LaporBug.id is a Bug Bounty Platform from Indonesia; for more info about LaporBug.id you can open https://laporbug.id/.
I took a few minutes to look around LaporBug.id and check every single URL, parameter, and form.
On this page, we have a form to upload a profile image.
When I uploaded my profile image, I tried to change the extension of my image.
When I changed the extension to .html, there were no errors and my file was successfully uploaded to the server.
I also tried some sensitive extensions like .php / .php5 / .phtml / .PhP;.png / .php%00.png, but they were blocked by the server :(
Don't worry, we can still use .html to make a Stored XSS.
Next, I put an XSS payload in my image with exiftool.
Payloads: "><img src=1 onerror=confirm(document.domain)//>
**BOOM**
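The two weaknesses the write-up relies on are an extension denylist (PHP variants blocked, .html not) and a server that stores and serves whatever bytes and metadata the uploader sends. The following is an added example, not code from LaporBug.id or from the author of this write-up, showing how a profile-picture upload handler closes both gaps: an allowlist of image extensions checked against the file's magic bytes, a PNG rebuild that drops ancillary chunks (tEXt, iTXt, zTXt, eXIf) where injected metadata lives, and response headers that stop the browser rendering a stored upload as a page. The allowlist, the denylist, the header set and the sample PNG are all constructed for this example.

```python
import os
import struct
import zlib

# Constructed allowlist: the only types a profile picture needs, each with the
# magic bytes the uploaded data must start with and the MIME type to serve.
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}

# Constructed denylist in the style the write-up describes: it bans PHP
# variants but says nothing about .html, so an HTML upload passes.
DENYLIST = {".php", ".php5", ".phtml"}

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Only the chunks a decoder needs to display the image are kept on rebuild.
KEEP_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def extension_of(filename: str) -> str:
    # Keep only the last extension and lower-case it so ".PhP" and ".php"
    # compare the same way.
    return os.path.splitext(filename)[1].lower()


def denylist_accepts(filename: str) -> bool:
    """The weak check: anything not explicitly banned is accepted."""
    return extension_of(filename) not in DENYLIST


def allowlist_accepts(filename: str, data: bytes) -> bool:
    """The hardened check: the extension must be on the allowlist AND the
    data must begin with the magic bytes of that image type."""
    ext = extension_of(filename)
    if ext not in ALLOWED_TYPES:
        return False
    magic, _ = ALLOWED_TYPES[ext]
    return data.startswith(magic)


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    # PNG chunk layout: 4-byte big-endian length, 4-byte type, data, CRC32
    # over type + data.
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def png_chunk_types(data: bytes) -> list:
    """Return the chunk type names of a PNG in file order (stops at IEND)."""
    types = []
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return types


def strip_png_metadata(data: bytes) -> bytes:
    """Rebuild the PNG from its critical chunks only, recomputing each CRC
    instead of trusting the uploaded one. Text and EXIF chunks are dropped."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out = bytearray(PNG_SIG)
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype in KEEP_CHUNKS:
            out += _png_chunk(ctype, body)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return bytes(out)


def response_headers(filename: str) -> dict:
    """Headers for serving a stored upload: a fixed image MIME type, no
    content sniffing, download-on-navigation, and a sandboxed origin."""
    _, mime = ALLOWED_TYPES[extension_of(filename)]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "sandbox",
    }


def constructed_png_with_text() -> bytes:
    """Sample input built here: a 1x1 greyscale PNG carrying a tEXt chunk,
    standing in for an image whose metadata was edited before upload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    text = b"Comment\x00constructed metadata that should not survive"
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"tEXt", text)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


if __name__ == "__main__":
    sample = constructed_png_with_text()
    print("denylist accepts avatar.html:", denylist_accepts("avatar.html"))
    print("allowlist accepts avatar.html:", allowlist_accepts("avatar.html", b"<html>"))
    print("chunks before:", png_chunk_types(sample))
    print("chunks after: ", png_chunk_types(strip_png_metadata(sample)))
```

Running the block shows the denylist letting `avatar.html` through while the allowlist rejects it, and the tEXt chunk disappearing on rebuild. Re-encoding JPEG and GIF needs a real image library; the PNG rebuild is shown because the format's chunk structure makes the idea visible in a few lines. Serving uploads from a separate origin adds a further layer on top of these headers, since any script that does execute then runs without the main site's cookies.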
Thanks to:
- https://brutelogic.com.br/blog/file-upload-xss/
- https://exploit.linuxsec.org/fckeditor-bypass-shell-upload-with-burp/
#HappyHacking