
# Unrestricted File Upload

Unrestricted File Upload is a security vulnerability where an attacker can upload arbitrary files with attacker-controlled content, potentially to arbitrary locations.

Unrestricted file upload may be used to get:

* Remote Code Execution
  * Especially in PHP and similar languages, since the server commonly executes an uploaded file as code when it is requested by URL.
  * When the web application runs as root and a path traversal lets you choose the upload directory. In that case, upload a file in the correct format to `/etc/cron.d` and it will get executed.
* Cross-Site Scripting, if you can add or overwrite a file that contains HTML
* XML External Entities: If the website uses an insecure XML parser, then you might be able to exploit an XXE vulnerability by getting the insecure parser to parse a malicious XML file. In that case, the file upload vulnerability can be used to smuggle a malicious XML file onto the web server for exploitation.

## Bypass Mitigations

### Bypass MIME Type Check

If the MIME type is checked by the target application, then use Burp Suite to change the MIME type to the correct value.

### Bypass Image Validity Check

If the image is checked for validity using an image library, then you can still produce a valid image with malicious data embedded in it. This is useful in PHP applications, for example: if you can upload a `.php` file with PHP code embedded in it, that might lead to RCE.

This can be done using `jhead`.

{% embed url="https://phocean.net/2013/09/29/file-upload-vulnerabilities-appending-php-code-to-an-image.html" %}

First, clear the headers of an existing `myfile.jpg` file:

```
jhead -purejpg myfile.jpg
```

Add an EXIF comment and write PHP code there:

```
jhead -ce myfile.jpg
```

Example code:

```
<?php echo "hi"; __halt_compiler();?>
```

*Note: `__halt_compiler()` stops the PHP parser at that point, so the trailing image bytes are never interpreted as code (without it they would cause a parse error).*
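Seen from the defending side, the two checks this section bypasses fail for the same reason: both trust something the uploader controls (the declared MIME type, and whatever metadata the image carries). The following Python validator is an added example, not code from the original page or from `jhead`'s authors, showing checks that do hold: it ignores the client filename and `Content-Type` entirely, sniffs magic bytes to choose the stored extension, generates the stored name server-side (so a traversal to `/etc/cron.d` has nothing to steer), and walks the JPEG marker segments to drop the COM and APP1..APP15 segments where `jhead -ce` places its comment. The names `validate_upload`, `strip_jpeg_metadata`, `Verdict` and the `SAMPLE_JPEG` bytes are assumptions constructed for this example; the sample is a structurally valid JPEG skeleton carrying the page's own PHP snippet in a COM segment, not a decodable picture.

```python
import os
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

# Magic-byte signatures for the image types this handler accepts.
# The client-supplied Content-Type header is never consulted: it is trivial to change.
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
}
MAX_BYTES = 5 * 1024 * 1024


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-generated; the client name is never reused
    data: bytes = b""       # bytes actually written to disk (metadata stripped)


def detect_type(data: bytes) -> Optional[str]:
    """Return the allowed image type by magic bytes, or None."""
    for sig, ext in MAGIC.items():
        if data.startswith(sig):
            return ext
    return None


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Drop COM (0xFE) and APP1..APP15 (0xE1..0xEF) segments from a JPEG.

    Walks the length-prefixed marker segments that precede Start-Of-Scan
    (0xDA) and copies only those the decoder needs (APP0/JFIF, DQT, DHT, SOF...);
    everything from SOS to the end is copied verbatim. EXIF and user comments
    live in COM/APP1, which is exactly where an embedded payload sits.
    Anything structurally off is treated as malformed and rejected.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    out = bytearray(b"\xff\xd8")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed JPEG: expected marker")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded scan data follows, keep the rest as-is
            out += data[pos:]
            return bytes(out)
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("malformed JPEG: bad segment length")
        drop = marker == 0xFE or 0xE1 <= marker <= 0xEF
        if not drop:
            out += data[pos:pos + 2 + length]
        pos += 2 + length
    raise ValueError("malformed JPEG: no SOS segment")


def validate_upload(client_name: str, content_type: str, data: bytes) -> Verdict:
    """Decide whether an upload is stored, and with what name and bytes."""
    if len(data) > MAX_BYTES:
        return Verdict(False, "too large")
    # Only a bare basename is acceptable; "../../etc/cron.d/job" never reaches the
    # filesystem, and the stored name below is generated server-side regardless.
    base = os.path.basename(client_name.replace("\\", "/"))
    if base in ("", ".", "..") or base != client_name:
        return Verdict(False, "path separators or traversal in filename")
    kind = detect_type(data)
    if kind is None:
        return Verdict(False, "content does not match an allowed image signature")
    # The extension comes from the detected content, never from the client name or
    # Content-Type: "shell.php", "shell.php.jpg" and a forged image/jpeg header all lose.
    try:
        if kind == "jpg":
            data = strip_jpeg_metadata(data)
    except ValueError as exc:
        return Verdict(False, f"rejected: {exc}")
    stored = f"{secrets.token_hex(16)}.{kind}"
    return Verdict(True, f"accepted as {kind}; declared {content_type!r} and name {client_name!r} ignored",
                   stored, data)


def _seg(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG skeleton (not a decodable picture) with the
# page's PHP snippet planted in the COM segment, the way `jhead -ce` would place it.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")   # APP0, kept
    + _seg(0xFE, b"<?php echo \"hi\"; __halt_compiler();?>")          # COM, dropped
    + _seg(0xDB, b"\x00" + bytes(64))                                   # DQT, kept
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                           # SOS, rest verbatim
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    v = validate_upload("shell.php", "image/jpeg", SAMPLE_JPEG)
    print(v.accepted, v.stored_name, v.reason, b"<?php" in v.data)
```

Two caveats a practitioner would add: PNG text chunks (`tEXt`, `iTXt`, `zTXt`) need the same per-chunk treatment, and re-encoding through an image library is the more thorough option where one is available. Stripping metadata is defence in depth; the primary control is still that the storage location is never served with a script handler, so a stray `<?php` in a file is inert even if it slips through.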
