Blog Title: Not Your File: How Misconfigured MIME Types Let Me Upload Evil Scripts
Using a real example, the article illustrates the danger of file upload vulnerabilities, stresses the importance of validating MIME types, and shows how the flaw was used to upload malicious files. 2025-5-15 05:1:29 Author: infosecwriteups.com

Iski


Hey there!😁

Image by Gemini AI

Life’s Rule #1: Never trust someone who says, “Just upload your resume here.” Because I did. And ended up getting RCE.

Rule #2: If your file upload accepts .svg, it’s probably open to the gates of hell.

Rule #3: Always double-check your MIME types, unless you enjoy turning profile pictures into payloads.

While sipping chai and passively scrolling through JS files like it’s my toxic ex’s Instagram, I stumbled upon an interesting endpoint:

POST /user/upload/avatar

It looked boring. Typical profile image upload, accepting JPEGs, PNGs, blah blah. But here’s the kicker — it didn’t validate MIME types server-side. Not even a peep of sanitization.

So I thought: “Can I fake it ’til I make it?”

Answer: Yes. Yes, I can. And I did. 😈
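The check the post says was missing, as an added example that is not the author's code or the target application's: a server-side avatar validator that decides by the file's magic bytes rather than the client-supplied Content-Type or extension, so an SVG (or anything text-like) renamed to `.jpg` is rejected even when the header says `image/jpeg`. The 2 MiB cap, the JPEG/PNG-only allowlist and the random on-disk name are assumed policy choices, and the sample inputs are constructed.

```python
import os
import secrets
from typing import Optional, Tuple

# Allowlist keyed by the bytes that actually start the file ("magic numbers"),
# never by the client-declared Content-Type or the filename extension.
MAGIC_SIGNATURES = {
    b"\xff\xd8\xff": ("image/jpeg", {".jpg", ".jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("image/png", {".png"}),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed policy: 2 MiB cap for an avatar


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, (mime, _exts) in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def validate_avatar_upload(data: bytes, declared_type: str,
                           filename: str) -> Tuple[bool, str, Optional[str]]:
    """Server-side checks for an avatar upload.

    Returns (ok, reason, safe_filename). The declared type and the original
    filename are only cross-checked against the content; the bytes decide.
    """
    if not data:
        return False, "empty upload", None
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large", None

    sniffed = sniff_image_type(data)
    if sniffed is None:
        # Catches SVG ('<svg' / '<?xml'), HTML, scripts: none start like an image.
        return False, "content is not a JPEG or PNG", None

    # Header must agree with the bytes; strip any ';charset=...' parameter first.
    declared = declared_type.split(";")[0].strip().lower()
    if declared != sniffed:
        return False, f"declared type {declared!r} does not match content {sniffed}", None

    # Extension must agree as well; an image/png named 'x.gif' is suspicious.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    allowed_exts = next(exts for mime, exts in MAGIC_SIGNATURES.values() if mime == sniffed)
    if ext not in allowed_exts:
        return False, f"extension {ext!r} not allowed for {sniffed}", None

    # Never reuse the user's name on disk: random name + server-chosen extension.
    safe_name = secrets.token_hex(16) + sorted(allowed_exts)[0]
    return True, "ok", safe_name


if __name__ == "__main__":
    # Constructed samples: a minimal JPEG header, a PNG header and a bare SVG.
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    svg = b'<svg xmlns="http://www.w3.org/2000/svg"/>'
    for args in [(jpeg, "image/jpeg", "me.jpg"),
                 (svg, "image/jpeg", "me.jpg"),      # spoofed header + extension
                 (png, "image/jpeg", "me.jpg"),      # header lies about content
                 (png, "image/png", "me.gif")]:      # extension disagrees
        print(validate_avatar_upload(*args)[:2])
```

Because the stored name is server-generated, the original filename never reaches the filesystem or a URL; serving the stored files from a separate origin with `X-Content-Type-Options: nosniff` closes the remaining gap where a browser might second-guess the type.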


Source: https://infosecwriteups.com/blog-title-not-your-file-how-misconfigured-mime-types-let-me-upload-evil-scripts-889efb18a7ce?source=rss----7b722bfd1b8d---4