Blog Title: Not Your File: How Misconfigured MIME Types Let Me Upload Evil Scripts
This post describes a case of bypassing security validation through a file-upload endpoint, showing how failing to properly validate MIME types and file content can lead to remote code execution (RCE), and stressing the importance of strict file-type validation in secure development. 2025-5-15 05:1:29 Author: infosecwriteups.com

Iski


Hey there!😁

Image by Gemini AI

Life’s Rule #1: Never trust someone who says, “Just upload your resume here.” Because I did. And ended up getting RCE.

Rule #2: If your file upload accepts .svg, it’s probably open to the gates of hell.

Rule #3: Always double-check your MIME types, unless you enjoy turning profile pictures into payloads.

While sipping chai and passively scrolling through JS files like it’s my toxic ex’s Instagram, I stumbled upon an interesting endpoint:

POST /user/upload/avatar

It looked boring. Typical profile image upload, accepting JPEGs, PNGs, blah blah. But here’s the kicker — it didn’t validate MIME types server-side. Not even a peep of sanitization.

So I thought: “Can I fake it ’til I make it?”

Answer: Yes. Yes, I can. And I did. 😈
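The server-side check that Rule #3 asks for and that this avatar endpoint was missing, written here as an added example (not code from the original post): the type is derived from the file's own magic bytes, anything that looks like markup (SVG, XML, HTML) is rejected outright, and only then are the client's Content-Type and extension cross-checked against what the bytes actually are. The function names, the allow-list and the sample bytes are assumptions.

```python
import re

# Allow-list for avatar uploads: magic-byte prefix -> (canonical MIME, permitted extensions).
# Assumed policy: only JPEG and PNG; SVG is deliberately absent because it can carry script.
SIGNATURES = {
    b"\xff\xd8\xff": ("image/jpeg", {"jpg", "jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("image/png", {"png"}),
}

# Any of these near the start of the file means markup, not an image.
MARKUP_RE = re.compile(rb"<\s*(\?xml|svg|script|html|!doctype)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def sniff_image_type(data: bytes):
    """Return (mime, allowed_extensions) implied by the bytes themselves, or None."""
    for magic, (mime, exts) in SIGNATURES.items():
        if data.startswith(magic):
            return mime, exts
    return None


def validate_avatar(filename: str, declared_mime: str, data: bytes) -> str:
    """Validate an avatar upload and return the MIME type it should be stored as.

    The client-supplied Content-Type and extension are never trusted on their own;
    they are only checked for consistency with what the content really is.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if MARKUP_RE.search(data[:512]):
        raise UploadRejected("markup content is not an image")
    found = sniff_image_type(data)
    if found is None:
        raise UploadRejected("unrecognised or disallowed image format")
    actual, allowed_exts = found
    if declared_mime.split(";")[0].strip().lower() != actual:
        raise UploadRejected(f"declared {declared_mime!r} does not match content {actual}")
    if ext not in allowed_exts:
        raise UploadRejected(f"extension .{ext} does not match content {actual}")
    return actual


def rejects(filename: str, declared_mime: str, data: bytes) -> bool:
    """True if validate_avatar refuses the upload (convenience for tests/demos)."""
    try:
        validate_avatar(filename, declared_mime, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header, and an SVG renamed to .png with a faked Content-Type.
    print(validate_avatar("me.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
    print(rejects("avatar.png", "image/png", b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="1"/></svg>'))
```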


Article source: https://infosecwriteups.com/blog-title-not-your-file-how-misconfigured-mime-types-let-me-upload-evil-scripts-889efb18a7ce?source=rss----7b722bfd1b8d--bug_bounty