.jpeg
where the length of green highlighted part is exactly 255. Uploading this would bypass the extension restriction at the client and server end, but when storing the file at server, that .jpeg will get removed from file name, leaving behind a .php shell file uploaded successfully.
[Disclaimer - For Education Purpose - Case study, attacks' scenarios and audit guidelines on vulnerabilities]
Audit Guideline
Concept- Linux has a file name restriction of 255 characters/bytes. If you attempt to create a file that has more than 255 characters in its name, then it will truncate the characters after that 255 characters. So now we have to upload a file named like this:fffffffffff......fffffffffff.php.jpeg
where the length of green highlighted part is exactly 255. Uploading this would bypass the extension restriction at the client and server end, but when storing the file at server, that .jpeg will get removed from file name, leaving behind a .php shell file uploaded successfully.
[Disclaimer - For Education Purpose - Case study, attacks' scenarios and audit guidelines on vulnerabilities]