📀Common File Upload Bypasses
Default extensions
PHP Server
.php , .php3 , .php4 , .php5 , .php7
Less known PHP extensions
.pht , .phps , .phar , .phpt , .pgif , .phtml , .phtm , .inc
ASP Server
.asp, .aspx, .cer and .asa (IIS <= 7.5), shell.aspx;1.jpg (IIS < 7.0), shell.soap
JSP
.jsp, .jspx, .jsw, .jsv, .jspf
Perl
.pl, .pm, .cgi, .lib
Different Ways to Bypass the Extensions
Use double extensions: .jpg.php
Use reverse double extension (useful to exploit Apache misconfigurations where anything with extension .php, but not necessarily ending in .php will execute code): .php.jpg
Randomly use uppercase and lowercase in the extension: .pHp, .pHP5, .PhAr
Null byte: Upload restrictions can be bypassed by placing a null byte in the file name, typically next to the extension: .php%00.gif , .php\x00.gif
Nth Extension Bypass: Using multiple levels of extension is one of the most common methods to bypass file upload restrictions.
Example file: test.jpg.html // cobalt.cobalt.jpg.html
Special characters
Multiple dots after the extension: file.php......
Whitespace characters: file.php%20, file.php%0d%0a.jpg
Right to Left Override (RTLO): name.%E2%80%AEphp.jpg will become name.gpj.php
Slash: file.php/, file.php.\, file.j\sp, file.j/sp
Multiple special characters: file.jsp/././././.
Content Type Bypass:
MIME type: change Content-Type: application/x-php or Content-Type: application/octet-stream to Content-Type: image/gif
Set the Content-Type twice: once for a disallowed type and once for an allowed one.
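A server-side check that rejects each filename trick listed above, shown as an added example that is not part of the original page. The function name check_upload, the image-only allowlist and the sample inputs are assumptions made for illustration.

```python
import unicodedata
import uuid
from urllib.parse import unquote

# Assumed policy for this example: image uploads only, keyed by
# extension with the magic bytes each file must start with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}


def check_upload(filename, data):
    """Return (stored_name, None) if accepted, else (None, reason).

    The client-supplied Content-Type is deliberately not a parameter:
    the sender controls it, so it cannot be used as evidence of type.
    """
    # Decode percent-escapes first so %00, %20, %0d%0a and %E2%80%AE
    # are inspected as the characters they encode.
    name = unquote(filename)
    # Categories Cc/Cf cover NUL, CR/LF, tab and the RTLO mark U+202E.
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in name):
        return None, "control or bidi character in name"
    # Separators and ';' (the shell.aspx;1.jpg form) never belong in a name.
    if any(c in name for c in "/\\;"):
        return None, "path separator or ';' in name"
    if name != name.strip() or name.endswith("."):
        return None, "leading/trailing whitespace or dot"
    # One base name and one extension: rejects .jpg.php and .php.jpg alike.
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return None, "exactly one extension required"
    ext = parts[1].lower()  # defeats .pHp / .PhAr case mixing
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED:
        return None, "extension not allowlisted"
    # Prefix check only; it does not prove the rest of the file is an image.
    if not data.startswith(ALLOWED[ext]):
        return None, "content does not match extension"
    # Store under a server-generated name so nothing from the client survives.
    return f"{uuid.uuid4().hex}.{ext}", None


if __name__ == "__main__":
    # Constructed sample names taken from the lists above.
    for n in ["test.jpg.php", "shell.php%00.gif", "name.%E2%80%AEphp.jpg",
              "file.php......", "shell.aspx;1.jpg", "photo.JPG"]:
        print(n, "->", check_upload(n, b"\xff\xd8\xff\xe0"))
```

Because the magic-byte test only looks at the first bytes, the stored file should still be served from a location where the web server executes nothing.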
Tools & Extensions
Burp > Upload Scanner
ZAP > FileUpload AddOn