search

📀Common File Upload Bypasses

hashtag
Common File Upload Bypasses

hashtag
Default extensions

hashtag
PHP Server

.php , .php3 , .php4 , .php5 , .php7

hashtag
Less known PHP extensions

.pht , .phps , .phar , .phpt , .pgif , .phtml , .phtm , .inc

hashtag
ASP Server

.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap

hashtag
JSP

.jsp, .jspx, .jsw, .jsv, .jspf

hashtag
Perl

hashtag
Different Ways to Bypass the Extensions

  • Use double extensions: .jpg.php

  • Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): .php.jpg

  • Randomly use uppercase and lowercase in the extension: .pHp, .pHP5, .PhAr

  • Null byte: The restriction on uploading files can be bypassed by using a Null Byte in the file name, typically with the extension.

  • Nth Extension Bypass: Using multiple levels of extension is one of the most common methods to bypass the file upload restrictions.

  • Special characters

  • Multiple dots after the extension: file.php......

  • Whitespace characters: file.php%20, file.php%0d%0a.jpg

  • Right to Left Override (RTLO): name.%E2%80%AEphp.jpg will become name.gpj.php

  • Slash: file.php/, file.php.\, file.j\sp, file.j/sp

  • Multiple special characters: file.jsp/././././.

hashtag
Content Type Bypass:

  • Set the Content-Type twice: once for unallowed type and once for allowed.

hashtag
Tools & Extensions

PreviousFile Upload VulnerabilitiesNextMy RCE / File Upload / Command injection Methodology

Last updated