Lockdoor Framework

A Penetration Testing Framework

View on GitHub

# Tactical Fuzzing - FI & Uploads

Local file inclusion

Core Idea: Does it (or can it) interact with the server file system?

[Liffy] (https://github.com/rotlogix/liffy) is new and cool here but you can also use [Seclists] (https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/JHADDIX_LFI.txt):

Malicious File Upload

This is an important and common attack vector in this type of testing. A file upload functions need a lot of protections to be adequately secure.


File upload attacks are a whole presentation. Try this one to get a feel for bypass techniques:

As referenced file polyglots can be used to store malware on servers! [See @dan_crowley ‘s talk] (http://goo.gl/pquXC2) [and @angealbertini research:] (corkami.com)

## Remote file includes and redirects

Look for any param with another web address in it. Same params from LFI can present here too.

Common blacklist bypasses:

Redirections Common Parameters or Injection points:

RFI Common Parameters or Injection points: