File Uploads
Protections / Checklist
- Extensions Validation: blacklisted/whitelisted extensions. What is allowed? What can we do with it?
- Content Validation: the Content-Type header and the actual file content (magic bytes).
- Uploads Disclosure: can we find the uploads directory, and does the web server serve (or execute) what is stored there?
Whitelist & Filters
Regex Filters
If the whitelist regex only checks that an allowed extension appears somewhere in the filename (no end-of-string anchor), it can be bypassed by appending an executable extension after the allowed one:
Example: shell.jpeg.php
The name contains .jpeg, so the filter accepts it, and the file is still an executable PHP file.
Double Extensions
- Example: shell.jpeg.php
- An unanchored filter accepts the name because it contains .jpeg, while the web server selects the handler from the last extension (.php) and executes the file.
Reverse Double Extensions
- Even when the filter is strict about the final extension, a misconfigured web server can still execute the file.
- Example: shell.php.jpg against an application whose regex only accepts a final .jpg, running on a server whose PHP handler rule matches .php anywhere in the filename (e.g. an Apache FilesMatch pattern that is not anchored with $).
Character Injection
- Injecting special characters before or after the final extension can make the application and the web server interpret the filename differently (null-byte truncation in old PHP versions, trailing dots or spaces stripped on Windows, path separators, and so on).
- Example characters for bypassing filename checks; the loop below builds a wordlist with every combination to fuzz the upload with:
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\\' '.' '…' ':'; do
for ext in '.php' '.phps' '.phtml' '.php3' '.php5' '.php4'; do
echo "shell$char$ext.jpg" >> wordlist.txt
echo "shell$ext$char.jpg" >> wordlist.txt
echo "shell.jpg$char$ext" >> wordlist.txt
echo "shell.jpg$ext$char" >> wordlist.txt
done
done
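To see why the regex, double-extension and reverse-double-extension cases above behave differently, here is an added example (not code from the original page) that runs the same candidate names through an unanchored and an anchored application whitelist and through a loose and a tight server-side PHP handler rule, then shows a hardened validator that survives all of them. The four regexes are assumed, illustrative patterns, not taken from any real application or server configuration.

```python
import re
import secrets

# Application-side whitelist: the common unanchored bug beside the anchored fix.
WEAK_WHITELIST = re.compile(r"^.*\.(jpe?g|png|gif)", re.IGNORECASE)     # accepts shell.jpg.php
STRICT_WHITELIST = re.compile(r"^.*\.(jpe?g|png|gif)$", re.IGNORECASE)  # only the final extension

# Web-server side: names the PHP handler would hand to the interpreter.
# An Apache-style FilesMatch pattern missing its trailing '$' matches '.php'
# anywhere in the name; the anchored form only fires on a final .php/.phar/.phtml.
LOOSE_HANDLER = re.compile(r".+\.ph(ar|p|tml)", re.IGNORECASE)
TIGHT_HANDLER = re.compile(r".+\.ph(ar|p|tml)$", re.IGNORECASE)

ALLOWED_EXTS = {"jpg", "jpeg", "png", "gif"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def candidates(base="shell", php_exts=(".php", ".phtml", ".phar"), img_ext=".jpg"):
    """Double and reverse-double extension variants, as the wordlist loop above builds them."""
    names = []
    for ext in php_exts:
        names.append(f"{base}{img_ext}{ext}")  # double extension:  shell.jpg.php
        names.append(f"{base}{ext}{img_ext}")  # reverse double:    shell.php.jpg
    return names


def executable_uploads(names, whitelist, handler):
    """Names that pass the application's filter AND would be executed by the server."""
    return [n for n in names if whitelist.match(n) and handler.match(n)]


def hardened_store_name(filename):
    """Whitelist only the final extension and discard the client-supplied basename.

    Returns the on-disk name, or None to reject. Injected characters (%00, /,
    '...', ':', spaces, newlines) fail SAFE_NAME; the stored name has exactly
    one dot and a whitelisted extension, so no handler rule keyed on '.php'
    can match it no matter how the server regex is anchored.
    """
    if not SAFE_NAME.match(filename) or filename.startswith(".") or ".." in filename:
        return None
    stem, dot, ext = filename.rpartition(".")
    if not dot or not stem or ext.lower() not in ALLOWED_EXTS:
        return None
    return f"{secrets.token_hex(8)}.{ext.lower()}"   # random 16-hex-char basename


if __name__ == "__main__":
    names = candidates()
    print("weak filter + tight handler  :", executable_uploads(names, WEAK_WHITELIST, TIGHT_HANDLER))
    print("strict filter + loose handler:", executable_uploads(names, STRICT_WHITELIST, LOOSE_HANDLER))
    print("strict filter + tight handler:", executable_uploads(names, STRICT_WHITELIST, TIGHT_HANDLER))
    for n in names + ["shell.jpg%00.php", "shell.php"]:
        print(f"{n:20} -> {hardened_store_name(n)}")
```

The first two combinations each leak three executable names (the double-extension set against the loose application filter, the reverse set against the loose server rule); only anchoring on both sides closes the gap, and the hardened path removes the dependency on the server regex entirely by never storing the client's name.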
Type Filters
There are two common methods for validating file content:
- Content-Type header
- File content (magic bytes)
Content-Type Bypass
- Start by fuzzing the Content-Type header with Burp Intruder using the Content-Type wordlist from SecLists.
- In a multipart request each part carries its own Content-Type header, and that is usually the one the application reads. Some requests only contain the request-level Content-Type header (e.g. when the file is sent as raw POST data), and then that header is the one to modify.
MIME-Type Validation
- Servers that inspect the magic bytes (PHP's finfo, the file utility) can be bypassed by prepending a valid image signature such as GIF8 to the PHP payload: the file still sniffs as image/gif, and PHP ignores the bytes before the opening <?php tag.
Limited File Uploads
Even when only non-executable types are accepted, some of them (SVG, HTML, XML) are parsed by the server or rendered by the browser and still introduce vulnerabilities.
XSS
- SVG files can carry <script> elements; if the upload is served inline from the application's origin, they run as stored XSS. HTML uploads behave the same way, and image metadata (an EXIF comment in a JPG or GIF) can be reflected unescaped wherever the application displays it.
XXE (XML External Entity Injection)
- SVG is XML, so an uploaded SVG can declare an external entity that a server-side parser or renderer resolves, leaking local files into the rendered output.
Example: Leaking /etc/passwd via SVG (the entity is placed inside a text element so a renderer displays the file contents):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500"><text font-size="16" x="0" y="16">&xxe;</text></svg>
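Added example (not from the original page) showing the payload above parsed twice with Python's xml.sax: once with external general entities enabled, which stands in for a server-side renderer that follows SYSTEM entities, and once with the feature left at its default of off. The "secret" file is a constructed stand-in for /etc/passwd created in a temp directory so the demo runs offline.

```python
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collect every character-data callback, i.e. what an SVG renderer would draw as text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def svg_payload(target_url):
    """Same structure as the /etc/passwd payload above, with the target URL parameterised."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "{target_url}"> ]>\n'
        '<svg xmlns="http://www.w3.org/2000/svg" width="500" height="500">'
        '<text font-size="16" x="0" y="16">&xxe;</text></svg>'
    ).encode()


def parse_svg_text(svg_bytes, resolve_external_entities):
    """Return the text content of an SVG.

    resolve_external_entities=True mimics a converter that follows SYSTEM
    entities (the vulnerable case). xml.sax leaves this off by default, and the
    hardened setting is simply to keep it off (or to use defusedxml).
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg_bytes))
    return "".join(handler.parts)


def demo():
    """Create a fake passwd file, attack it, and return (leaked_text, safe_text)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed stand-in for /etc/passwd
        secret_path = pathlib.Path(f.name)
    try:
        payload = svg_payload(secret_path.as_uri())   # file:///... URL, like the payload above
        leaked = parse_svg_text(payload, resolve_external_entities=True)
        safe = parse_svg_text(payload, resolve_external_entities=False)
    finally:
        try:
            secret_path.unlink()
        except OSError:
            pass
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser saw:", repr(leaked))
    print("hardened parser saw  :", repr(safe))
```

The vulnerable run returns the file's contents as the text of the <text> element, which is exactly what ends up in a thumbnail or PDF a server generates from the SVG; the hardened run returns nothing for the entity, and the upload renders as an empty image.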
DoS (Denial of Service)
XXE-Based DoS
- The same entity mechanism can be turned against the parser itself (e.g. the "billion laughs" nested-entity expansion) to exhaust memory or CPU instead of reading files.
Decompression Bomb
- Uploading a ZIP bomb (nested compressed archives) to exhaust storage or memory.
- If the server automatically unzips uploaded files, a recursive ZIP bomb of a few tens of kilobytes can expand to petabytes.
Pixel Flood Attack
- Modifying the dimensions in a JPG or PNG header so the declared image is vastly larger than the actual data; the decoder allocates memory for the declared size before it notices.
- Example: Changing a 500x500 JPG to claim 4 gigapixels, exhausting memory when the server tries to decode it.
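Added example (not from the original page) of the two pre-processing checks that stop these attacks before any decoding or extraction happens: reading the ZIP central directory for the declared uncompressed size and compression ratio, and reading a PNG's IHDR chunk for its declared pixel count. Both the bomb and the oversized PNG are constructed inside the block, and the limits are illustrative.

```python
import io
import struct
import zipfile
import zlib

MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB across the whole archive
MAX_RATIO = 100                              # uncompressed / compressed
MAX_PIXELS = 50_000_000                      # roughly a 7000x7000 image
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def make_archive(entries):
    """Constructed test archive: {name: bytes}, DEFLATE-compressed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def zip_risk(archive_bytes):
    """Inspect the central directory before extracting anything.

    Returns (total_uncompressed, ratio, ok). The sizes come from metadata the
    uploader controls, so they are only good for rejecting early; an extractor
    must also enforce the same budget while streaming data out.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        infos = zf.infolist()
        total = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos) or 1
    ratio = total / compressed
    ok = total <= MAX_TOTAL_UNCOMPRESSED and ratio <= MAX_RATIO
    return total, ratio, ok


def make_png_header(width, height):
    """Constructed PNG prefix (signature + IHDR) claiming the given size; no pixel data follows."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)   # 8-bit RGB, no interlace
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr + struct.pack(">I", crc)


def png_dimensions(data):
    """Read width/height from the IHDR chunk without decoding the image."""
    if not data.startswith(PNG_SIG) or len(data) < 24 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def pixel_flood_risk(data):
    """Returns (declared_pixels, ok); (None, False) if it is not a PNG we can read."""
    dims = png_dimensions(data)
    if dims is None:
        return None, False
    w, h = dims
    return w * h, (w * h) <= MAX_PIXELS


if __name__ == "__main__":
    bomb = make_archive({"payload.bin": b"\0" * (8 * 1024 * 1024)})
    print("bomb bytes on the wire:", len(bomb), "-> declared/ratio/ok:", zip_risk(bomb))
    print("honest 500x500 PNG   :", pixel_flood_risk(make_png_header(500, 500)))
    print("forged 65535x65535   :", pixel_flood_risk(make_png_header(65535, 65535)))
```

Eight mebibytes of zeros deflate to a few kilobytes, so the ratio check trips long before the size check does, and a 65535x65535 header declares about 4.3 gigapixels from a 33-byte file, which is the pixel-flood case in the text. Image libraries expose the same guard (Pillow's MAX_IMAGE_PIXELS, for instance); the point of doing it by hand here is that it can run before any decoder touches the bytes.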
File Name Injection
Many file upload attacks exploit malicious filenames that get executed or processed when the file is moved, listed or displayed.
Command Injection via Filename
- If the web application inserts the filename into an OS command, an attacker can inject shell commands.
- Example:
file$(whoami).jpg
file`whoami`.jpg
file.jpg||whoami
- If the application moves the file with a shell command built from the unsanitized filename, the injected command executes, leading to RCE (Remote Code Execution).
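Added example (not from the original page): the three filenames above fed to a vulnerable command builder, a quoted one, and a no-shell argv form, plus a sanitizer and a detection heuristic. The upload directory and the mv command are hypothetical, and the functions return the command they would run rather than executing it, so the injection is visible without touching a shell.

```python
import re
import shlex

UPLOAD_DIR = "/var/www/uploads"   # hypothetical destination
INJECTED = ["file$(whoami).jpg", "file`whoami`.jpg", "file.jpg||whoami"]


def vulnerable_move_command(filename):
    """String interpolation into a shell command: $(...), backticks and || are live."""
    return f"mv /tmp/{filename} {UPLOAD_DIR}/{filename}"


def quoted_move_command(filename):
    """Still a shell string, but every operand is quoted, so metacharacters become literal."""
    return f"mv {shlex.quote('/tmp/' + filename)} {shlex.quote(UPLOAD_DIR + '/' + filename)}"


def safe_move_argv(filename):
    """No shell at all: argv for subprocess.run(argv) with shell=False.

    '--' stops mv from reading a filename that starts with '-' as an option.
    """
    return ["mv", "--", f"/tmp/{filename}", f"{UPLOAD_DIR}/{filename}"]


def sanitize_filename(filename, max_len=64):
    """Reduce a client-supplied name to [A-Za-z0-9._-], drop any path, bound its length.

    Extension whitelisting is a separate step (see the earlier sections); this
    only removes what a shell, a path or a template could misinterpret.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop directories and traversal
    base = re.sub(r"[^A-Za-z0-9._-]", "", base)             # drop shell and control characters
    base = base.lstrip(".")[:max_len]                       # no dotfiles such as .htaccess
    return base or "upload"


def is_suspicious(filename):
    """Detection heuristic for logging/alerting: shell metacharacters in an upload name."""
    return re.search(r"[`$|;&<>\n\r]", filename) is not None


if __name__ == "__main__":
    for name in INJECTED:
        print("vulnerable:", vulnerable_move_command(name))
        print("quoted    :", quoted_move_command(name))
        print("argv      :", safe_move_argv(name))
        print("sanitized :", sanitize_filename(name), "| suspicious:", is_suspicious(name))
        print()
```

The vulnerable form runs whoami as soon as the string reaches a shell; the quoted form wraps each operand in single quotes, so the same characters are passed to mv as part of the name; the argv form never involves a shell, which is the version to use. Sanitizing on top of that is defence in depth, not a substitute for it.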
Covert Webshells (My GitHub)
💡 Combine different bypass techniques and observe errors while testing.