search

File Upload Bypass

hashtag
File extension

Developers may blacklist specific file extensions and prevent users from uploading files with extensions that are considered dangerous. This can be bypassed by using alternate extensions or even unrelated ones. For example, it might be possible to upload and execute a .php file simply by renaming it file.php.jpg or file.PHp.

Example:

  • file.php -> 'file.jpg', 'file.php.', 'file.php.jpg' or 'file.php;.jpg'

  • file.asp -> 'file.asp;.jpg'

  • shell.js -> 'shell.jpg'

  • shell.php -> shell.phpA.pdf and use hexedit to replace 'A' to 'null byte(0x00)'

Alternate extensions

Type
Extension

php

phtml, .php, .php3, .php4, .php5, and .inc

asp

asp, .aspx

perl

.pl, .pm, .cgi, .lib

jsp

.jsp, .jspx, .jsw, .jsv, and .jspf

Coldfusion

.cfm, .cfml, .cfc, .dbm

hashtag
MIME type

Blacklisting MIME types is also a method of file upload validation. It may be bypassed by intercepting the POST request on the way to the server and modifying the MIME type.

Normal php MIME type:

Replace with:

hashtag
PHP getimagesize()

For file uploads which validate image size using php getimagesize(), it may be possible to execute shellcode by inserting it into the Comment attribute of Image properties and saving it as file.jpg.php.

You can do this with gimp or exiftools:

I'm not sure why some tutorials have the php extension first while others have it second. Try both.

hashtag
JPG to PNG Shell

hashtag
GIF89a; header

GIF89a is a GIF file header. If uploaded content is being scanned, sometimes the check can be fooled by putting this header item at the top of shellcode:

hashtag
JPEG - '\xff\xd8\xff\xdb'

hashtag
PUTing File on the Webhost via PUT verb

PreviousFile Extension Discovery for uploadNext.htaccess to allow extension

Last updated