ClaudeWave
Skill · 2.3k repo stars · updated 1mo ago

offensive-file-upload

The offensive-file-upload skill provides a systematic methodology for testing file upload vulnerabilities in web applications, covering MIME type bypasses, extension manipulation, magic byte techniques, path traversal, stored XSS via file uploads, and race condition attacks. Use this skill during web application penetration testing or bug bounty assessments when evaluating file upload endpoints for security weaknesses.

Install in Claude Code
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-file-upload && cp -r /tmp/offensive-file-upload/Skills/web/offensive-file-upload ~/.claude/skills/offensive-file-upload
Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# SKILL: File Upload Vulnerabilities

## Metadata
- **Skill Name**: file-upload
- **Folder**: offensive-file-upload
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/file-upload.md

## Description
File upload vulnerability checklist: MIME type bypass, extension bypass, magic byte manipulation, path traversal in filenames, stored XSS via SVG/HTML upload, server-side processing attacks, and race conditions. Use for assessing file upload endpoints in web app pentests or bug bounty.

## Trigger Phrases
Use this skill when the conversation involves any of:
`file upload, MIME bypass, extension bypass, magic byte, path traversal upload, SVG XSS, polyglot, upload bypass, malicious upload, web shell upload`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# File Upload Vulnerabilities

## Mechanisms

```mermaid
flowchart TD
    A[File Upload Vulnerabilities] --> B[Insufficient File Type Validation]
    A --> C[Improper Extension Handling]
    A --> D[Inadequate File Content Analysis]
    A --> E[Unsafe File Storage]
    A --> F[File Operation Mishandling]
    A --> G[Directory Traversal]
    A --> H[Race Conditions]

    B --> I[Remote Code Execution]
    C --> I
    D --> J[Client-Side Attacks]
    E --> I
    F --> K[Denial of Service]
    G --> L[Arbitrary File Access]
    H --> I
```

File upload vulnerabilities occur when web applications allow users to upload files without implementing proper validation, filtering, and handling mechanisms.
These vulnerabilities can lead to various attacks, ranging from simple web defacement to complete server compromise through remote code execution.

The core technical issues behind file upload vulnerabilities include:

- **Insufficient File Type Validation**: Failure to properly validate the actual content/type of uploaded files
- **Improper Extension Handling**: Not restricting dangerous file extensions or allowing easy bypasses
- **Inadequate File Content Analysis**: Not checking the actual file content versus relying only on extension or content-type
- **Unsafe File Storage**: Storing files in executable directories or with dangerous permissions
- **File Operation Mishandling**: Not securely handling file operations during the upload process
- **Directory Traversal Vulnerabilities**: Allowing manipulation of upload paths
- **Race Conditions**: Timing issues during validation and moving of uploaded files
- **Archive Extraction Flaws**: Insecure handling of archive formats like ZIP or TAR (e.g., symlink abuse, Zip Slip)
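
For the archive extraction item above, a pre-extraction audit that flags Zip Slip paths and symlink entries before any extractor touches the upload. This is an added example, not code from the skill or its source checklist; `audit_zip` and `build_sample` are hypothetical names and the sample archive is constructed in memory.

```python
import io
import posixpath
import stat
import zipfile


def audit_zip(blob: bytes) -> dict:
    """Map each member name to 'ok' or the reason it must not be extracted."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so Windows-style names are caught.
            name = info.filename.replace("\\", "/")
            # The upper 16 bits of external_attr carry the Unix file mode.
            mode = info.external_attr >> 16
            if name.startswith("/") or name[1:2] == ":":
                verdicts[info.filename] = "absolute path"
            elif ".." in posixpath.normpath(name).split("/"):
                # After normalisation a leading '..' means the entry would
                # land outside the destination directory.
                verdicts[info.filename] = "escapes destination (Zip Slip)"
            elif stat.S_ISLNK(mode):
                verdicts[info.filename] = "symlink entry"
            else:
                verdicts[info.filename] = "ok"
    return verdicts


def build_sample() -> bytes:
    """Constructed archive: one benign file, one traversal name, one symlink."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("docs/../../outside.txt", "x")
        link = zipfile.ZipInfo("docs/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../target")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_zip(build_sample()).items():
        print(f"{member}: {reason}")
```

Reject the whole archive if any member is not `ok`, rather than extracting the remainder.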

File upload vulnerabilities can manifest in various upload functionality patterns:

- **Profile Picture Uploads**: Common in user profiles and social media
- **Document Repositories**: File sharing services and document management systems
- **Media Uploads**: Image, video, and audio uploaders
- **Bulk Import Features**: CSV, XML, and other data import functionality
- **Content Management Systems**: Templates, plugins, themes, and media libraries

## Hunt

### Identifying File Upload Vulnerabilities

#### Target Discovery

1. **Map File Upload Functionality**:
   - Profile picture uploads
   - Document/attachment uploads
   - Import/export features
   - Media galleries
   - CMS admin sections
   - Backup/restore features
   - Avatar/image uploads

2. **Identify Upload Processing Patterns**:
   - Client-side validation patterns (JavaScript checks)
   - Server-side validation indicators
   - File type restrictions mentioned in UI
   - Error messages related to file types

3. **Testing Prerequisites**:
   - Collection of test files (various formats)
   - Proxy for intercepting requests (Burp Suite, ZAP)
   - Web shells for testing execution
   - MIME-type tools for manipulation
   - Containerized/sandboxed converters ready for validation (e.g., bwrap/seccomp profiles)

#### Testing Methodologies

1. **Basic File Upload Testing**:
   - Test uploading standard expected files (baseline)
   - Attempt uploading executable file types (PHP, ASP, JSP, etc.)
   - Modify content-type headers during upload
   - Change file extensions after client-side validation

2. **Extension-Based Testing**:
   - Test alternate extensions for web shells:
     ```
     .php, .php3, .php4, .php5, .phtml, .phar, .phpt, .pht, .phps, .php2, .php6, .php7, .inc, .shtml, .pgif
     .asp, .aspx, .ashx, .asmx, .cer, .asa
     .jsp, .jspx, .jsw, .jsv, .jspf
     .cfm, .cfml, .cfc, .dbm (ColdFusion)
     .pl, .py, .rb, .cgi
     ```
   - Test double extensions:
     ```
     file.jpg.php
     file.php.jpg
     file.php.jpeg
     file.php%00.jpg  # Null byte (older versions)
     file.php%20.jpg  # URL encoded space
     file.php%0d%0a.jpg # CRLF injection
     file.php.blah123jpg # If regex is weak
     ```
   - Test case sensitivity bypass:
     ```
     file.PhP
     file.Php5
     file.AspX
     file.pHp
     file.pHP5
     file.PhAr
     ```
   - Test trailing characters/delimiters:
     ```
     file.php.....
     file.php/
     file.php.\
     file.php. # Trailing dot (Windows specific)
     file.php%20 # Trailing space
     file.php%09 # Trailing tab
     file.php%0a # Trailing newline
     file.php%0d # Trailing carriage return
     file.php::$DATA # NTFS Alternate Data Stream (Windows specific)
     file. # No extension
     .html # Just extension
     ```
   - Test filename manipulation:
     ```
     # Try to cut extension with max filename length limit
     # Try empty filename: .php
     # Send filename parameter twice: filename="allowed.jpg";filename="shell.php"
     ```

3. **Content-Type Testing**:
   - Modify the Content-Type header to bypass MIME validation:
     ```
     Content-Type: image/jpeg  # actua
     ```