From 4f4d7b3bf56f02eb92cb994d67d0d778cec010ae Mon Sep 17 00:00:00 2001 From: J-GainSec <69121898+J-GainSec@users.noreply.github.com> Date: Fri, 1 Mar 2024 23:36:14 -0500 Subject: [PATCH] Added Link to Python Script for adding RTLO characters to strings, individual files or all files within a directory. --- Upload Insecure Files/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index d5c58fe..51d50f0 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md @@ -80,7 +80,7 @@ * `file.php%20` * `file.php%0d%0a.jpg` * `file.php%0a` - * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. + * Right to Left Override (RTLO): `name.%E2%80%AEphp.jpg` will became `name.gpj.php`. - [Automated Script for RTLO](https://github.com/GainSec/RTLOify) * Slash: `file.php/`, `file.php.\`, `file.j\sp`, `file.j/sp` * Multiple special characters: `file.jsp/././././.` - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` @@ -219,4 +219,4 @@ Upload the XML file to `$JETTY_BASE/webapps/` * [Jetty Features for Hacking Web Apps - September 15, 2022 - Mikhail Klyuchnikov](https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/) * [Inyección de código en imágenes subidas y tratadas con PHP-GD - Spanish Resource - hackplayers](https://www.hackplayers.com/2020/03/inyeccion-de-codigo-en-imagenes-php-gd.html) * [A New Vector For “Dirty” Arbitrary File Write to RCE - Doyensec - Maxence Schmitt and Lorenzo Stella](https://blog.doyensec.com/2023/02/28/new-vector-for-dirty-arbitrary-file-write-2-rce.html) -* [PHP Internals Book - THE .PHPT FILE STRUCTURE](https://www.phpinternalsbook.com/tests/phpt_file_structure.html) \ No newline at end of file +* [PHP Internals Book - THE .PHPT FILE STRUCTURE](https://www.phpinternalsbook.com/tests/phpt_file_structure.html)
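Review bot: In the first hunk (`@@ -80,7 +80,7`), the rewritten RTLO bullet still reads "will became". Since the line is being touched anyway, change it to "will be displayed as", which is also more accurate: the U+202E override only changes how the name renders, and the stored name in the example still ends in `.jpg`. The appended ` - [Automated Script for RTLO](...)` runs a tool link into a list whose neighbouring bullets are bare filename patterns. Give the link a label that says what the script does (per the commit subject, it adds RTLO characters to strings, single files or all files in a directory). The target is a repository under the submitter's own name, so a maintainer should read the script before the README points readers at it.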
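Review bot: In the second hunk (`@@ -219,4 +219,4`), the only change is the end-of-file newline added after the `.PHPT FILE STRUCTURE` reference, which the commit subject does not mention. Keep the newline, but either note it in the message or split it into its own commit so the diff matches its description. This references list is also where the file keeps its external links, so the RTLOify link from the first hunk would fit better here as its own entry, in the same title-plus-source form as the entries above it, than inline in the extension bullet.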