All the actions described in the article were performed with the permission of the site owner as the part of vulnerability tests.

In the previous blog post I covered the findings related to the temporary file upload, but let's go further and check whether we can do something with the final file that is sent to another user.

After the temporary file is uploaded and the message is sent, the file is moved to a different directory and renamed, so it seems we won't be able to get an XSS to work; it also gets a predefined extension, so we cannot exploit the…


Request text was modified to protect the privacy of the test subject.

Background

Some time ago I found suspicious behavior in the site's file upload. Spoiler: I was not able to exploit it by itself, but it helped me focus on this part and spice up my findings a bit.

Request:

POST /loadphoto/save HTTP/1.1
Host: [redacted].com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------35677109542062294861829015033
Content-Length: 131624
Connection: close

-----------------------------35677109542062294861829015033
Content-Disposition: form-data; name="qqparentuuid"

4d28538e-7fea-413f-bd70-ad18d53061fc
-----------------------------35677109542062294861829015033
Content-Disposition: form-data; name="qqparentsize"

106725
-----------------------------35677109542062294861829015033
Content-Disposition: form-data; name="qquuid"

f7a84d5c-9351-456f-b828-480213b357ca
-----------------------------35677109542062294861829015033
Content-Disposition: form-data; name="qqfilename"

photo.png
-----------------------------35677109542062294861829015033
Content-Disposition…
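A defensive counterpart to the behaviour described above (the temporary upload is moved, renamed and given a fixed extension), written as an added Python example; it is not the site's code. It assumes the qqfilename and qqfile field names seen in the request, a hand-written minimal multipart parser rather than a library call, a small magic-byte table of allowed image types, and constructed sample data (boundary and PNG-like payload). It shows why a server-chosen name plus a content-derived extension removes both the path-traversal and the stored-XSS angle of a client-controlled filename, and what the server should reject outright.

```python
import os
import re
import tempfile
import uuid

# Constructed sample boundary, shaped like the one in the request above.
BOUNDARY = b"---------------------------35677109542062294861829015033"

# Constructed PNG-like payload: correct magic bytes, not a real image.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Magic bytes -> extension the server forces, whatever the client named the file.
ALLOWED_IMAGE_TYPES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

_DISPOSITION_RE = re.compile(rb'form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?')


def build_request_body(client_filename: str, data: bytes) -> bytes:
    """Build a multipart body carrying the qq* fields from the request (constructed sample)."""
    def part(name, value, filename=None):
        disp = b'Content-Disposition: form-data; name="' + name.encode() + b'"'
        if filename is not None:
            disp += b'; filename="' + filename.encode() + b'"'
        return b"--" + BOUNDARY + b"\r\n" + disp + b"\r\n\r\n" + value + b"\r\n"

    body = part("qquuid", str(uuid.uuid4()).encode())
    body += part("qqfilename", client_filename.encode())
    body += part("qqfile", data, filename=client_filename)
    return body + b"--" + BOUNDARY + b"--\r\n"


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart/form-data parser (assumed helper, not a library call).

    Returns {field_name: (filename_or_None, raw_bytes)}.
    """
    fields = {}
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        # Each part is "\r\n<headers>\r\n\r\n<content>\r\n".
        head, _, content = chunk.partition(b"\r\n\r\n")
        match = _DISPOSITION_RE.search(head)
        if not match:
            continue
        name = match.group(1).decode()
        filename = match.group(2).decode() if match.group(2) is not None else None
        if content.endswith(b"\r\n"):
            content = content[:-2]
        fields[name] = (filename, content)
    return fields


def store_upload(fields: dict, upload_dir: str) -> str:
    """Write the upload under a random, server-chosen name whose extension comes
    from the content, never from the client-supplied filename."""
    client_name = fields["qqfilename"][1].decode(errors="replace")
    # Path separators or ".." in a client filename have no legitimate use here.
    if not client_name or "/" in client_name or "\\" in client_name or ".." in client_name:
        raise ValueError("client filename contains path components")
    data = fields["qqfile"][1]
    ext = next((e for magic, e in ALLOWED_IMAGE_TYPES.items() if data.startswith(magic)), None)
    if ext is None:
        raise ValueError("content does not match an allowed image type")
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    with open(os.path.join(upload_dir, stored_name), "wb") as fh:
        fh.write(data)
    return stored_name


def demo(client_filename: str, data: bytes) -> dict:
    """Run the full path (build request -> parse -> store) and report the outcome."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    fields = parse_multipart(build_request_body(client_filename, data), BOUNDARY)
    try:
        name = store_upload(fields, upload_dir)
    except ValueError as err:
        return {"stored": None, "reason": str(err)}
    with open(os.path.join(upload_dir, name), "rb") as fh:
        return {"stored": name, "content": fh.read()}


if __name__ == "__main__":
    print(demo("photo.png", PNG_SAMPLE))
    print(demo("../../evil.html", PNG_SAMPLE))
    print(demo("photo.png", b"<script>alert(1)</script>"))
```

The point of the example is that neither the client's name nor its extension ever reaches the disk: the stored name is random and the extension is chosen from the bytes actually received, so an HTML or script payload named photo.png is refused rather than served back under a browser-interpretable type.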

0xbadb00da

Infosec newbie
