47 changes: 47 additions & 0 deletions src/pentesting-web/file-upload/README.md
Expand Up @@ -206,6 +206,52 @@ Notes:

References for this bug include the usd HeroLab advisory and the NVD entry. See the References section below.

### Unauthenticated JSON/REST upload to web-accessible media directories

Some web applications expose file uploads through JSON APIs instead of `multipart/form-data`. A common dangerous pattern is an endpoint that accepts **attacker-controlled base64 bytes** plus an **attacker-controlled filename** and writes them into a **web-accessible media directory** **before** verifying authentication, object ownership, session state, or business-logic constraints (for example, whether the upload really belongs to a valid file-type attribute).

Generic attack flow:

1. Identify upload endpoints and also check variant routes such as versioned, store-scoped, locale-scoped, or `/all/` API prefixes.
2. Send JSON containing base64 data and a dangerous server-side filename such as `.php`, `.phtml`, `.phar`, `.html`, or `.svg`.
3. If the file is written under a browsable path, request it directly to test impact:
- **PHP execution / RCE** if the media path executes PHP
- **Stored XSS** if `.html` or script-capable `.svg` is served from the trusted application origin
- **Malware hosting / phishing** even when server-side execution is blocked

Minimal probe:

```json
{
"fileContent": {
"base64_encoded_data": "PD9waHAgZWNobyAnR09PRCc7IGVjaG8gMyozOTU7ID8+",
"fileName_with_extension": "index.php"
}
}
```

The sample blob decodes to:

```php
<?php echo 'GOOD'; echo 3*395; ?>
```

Checklist when reviewing or exploiting this pattern:

- Try **unauthenticated** requests and requests without any valid shopping cart, draft object, or owning record.
- Bruteforce **route variants** such as `/rest/V1/...`, `/rest/default/V1/...`, or similar framework-specific aliases.
- Check whether the API validates a **real object identifier** (for example an `attribute_code`, attachment field, ticket ID, etc.) **before** persisting the file.
- Test **filename traversal** (`../`) and path separators inside the provided name if the backend concatenates it into the destination path.
- Verify whether the target path is **web reachable** and whether the server executes dynamic extensions from that location.
- Even if PHP execution is blocked, test **active browser content** (`.html`, `.svg`) because same-origin uploads can still become stored XSS.

Defensive design:

- Bind uploads to a **real server-side object** and verify authn/authz before writing anything.
- Enforce an **extension and content allow-list** before disk write; reject active content unless strictly required.
- Generate filenames server-side, canonicalize paths, and confirm the resolved path stays inside the intended upload root.
- Serve uploads from a **non-executable** origin/path and prevent script execution from media directories.

## **wget File Upload/SSRF Trick**

In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
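Review bot: the minimal probe (the JSON block uploading `index.php`) shows the payload but never says what a successful response looks like; since the blob decodes to `<?php echo 'GOOD'; echo 3*395; ?>`, state that fetching the written file should return `GOOD1185`, because that is what separates real server-side execution from the server merely echoing the source text back (the latter is still content hosting / stored-content impact, not RCE). Two smaller points in the same hunk: the route variants in step 1 and the checklist (`/all/`, `/rest/V1/...`, `/rest/default/V1/...`) follow Magento's REST store-code routing (the Sansec reference added below concerns a Magento extension) but are presented as generic "framework-specific aliases", so name Magento once so readers know where they apply; and the phrase "whether the upload really belongs to a valid file-type attribute" in the opening paragraph is only meaningful in that product context, so reword it to the generic check the checklist already states (that the referenced object exists and is of a type that accepts files). Also, step 2 calls `.php`, `.phtml`, `.phar`, `.html`, `.svg` "filenames" when they are extensions, and `.phtml`/`.phar` only execute where the server's handler mapping covers them, which belongs next to the "if the media path executes PHP" bullet.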
Expand Down Expand Up @@ -589,6 +635,7 @@ Backend copies `file.filepath`, so the response returns that path’s content. C
- [https://blog.doyensec.com/2025/01/09/cspt-file-upload.html](https://blog.doyensec.com/2025/01/09/cspt-file-upload.html)
- [usd HeroLab – Gibbon LMS arbitrary file write (CVE-2023-45878)](https://herolab.usd.de/security-advisories/usd-2023-0025/)
- [NVD – CVE-2023-45878](https://nvd.nist.gov/vuln/detail/CVE-2023-45878)
- [Sansec – Unauthenticated file upload in Amasty Order Attributes for Magento](https://sansec.io/research/amasty-order-attributes-file-upload)
- [0xdf – HTB: TheFrizz](https://0xdf.gitlab.io/2025/08/23/htb-thefrizz.html)
- [The Art of PHP: CTF‑born exploits and techniques](https://blog.orange.tw/posts/2025-08-the-art-of-php-ch/)
- [CVE-2024-21546 – NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2024-21546)
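Review bot: the new Sansec reference is not cited from the section it supports; the Gibbon paragraph at the top of the first hunk tells readers to "See the References section below" for the usd HeroLab and NVD entries, but nothing in the new "Unauthenticated JSON/REST upload" section mentions Sansec, Amasty or Magento, so a reader cannot tell which case this entry documents. Add a one-line pointer in that section (for example "Real-world case: see the Sansec write-up on Amasty Order Attributes in the References") or place the citation next to the probe. The entry itself matches the surrounding `[Title](url)` list style.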