File Upload Bypass to RCE == $$$$

Image Credit — Wallarm

Scenario #1

  1. Payload with .php extension is not allowed.
  2. Renaming payload from : ‘payload.php’ to ‘payload.pHp5’ . Changing extensions to random upper and lower case bypassed it.
  3. But do note that such payloads only work if target has client-side validation only . So sometimes the payload may go through the frontend, but you may not get the callback as it has been blocked by the IDS or backend firewall.
  4. In this case, I received the callback and RCE was established.

Scenario #2

  1. Payload with .php extension is not allowed.
  2. Renamed the payload from : ‘payload.php’ to ‘payload.php\x00.png’ Appending \x00.png to the end bypassed the restriction(Null Byte).
  3. Right click → view image in new tab triggered the script.
  4. RCE was achieved.
  • In some cases .inc , .phps , .phtml can also be used.
  • When you are using this, make sure to change content-Type accordingly. P.S : Stored XSS was also possible here.

Scenario #3

  • This time, it took a while to find a valid bypass. They had set up a strict rule to only allow images.
  • I was not able to figure out how the target web app was verifying if the data was indeed an image. But after a lot of research, I found that they were checking the magic bytes of the payload to verify it.
  • Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.
  • I also found out that backend filters and removes certain keywords. For example, it removes the term ‘.php’. So we can rename a file as ‘payload.p.phphp’. So when the filter removes ‘.php’ , the file name would become ‘payload.php’. Since the firewall has been bypassed at this stage, script will be executed. One of John Hammonds video helped me with this.
  1. 89 50 4e 47 0d 1a 0a → magic bytes of a png file
  2. echo “89 50 4e 47 0d 1a 0a” | xxd -p -r >> payload.p.phphp
  3. Upload the script and get a full fledged RCE.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sagar Sajeev

Sagar Sajeev

18 y/o | Security Researcher | Bug Bounty Hunter |