2-Append an extra file extension-If the application does not validate the file extension properly, this can be exploited by appending another extension, for example turning script.php into script.php.gif or script.gif.php. Which variant works depends on how the server picks the extension to execute: Apache configured with AddHandler for .php, for instance, applies the handler to any extension in the name, not just the last one, so script.php.gif is still run as PHP
3-Change the casing of the extension-Try different combinations of lower and upper case, for example pHp, PhP, phP, Php etc
4-Change content type-When intercepting the request in Burp Suite, the Content-Type of the multipart part can be changed, for example from "Content-Type: application/x-php" to "Content-Type: image/gif". This defeats checks that trust the client-supplied type instead of inspecting the file
5-Try using executable extensions-Extension blacklists are rarely complete, and certain server-side extensions may still be allowed, for example .shtml, .asa, .cer, .asax, .swf, or .xap
6-Add a magic byte to the file-Magic bytes are the signature bytes at the start of a file that server-side checks (for example PHP's getimagesize()) use to identify its type. Prepending "GIF87a" (or "GIF89a") to the script makes such a check treat it as a GIF while the PHP code that follows is still interpreted if the file is ever executed
7-Try reducing the file size-If a file size restriction is in place, a minimal script is enough to gain remote code execution, such as
<?php echo system($_REQUEST['cmd']); ?>
8-Add a null byte to the file name-If the site uses a file extension whitelist, this can often be bypassed by adding a null byte to the file name, as %00 (URL encoding) or as a raw \x00 byte, followed by an allowed extension. For example: php-reverse-shell.php%00.gif. The check sees .gif, but a filesystem call in a language that truncates strings at the null byte (older PHP, before 5.3.4) writes php-reverse-shell.php
9-Add special characters before file extension-In older web servers, adding special characters such as ;%$& right after the file name, for example shell;.php, can help bypass file extension whitelists
10-Insert EXIF data-An executable script can be inserted into an image as a metadata comment (for example an EXIF comment field). The image passes type checks, and the script runs when the server later executes or includes the file as a script, for example through a local file inclusion or when the image is stored with an extension the interpreter handles
11-Try using Windows 8.3 notation for the file name-On Windows, the 8.3 short name of a file can be used in its place. For example shell.aspx becomes SHELL~1.ASP, so a check on the long name and the name the filesystem actually resolves can disagree
12-Try finding characters that are converted to other useful characters during the file upload process-For instance, when running PHP on IIS, the ">", "<", and double quote (") characters are converted to "?", "*", and "." respectively
13-Try adding neutral characters after the filename-Special characters at the end of a filename, such as spaces or dots on Windows or dots and slashes on Linux, are removed automatically by the filesystem, so a name that passes the check is saved as the bare script name (e.g. "shell.aspx … … . . .. ..", "script.asp ", or "file.asp.")