File upload vulnerabilities

File upload vulnerabilities arise when a web server allows users to upload files to its filesystem without sufficiently validating their name, type, contents, or size. If these restrictions are not properly enforced, even a basic image upload function can be used to upload arbitrary and potentially dangerous files, including server-side script files that enable remote code execution.

Useful File Extensions

  • PHP -> .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module

  • ASP -> .asp, .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml

  • JSP -> .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action

  • Flash -> .swf

  • Perl -> .pl, .cgi

Bypass File Extensions Checks

  1. Test using uppercase letters: pHp, pHP5...

  2. Add a valid extension before the wanted extension:

    • file.png.php

    • file.png.pHp

  3. Add special characters at the end. Bruteforce all ASCII and Unicode characters.

    • file.php%20

    • file.php%0a

    • file.php%00

    • file.php%0d%0a

  4. Try to bypass the protections by adding junk data (null bytes) between double extensions:

    • file.php#.png

    • file.php%00.png

    • file.php\x00.png

    • file.php%0a.png

    • file.php%0d%0a.png

    • file.phpJunk123png

  5. Add another layer of extensions:

    • file.png.jpg.php

    • file.php%00.png%00.jpg
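
On the defensive side, every pattern in the list above fails against a strict allow-list check, which is why a deny-list of extensions is the wrong control. The following is an added example, not part of the original page: a filename check for an image upload, where the allowed extensions, the stem policy and the function names are assumptions. It covers the name only, not type, contents or size.

```python
import re
import secrets
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}   # assumption: image-only upload
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")       # assumption: conservative stem policy


def check_upload_name(raw_name):
    """Return (extension, None) if the name is acceptable, else (None, reason)."""
    # Decode percent-escapes until stable so %00 and %2500 are judged as the bytes they become.
    name = raw_name
    for _ in range(5):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name):
        return None, "control character or null byte"
    if "/" in name or "\\" in name:
        return None, "path separator"
    parts = name.split(".")
    if len(parts) != 2:
        return None, "expected exactly one extension"
    stem, ext = parts
    # Case is folded, then compared against the allow-list only (never a deny-list).
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None, "extension not on allow-list"
    if not SAFE_STEM.fullmatch(stem):
        return None, "unexpected characters in name"
    return ext, None


def stored_name(raw_name):
    """Pick the on-disk name server-side; the client's name is never used as a path."""
    ext, reason = check_upload_name(raw_name)
    if ext is None:
        raise ValueError(f"upload rejected: {reason}")
    return f"{secrets.token_hex(16)}.{ext}"


# Constructed samples: the patterns listed above, then two legitimate names.
SAMPLES = ["file.pHp", "file.png.php", "file.php%20", "file.php%0a", "file.php%00",
           "file.php#.png", "file.php%00.png", "file.php\x00.png", "file.php%0d%0a.png",
           "file.phpJunk123png", "file.png.jpg.php", "file.php%00.png%00.jpg",
           "photo.PNG", "holiday_2024.jpg"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", check_upload_name(sample))
```

The rejection reason is worth logging: repeated "control character" or "expected exactly one extension" rejections from one client are a useful signal that an upload endpoint is being probed.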
