Bypassing File Upload Restrictions

Common techniques for bypassing file upload restrictions on websites.

  • Change the Content-Type value in the request header using an intercepting proxy such as Burp or ZAP
  • Use server-executable extensions such as file.php5, file.shtml, file.asa, file.cert
  • Change letters to upper case, e.g. file.aSp or file.PHp3
  • Use trailing spaces and/or dots at the end of the filename, e.g. file.asp… … . . .. .. , file.asp , file.asp.
  • Use a semicolon after the forbidden extension and before the permitted extension, e.g. file.asp;.jpg (only in IIS 6 or prior)
  • Upload a file with two extensions, e.g. file.php.jpg
  • Use a null character, e.g. file.asp%00.jpg
  • Create a file with a forbidden extension, e.g. file.asp:.jpg or file.asp::$data
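
From the defender's side, each filename trick in the list above can be caught by a server-side check before the file is stored. The following is an added example, not part of the original page; the allow-list, the function names reject_reasons and stored_name, and the sample filenames are assumptions for illustration.

```python
import re
import secrets

# Assumptions for this sketch: an image-only allow-list, and a deny-list built
# from the extensions named in the list above.
ALLOWED = {"jpg", "jpeg", "png", "gif"}
EXECUTABLE = {"php", "php3", "php5", "asp", "asa", "shtml", "cert"}


def reject_reasons(filename):
    """Return why a client-supplied filename is refused ([] means accepted).

    The request's Content-Type is deliberately not consulted: the client sets it.
    """
    reasons = []
    if "\x00" in filename or "%00" in filename:
        reasons.append("null byte")              # file.asp%00.jpg
    if ";" in filename:
        reasons.append("semicolon")              # file.asp;.jpg
    if ":" in filename:
        reasons.append("colon")                  # file.asp:.jpg, file.asp::$data
    trimmed = filename.rstrip(". \u2026")
    if trimmed != filename:
        reasons.append("trailing dot or space")  # "file.asp." / "file.asp "
    # Compare case-insensitively so file.aSp and file.PHp3 match the lists.
    segments = re.split(r"[.;:\x00]|%00", trimmed.lower())
    extensions = [s for s in segments[1:] if s]
    if not extensions or extensions[-1] not in ALLOWED:
        reasons.append("extension not allowed")
    if any(ext in EXECUTABLE for ext in extensions[:-1]):
        reasons.append("executable inner extension")  # file.php.jpg
    return reasons


def stored_name(filename):
    """Return a server-generated name for an accepted upload, else None."""
    if reject_reasons(filename):
        return None
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names, one per technique in the list.
    for name in ["photo.JPG", "file.php5", "file.aSp", "file.asp.", "file.asp ",
                 "file.asp;.jpg", "file.php.jpg", "file.asp%00.jpg", "file.asp::$data"]:
        print(repr(name), reject_reasons(name) or "accepted")
```

Storing the upload under the generated name means the client-supplied name never reaches the filesystem or the web server's handler mapping.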

When Both MOVE and PUT HTTP Methods Are Available

Create payload and rename to .txt:

Upload file via Curl and PUT Method:

From ZAP or Burp rename/move the file to shell443.asp;.jpg where jpg is allowed:

Accept: */*
Destination: /shell443.asp;.jpg
Overwrite: F
Content-Length: 0