Search Results
7/1/2025, 10:08:42 AM
>>105763001
cool, i do hacking for work. if you want a challenge, you could have it convert webp to jpg/png and replace the extension. it is still a challenge because i would totally try uploading php file or some other script, you can usually find out what the backend is running by checking the http headers, so it depends on your stack. if you can avoid and deactivate js you should. i would honestly not parse POST request and hand it off to shell, i think you should strip the filename super hard, e.g. only [a-zA-Z0-1_.]+ and normalize every other character to underscore or smth. you can use `file` to do a shitty filecheck, im not sure was it `binwalk` that can determine if file content matches multiple types? if you find a way to determine sus polyglot file, you should just throw it into some other folder for lolz, its probably someone trying to confuse your imagemagick webp conversion script or serverside components to exploit it
cool, i do hacking for work. if you want a challenge, you could have it convert webp to jpg/png and replace the extension. it is still a challenge because i would totally try uploading php file or some other script, you can usually find out what the backend is running by checking the http headers, so it depends on your stack. if you can avoid and deactivate js you should. i would honestly not parse POST request and hand it off to shell, i think you should strip the filename super hard, e.g. only [a-zA-Z0-1_.]+ and normalize every other character to underscore or smth. you can use `file` to do a shitty filecheck, im not sure was it `binwalk` that can determine if file content matches multiple types? if you find a way to determine sus polyglot file, you should just throw it into some other folder for lolz, its probably someone trying to confuse your imagemagick webp conversion script or serverside components to exploit it
Page 1