`zip` allow you to include symlinks in tarballs/archives they generated. If an application does not properly validate the content of the archives, it can lead to arbitrary reading/writing of files.
`tar` command to extract `.tar` files, removes symlinks and accesses a subdirectory directly, you can try to bypass the symlink-removal process with tar permissions. The Unix `tar` command preserves the Unix permissions assigned to it while creating the archive. If you create a parent directory for which no one has read permission (set chmod to `300`) while creating the subdirectory with complete permissions (set chmod to `700`), you can include symlinks inside the subdirectory that will not be found during the symlink-removal process, but will be found when the subdirectory is accessed directly, since the subdirectory has read permissions.
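
A server-side check for the case above, as an added example that is not from the original page: it reads the archive's member headers before extraction instead of walking the extracted tree, so directory permissions such as `300` cannot hide a symlink from it. The sample archive, its paths and the function names are constructed for illustration.

```python
import io
import tarfile

def build_sample_archive() -> bytes:
    """Constructed sample: unreadable parent (0o300), readable child (0o700)
    holding a symlink, mirroring the layout described above."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("parent", 0o300), ("parent/child", 0o700)):
            d = tarfile.TarInfo(name)
            d.type, d.mode = tarfile.DIRTYPE, mode
            tar.addfile(d)
        link = tarfile.TarInfo("parent/child/link")
        link.type, link.linkname = tarfile.SYMTYPE, "/etc/hostname"
        tar.addfile(link)
        data = b"hello\n"
        f = tarfile.TarInfo("parent/child/readme.txt")
        f.size = len(data)
        tar.addfile(f, io.BytesIO(data))
    return buf.getvalue()

def audit_tar(raw: bytes) -> list[str]:
    """Return a finding for every member that is not a plain file or
    directory, or whose name escapes the extraction root."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tar:
        for m in tar:
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                findings.append(f"path escape: {m.name}")
            # Header-level check: filesystem permissions play no role here.
            if m.issym() or m.islnk():
                findings.append(f"link: {m.name} -> {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"special member: {m.name}")
    return findings

if __name__ == "__main__":
    for finding in audit_tar(build_sample_archive()):
        print(finding)
```

Reject the upload when `audit_tar` returns any finding, rather than extracting first and cleaning up afterwards.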
`filename=https://172.17.0.1/internal/file`. You can also try to change `type="url"` within a request.
`GIF89a` to make the server think we are sending it a valid GIF.
`#`, etc. For example,
`.aspx`, you can upload a file called `shell.aspx.`. Now this filename will bypass the blacklist, as `.aspx != .aspx.`, but upon saving the file to the server, Windows will cut out the trailing
`calc.exe` copy, you can run the following command:
`.htaccess` and the ASP.NET/IIS `web.config` files. You can check your server/framework and try to upload a particular config to bypass some security measures or even execute code.
`xamlx` extensions to get RCE.
`dbm` extensions to get RCE.
`jspf` extensions to get RCE.
`lib` extensions to get RCE.