Introduction Let's start off with the definition. An arbitrary file is any file on a specific server or system. Basically, the arbitrary file is a file that allows you to modify everything on a system. For example, if you got access to a particular website part of a shared server and you manage to root it, the files from the "box" are arbitrary - those on the site itself are not. Now, we can have only a limited number of actions handling arbitrary files. Those are the three following: [*] Arbitrary File Deletion [*] Arbitrary File Overwriting [*] Arbitrary File Uploading[ Arbitrary File Deletion Such method is most usually implemented on websites that lack directory access permissions or do not have any at all. In that case, the hacker can easily directly access the page for file deletion. It is most usually used for random websites, since exploring a targeted website could take quite a lot of time in order to find the path (if, of course, you don't already have the server-side files). I've posted some dorks for arbitrary file deletion below: inurl:"delete.php?file=" ext:php inurl:"delete?filename=" ext:php inurl:"delete.aspx?file=" ext:php inurl:"action=delete?file=" ext:php Let's say, we've found a website See Image We can see in the URL the directory of ../delete.php?file= In our case the target for deletion is a person's information board. It is just encoded in Base64 for some reason and resolves to the following string: /www/egypt3/data/peop/Selvia,+John+and+Lisa/phone1 We may use this parameter to delete any file on the server that is hosted on this particular website as long as we are aware of the full path or manage to exploit a directory disclosure vulnerability. Arbitrary File Upload Get about some dork and find an uploading script. inurl:"upload.php?file=" ext:php inurl:"upload?filename=" ext:php inurl:"upload.aspx?file=" ext:php inurl:"action=upload?file=" ext:php This is how my target looks like. A simple upload page (possibly without any filtration upon user input). See Image Try and upload your shell directly. If not successful, spoof the extension to one of these using the null byte: shell.php;.jpg shell.php..jpg shell.php.jpg; shell.php.jpg:; shell.php.jpg%; shell.php.jpg%00 shell.php%00.jpg shell.php.jpg;%00 shell.php.jpg%00:; and upon uploading, tamper the POST request with Tamper Data (this has been covered on a lot of tutorials, and you could really easily search for it rather than me explaining it over and over again) so as to change the extension back to what it really is (.php). See Image Whoops, we've got our c99 uploaded on their server. If that method of uploading did not work for you, try using a binder and spoof the extension properly. Sursa: Antagonism Group and software