file upload

filter bypass

1. change the content type of file

2. change the name of file (extension bypass) :- file.php > file.php.jpg

3. Try null byte in file name

4. change the name of file (LFI) :- ../../../../../../file.php

5. MIME type and add magic byte before the content of reverse shell

6. check which extension is allowed

7. try .config file

8. if .config files sucessfully uplaod , try to inject code inside .config file

9. Very large file for DOS attack

VIDEO UPLOAD

ffmpeg

TikTok disclosed on HackerOne: External SSRF and Local File Read...HackerOne