From 92259509555c8b6dc0c069de64056ac9d6ce323f Mon Sep 17 00:00:00 2001
From: HackTricks News Bot
Date: Tue, 16 Jun 2026 11:12:54 +0000
Subject: [PATCH] Add content from: Unauthenticated File Upload in Amasty Order Attributes for M...

---
 src/pentesting-web/file-upload/README.md | 47 ++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/src/pentesting-web/file-upload/README.md b/src/pentesting-web/file-upload/README.md
index 1ce102580d5..b74fa8cb161 100644
--- a/src/pentesting-web/file-upload/README.md
+++ b/src/pentesting-web/file-upload/README.md
@@ -206,6 +206,52 @@ Notes: References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below. +### Unauthenticated JSON/REST upload to web-accessible media directories + +Some web applications expose file uploads through JSON APIs instead of `multipart/form-data`. A common dangerous pattern is an endpoint that accepts **attacker-controlled base64 bytes** plus an **attacker-controlled filename** and writes them into a **web-accessible media directory** **before** verifying authentication, object ownership, session state, or business-logic constraints (for example, whether the upload really belongs to a valid file-type attribute). + +Generic attack flow: + +1. Identify upload endpoints and also check variant routes such as versioned, store-scoped, locale-scoped, or `/all/` API prefixes. +2. Send JSON containing base64 data and a dangerous server-side filename such as `.php`, `.phtml`, `.phar`, `.html`, or `.svg`. +3. If the file is written under a browsable path, request it directly to test impact: + - **PHP execution / RCE** if the media path executes PHP + - **Stored XSS** if `.html` or script-capable `.svg` is served from the trusted application origin + - **Malware hosting / phishing** even when server-side execution is blocked + +Minimal probe: + +```json +{ + "fileContent": { + "base64_encoded_data": "PD9waHAgZWNobyAnR09PRCc7IGVjaG8gMyozOTU7ID8+", + "fileName_with_extension": "index.php" + } +} +``` + +The sample blob decodes to: + +```php + +``` + +Checklist when reviewing or exploiting this pattern: + +- Try **unauthenticated** requests and requests without any valid shopping cart, draft object, or owning record. +- Bruteforce **route variants** such as `/rest/V1/...`, `/rest/default/V1/...`, or similar framework-specific aliases. +- Check whether the API validates a **real object identifier** (for example an `attribute_code`, attachment field, ticket ID, etc.) **before** persisting the file. 
+- Test **filename traversal** (`../`) and path separators inside the provided name if the backend concatenates it into the destination path. +- Verify whether the target path is **web reachable** and whether the server executes dynamic extensions from that location. +- Even if PHP execution is blocked, test **active browser content** (`.html`, `.svg`) because same-origin uploads can still become stored XSS. + +Defensive design: + +- Bind uploads to a **real server-side object** and verify authn/authz before writing anything. +- Enforce an **extension and content allow-list** before disk write; reject active content unless strictly required. +- Generate filenames server-side, canonicalize paths, and confirm the resolved path stays inside the intended upload root. +- Serve uploads from a **non-executable** origin/path and prevent script execution from media directories. + ## **wget File Upload/SSRF Trick** In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\ 
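Review bot: the ```php fence that follows "The sample blob decodes to:" is empty, so the reader cannot tell what the probe writes to disk; the `<?php ... ?>` tag was most likely stripped when the text was pasted. Restate the decoded string inside the fence (decoding the visible base64 gives a one-line PHP snippet that echoes a fixed marker and an arithmetic result, i.e. a harmless execution canary rather than a shell), so that anyone reproducing the check knows exactly what to expect in the response. Separately, unlike the Gibbon LMS paragraph directly above ("References for this bug include the usd HeroLab advisory and the NVD entry"), the new section never names the product or advisory it was distilled from, so the `/rest/V1/`, `/rest/default/V1/` and `attribute_code` hints float without a concrete source; one sentence pointing at the Sansec Amasty Order Attributes write-up in the References section would fix that. Minor: "Bruteforce" should read "Brute-force", and "authn/authz" is better spelled out as "authentication and authorization" for a reference page.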
@@ -589,6 +635,7 @@ Backend copies `file.filepath`, so the response returns that path’s content. C - [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html) - [usd HeroLab – Gibbon LMS arbitrary file write (CVE-2023-45878)](https://herolab.usd.de/security-advisories/usd-2023-0025/) - [NVD – CVE-2023-45878](https://nvd.nist.gov/vuln/detail/CVE-2023-45878) +- [Sansec – Unauthenticated file upload in Amasty Order Attributes for Magento](https://sansec.io/research/amasty-order-attributes-file-upload) - [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html) - [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/) - [CVE-2024-21546 – NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
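Review bot: the new Sansec entry is the only one in this cluster without an identifier; the two Gibbon entries just above carry the CVE in the link text and are paired with an NVD link. If a CVE has been assigned to the Amasty Order Attributes issue, add it to the link text and insert the matching NVD entry beside it, following the existing pattern; if none has been assigned, leave the entry as it is rather than inventing one. Also confirm that the new section added in the earlier hunk cites this reference inline, as the neighbouring sections do, so the entry is not orphaned in the list.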