File Upload Attacks
| Category | Command / File | Description |
|---|---|---|
| Client-Side Bypass | [CTRL+SHIFT+C] | Toggle Page Inspector |
| Blacklist Bypass | shell.phtml | Uncommon extension |
| | shell.pHp | Case manipulation |
| | PHP Extensions | List of PHP extensions |
| | ASP Extensions | List of ASP extensions |
| | Web Extensions | List of web extensions |
| Whitelist Bypass | shell.jpg.php | Double extension |
| | shell.php.jpg | Reverse double extension |
| | %20, %0a, %00, %0d0a, /, .\, ., … | Character injection (before/after extension) |
| Content/Type Bypass | Content-Types | List of all content-types |
| | File Signatures | List of file signatures / magic bytes |
| Limited Uploads | XSS | HTML, JS, SVG, GIF |
| | XXE / SSRF | XML, SVG, PDF, PPT, DOC |
| | DoS | ZIP, JPG, PNG |

Gopherus: Gopher payload generator