Back to Details

upload-insecure-files

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

SKILL: Upload Insecure Files — Validation Bypass, Storage Abuse, and Processing Chains

SKILL: 不安全文件上传 —— 校验绕过、存储滥用与处理链利用

AI LOAD INSTRUCTION: Expert file upload attack playbook. Use when the target accepts files, imports, avatars, media, documents, or archives and you need the full workflow: validation bypass, storage path abuse, post-upload access, parser exploitation, multi-tenant overwrite, and chaining into XSS, XXE, CMDi, traversal, or business logic impact. For web server parsing vulnerabilities, PUT method exploitation, and specific CVEs (WebLogic, Flink, Tomcat), load the companion SCENARIOS.md.
AI 加载指引:专家级文件上传攻击操作手册。当目标支持接收文件、导入内容、头像、媒体、文档或压缩包,且你需要完整的攻击工作流时使用:校验绕过、存储路径滥用、上传后访问、解析器利用、多租户覆盖,以及链式利用实现XSS、XXE、CMDi、路径遍历或业务逻辑影响。如需了解Web服务器解析漏洞、PUT方法利用以及特定CVE(WebLogic、Flink、Tomcat),请加载配套文档 SCENARIOS.md

0. RELATED ROUTING

0. 关联参考路径

Extended Scenarios

扩展场景

Also load SCENARIOS.md when you need:
  • IIS parsing vulnerabilities — 
    x.asp/
    directory parsing, 
    ;
    semicolon truncation (
    shell.asp;.jpg
    )
  • Nginx parsing misconfiguration — 
    avatar.jpg/.php
    with 
    cgi.fix_pathinfo=1
  • Apache parsing — multiple extensions, 
    AddHandler
    , CVE-2017-15715 
    \n
    (0x0A) bypass
  • PUT method exploitation — IIS WebDAV PUT+COPY, Tomcat CVE-2017-12615 
    readonly
    + 
    .jsp/
    bypass
  • WebLogic CVE-2018-2894 arbitrary file upload via Web Service Test Page
  • Apache Flink CVE-2020-17518 file upload with path traversal
  • Upload + parsing vulnerability chain — EXIF PHP code + Nginx 
    /.php
    path info
  • Full extension bypass reference table (PHP/ASP/JSP alternatives, case variations, null bytes)
Use this file as the deep upload workflow reference. Also load:
  • path traversal lfi when filename, extraction path, or include path becomes file-system control
  • xss cross site scripting when uploads are rendered in browser contexts
  • xxe xml external entity when SVG, OOXML, or XML imports are accepted
  • cmdi command injection when a processor, converter, or media pipeline executes system tools
  • business logic vulnerabilities when quotas, overwrite rules, approvals, or storage paths create logic bugs
当你需要以下内容时也请加载 SCENARIOS.md
  • IIS 解析漏洞 —— 
    x.asp/
    目录解析、
    ;
    分号截断(
    shell.asp;.jpg
  • Nginx 解析配置错误 —— 搭配 
    cgi.fix_pathinfo=1
    avatar.jpg/.php
    利用
  • Apache 解析 —— 多扩展名、
    AddHandler
    配置、CVE-2017-15715 
    \n
    (0x0A)绕过
  • PUT 方法利用 —— IIS WebDAV PUT+COPY、Tomcat CVE-2017-12615 
    readonly
    + 
    .jsp/
    绕过
  • WebLogic CVE-2018-2894 通过Web服务测试页面实现任意文件上传
  • Apache Flink CVE-2020-17518 带路径遍历的文件上传漏洞
  • 上传+解析漏洞利用链 —— EXIF嵌入PHP代码 + Nginx 
    /.php
    path info 利用
  • 完整扩展名绕过参考表(PHP/ASP/JSP替代扩展名、大小写变体、空字节绕过)
本文档作为深层上传工作流参考,你还可以加载以下相关文档:
  • 路径遍历与本地文件包含:当文件名、解压路径或包含路径可被文件系统控制时使用
  • XSS跨站脚本:当上传内容会在浏览器上下文渲染时使用
  • XXE XML外部实体注入:当目标支持接收SVG、OOXML或XML导入时使用
  • CMDi命令注入:当处理器、转换器或媒体流水线会执行系统工具时使用
  • 业务逻辑漏洞:当配额、覆盖规则、审批流程或存储路径存在逻辑缺陷时使用

1. CORE MODEL

1. 核心模型

Every upload feature should be tested as four separate trust boundaries:
  1. Accept: what validation happens before the file is stored?
  2. Store: where is the file written and under what name and permissions?
  3. Process: what background tools, converters, scanners, parsers, or extractors touch it?
  4. Serve: how is it later downloaded, rendered, transformed, or shared?
Many targets validate only one stage. The bug usually appears in a different stage than the one where the file was uploaded.
每个上传功能都应该作为四个独立的信任边界进行测试:
  1. 接收阶段:文件存储前会进行哪些校验?
  2. 存储阶段:文件被写入到什么位置?使用什么文件名和权限?
  3. 处理阶段:哪些后台工具、转换器、扫描器、解析器或提取器会处理该文件?
  4. 分发阶段:后续文件会如何被下载、渲染、转换或共享?
很多目标仅对其中一个阶段做校验,漏洞通常出现在与上传阶段不同的其他环节。

2. RECON QUESTIONS FIRST

2. 优先完成信息收集

Before payload selection, answer these:
  • Which extensions are allowed, denied, or normalized?
  • Does the backend trust extension, MIME type, magic bytes, or all three?
  • Is the file renamed, transcoded, unzipped, scanned, or re-hosted?
  • Is retrieval direct, proxied, signed, or served from a CDN?
  • Can one user predict or overwrite another user's file path?
  • Do filenames, metadata, or previews reflect back into HTML, logs, admin consoles, or PDFs?
在选择Payload之前,先明确以下问题:
  • 允许、禁止或标准化处理的扩展名有哪些?
  • 后端是信任扩展名、MIME类型、Magic Bytes,还是三者都校验?
  • 文件会被重命名、转码、解压、扫描还是重新托管?
  • 文件获取方式是直接访问、代理访问、签名URL还是从CDN分发?
  • 一个用户是否可以预测或覆盖另一个用户的文件路径?
  • 文件名、元数据或预览内容是否会回显到HTML、日志、管理控制台或PDF中?

3. VALIDATION BYPASS MATRIX

3. 校验绕过矩阵

Validation StyleWhat to Test
extension blacklistdouble extension, case toggles, trailing dot, alternate separators
content-type onlymismatched multipart 
Content-Type
, browser vs proxy rewrite
magic-byte onlypolyglot files or valid header plus dangerous tail content
server-side renamewhether dangerous content survives rename and later rendering
image-only policySVG, malformed image plus metadata, parser differential
archive or import onlyzip contents, nested path names, XML members, decompression behavior
Representative bypass families:
text
shell.php.jpg
avatar.jpg.php
file.asp;.jpg
file.php%00.jpg
file.svg
archive.zip
这组小样本已经覆盖了原本单独 upload payload helper 的主要用途,不再需要额外入口来做第一轮选型。
Do not stop at upload success. Successful upload without dangerous retrieval or processing is not enough.
校验类型测试内容
扩展名黑名单双扩展名、大小写切换、尾部点号、替代分隔符
仅校验Content-Type不匹配的multipart 
Content-Type
、浏览器与代理重写差异
仅校验Magic BytesPolyglot混合格式文件、合法头部加危险尾部内容
服务端重命名危险内容是否会在重命名后留存并在后续渲染时触发风险
仅允许图片策略SVG、带元数据的畸形图片、解析器差异利用
仅允许压缩包或导入文件压缩包内容、嵌套路径名、XML成员、解压行为
典型绕过Payload类别:
text
shell.php.jpg
avatar.jpg.php
file.asp;.jpg
file.php%00.jpg
file.svg
archive.zip
这组小样本已经覆盖了原本单独 upload payload helper 的主要用途,不再需要额外入口来做第一轮选型。
不要在上传成功后就停止测试,仅上传成功但没有危险的访问或处理链路是没有利用价值的。

4. STORAGE AND RETRIEVAL ABUSE

4. 存储与访问滥用

Predictable or controllable paths

可预测或可控路径

Look for patterns like:
text
/uploads/USER_ID/avatar.png
/files/org-slug/report.pdf
/cdn/tmp/<uuid>/<filename>
Test for:
  • cross-tenant read by guessing IDs, slugs, or UUID patterns
  • overwrite by reusing another user's filename
  • path normalization bugs in filename or archive members
  • private file exposed through direct object URL despite UI-level access control
寻找类似以下的路径模式:
text
/uploads/USER_ID/avatar.png
/files/org-slug/report.pdf
/cdn/tmp/<uuid>/<filename>
测试以下场景:
  • 通过猜测ID、slug或UUID模式实现跨租户读取
  • 通过复用其他用户的文件名实现覆盖
  • 文件名或压缩包成员的路径规范化缺陷
  • 尽管UI层面有访问控制,私有文件仍可通过直接对象URL访问

Filename-based injection surfaces

基于文件名的注入面

A safe file can still be dangerous if the filename is reflected into:
  • gallery HTML
  • admin moderation panels
  • PDF/CSV export jobs
  • logs, audit views, or email notifications
If filename is reflected, treat it like stored input, not like passive metadata.
如果文件名会回显到以下位置,即使是安全的文件也可能存在风险:
  • 相册HTML页面
  • 管理审核面板
  • PDF/CSV导出任务
  • 日志、审计视图或邮件通知
如果文件名会被回显,将其视为存储型输入而非被动元数据处理。

5. PROCESSING-CHAIN ATTACKS

5. 处理链攻击

The highest-value upload bugs often live in asynchronous processors.
最高价值的上传漏洞通常存在于异步处理器中。

Common processor classes

常见处理器类别

ProcessorRisk
image resizing or thumbnailingparser differential, ImageMagick or library bugs, metadata reflection
video or audio transcodingFFmpeg-style parsing and protocol abuse
archive extractionzip slip, overwrite, decompression bombs
document importCSV formula injection, office XML parsing, macro-adjacent workflows
XML or SVG parsingXXE, SSRF, local file disclosure
HTML to PDF or preview renderingSSRF, script execution, local file references
AV or DLP scanningunzip depth, hidden nested content, race conditions
处理器风险
图片缩放或缩略图生成解析器差异、ImageMagick或依赖库漏洞、元数据回显
音视频转码FFmpeg类解析与协议滥用
压缩包解压Zip Slip、文件覆盖、解压炸弹
文档导入CSV公式注入、Office XML解析、类宏工作流风险
XML或SVG解析XXE、SSRF、本地文件泄露
HTML转PDF或预览渲染SSRF、脚本执行、本地文件引用
杀毒或DLP扫描解压深度限制、隐藏嵌套内容、竞争条件

What to prove

需要验证的点

  1. The file is touched by a processor.
  2. The processor behaves differently from the upload validator.
  3. That difference creates impact: read, execute, overwrite, SSRF, or stored client-side execution.
  1. 该文件会被处理器处理
  2. 处理器的行为与上传校验器的行为存在差异
  3. 该差异会产生安全影响:读取、执行、覆盖、SSRF或存储型客户端执行

6. HIGH-VALUE EXPLOITATION PATHS

6. 高价值利用路径

Browser execution

浏览器端执行

  • SVG served as active content
  • HTML or text uploads rendered inline
  • EXIF or filename reflected into an HTML page
  • SVG作为活动内容分发
  • HTML或文本上传内容被内联渲染
  • EXIF或文件名回显到HTML页面

XML and document parsing

XML与文档解析

  • SVG XXE for file read or SSRF
  • OOXML import for XML entity or parser abuse
  • CSV import for formula execution in analyst workflows
  • 利用SVG XXE实现文件读取或SSRF
  • OOXML导入实现XML实体或解析器滥用
  • CSV导入在分析师工作流中触发公式执行

Server-side execution or file-system impact

服务端执行或文件系统影响

  • image or document converter invoking shell tools
  • zip slip writing outside intended directory
  • upload-to-LFI chain where uploaded content later becomes includable
  • 图片或文档转换器调用Shell工具
  • Zip Slip写入到预期目录之外
  • 上传到LFI的利用链:上传内容后续可被包含执行

Access-control and sharing bugs

访问控制与共享漏洞

  • private upload accessible via predictable URL
  • moderation or quarantine path still publicly reachable
  • one user replacing another user's public asset
  • 私有上传内容可通过可预测URL访问
  • 审核或隔离路径仍可公开访问
  • 一个用户可以替换另一个用户的公开资源

7. AUTHORIZATION AND BUSINESS LOGIC CHECKS

7. 权限与业务逻辑检查

Upload features frequently hide non-parser bugs:
  • upload quota enforced in UI but not API
  • plan restrictions checked on upload page but not on import endpoint
  • file ownership checked on list view but not on direct download or replace endpoint
  • approval workflow bypassed by calling the final storage endpoint directly
  • delete or replace action missing object-level authorization
When the upload path includes account, project, or organization identifiers, always run an A/B authorization test.
上传功能经常隐藏非解析类漏洞:
  • 上传配额仅在UI层面校验,API层面未校验
  • 套餐限制仅在上传页面检查,导入端点未检查
  • 文件所有权仅在列表视图检查,直接下载或替换端点未检查
  • 通过直接调用最终存储端点绕过审批工作流
  • 删除或替换操作缺少对象级权限校验
当上传路径包含账户、项目或组织标识时,始终执行A/B权限测试。

8. TEST SEQUENCE

8. 测试流程

  1. Upload one benign marker file and map rename, path, and retrieval behavior.
  2. Try one validation-bypass sample and one active-content sample.
  3. Check whether retrieval is attachment, inline render, transformed preview, or background processing.
  4. If processing exists, pivot by processor family: XSS, XXE, CMDi, zip slip, or SSRF.
  5. Run tenant-boundary and overwrite tests on file IDs, replace endpoints, and public URLs.
  1. 上传一个 benign 标记文件,梳理重命名、路径和访问行为
  2. 尝试一个校验绕过样本和一个活动内容样本
  3. 检查文件访问方式是附件下载、内联渲染、转换预览还是后台处理
  4. 如果存在处理环节,根据处理器类别切换测试方向:XSS、XXE、CMDi、Zip Slip或SSRF
  5. 对文件ID、替换端点和公开URL执行租户边界与覆盖测试

9. CHAINING MAP

9. 利用链映射

ObservationPivot
SVG or XML acceptedxxe xml external entity
filename or metadata reflectedxss cross site scripting
converter or processor shells outcmdi command injection
extraction path looks controllablepath traversal lfi
overwrite, quota, approval, or tenant bugbusiness logic vulnerabilities
观察到的现象切换到对应测试方向
支持接收SVG或XMLXXE XML外部实体注入
文件名或元数据会被回显XSS跨站脚本
转换器或处理器会调用ShellCMDi命令注入
解压路径看起来可控路径遍历与本地文件包含
存在覆盖、配额、审批或租户漏洞业务逻辑漏洞

10. OPERATOR CHECKLIST

10. 测试人员检查清单

text
[] Confirm accept/store/process/serve stages separately
[] Test one extension bypass and one content-based payload
[] Check inline render vs forced download
[] Inspect filenames, metadata, and preview surfaces for reflection
[] Probe processing chain: image, archive, XML, document, PDF
[] Run A/B authorization on read, replace, delete, and share actions
[] Map predictable paths and public/private URL boundaries
text
[] 分别验证接收/存储/处理/分发四个阶段
[] 测试一个扩展名绕过Payload和一个基于内容的Payload
[] 检查内联渲染与强制下载的差异
[] 排查文件名、元数据和预览面的回显风险
[] 探测处理链:图片、压缩包、XML、文档、PDF
[] 对读取、替换、删除和共享操作执行A/B权限测试
[] 梳理可预测路径与公开/私有URL边界

11. UPLOAD SUCCESS RATE MODEL & ADVANCED METHODOLOGY

11. 上传成功率模型与高级方法论

Success Rate Formula

成功率公式

P(RCE via Upload) = P(bypass_detection) × P(obtain_path) × P(execute_via_webserver)
Many testers focus only on bypassing file type checks, but forget:
  • Path discovery: Without knowing the upload path, even a successful bypass is useless
  • Server parsing: Even with a 
    .php
    file uploaded, if the web server doesn't parse it as PHP, no RCE
P(通过上传实现RCE) = P(绕过检测) × P(获取存储路径) × P(通过Web服务器执行)
很多测试人员仅关注绕过文件类型检查,却忽略了:
  • 路径发现:不知道上传路径的话,即使绕过校验也没有价值
  • 服务端解析:即使上传了
    .php
    文件,如果Web服务器不将其解析为PHP,也无法实现RCE

Rich Text Editor Path Matrix

富文本编辑器路径矩阵

EditorCommon Upload PathVersion Indicator
FCKeditor
/fckeditor/editor/filemanager/connectors/
/fckeditor/_whatsnew.html
CKEditor
/ckeditor/
/ckeditor/CHANGES.md
eWebEditor
/ewebeditor/
Admin: 
/ewebeditor/admin_login.asp
KindEditor
/kindeditor/attached/
/kindeditor/kindeditor.js
UEditor
/ueditor/net/
or 
/ueditor/php/
/ueditor/ueditor.config.js
编辑器常见上传路径版本标识路径
FCKeditor
/fckeditor/editor/filemanager/connectors/
/fckeditor/_whatsnew.html
CKEditor
/ckeditor/
/ckeditor/CHANGES.md
eWebEditor
/ewebeditor/
后台:
/ewebeditor/admin_login.asp
KindEditor
/kindeditor/attached/
/kindeditor/kindeditor.js
UEditor
/ueditor/net/
/ueditor/php/
/ueditor/ueditor.config.js

Validation Defect Taxonomy (5 Dimensions)

校验缺陷分类(5个维度)

DimensionFlaw Examples
LocationClient-side only, inconsistent front/back
MethodExtension blacklist (incomplete), MIME check only, magic bytes only
Logic orderRenames AFTER execution check, validates BEFORE full upload
ScopeChecks filename but not file content, checks first bytes only
Execution contextUpload succeeds but different vhost/handler processes the file
维度缺陷示例
位置仅客户端校验、前后端校验逻辑不一致
方法扩展名黑名单不完整、仅校验MIME类型、仅校验Magic Bytes
逻辑顺序执行检查之后再重命名、全量上传完成前就完成校验
范围仅校验文件名不校验文件内容、仅校验文件前几个字节
执行上下文上传成功但文件由不同的虚拟主机/处理器处理

Response Manipulation Bypass

响应篡改绕过

undefined
undefined

If server returns allowedTypes in response for client-side validation:

如果服务器在响应中返回allowedTypes供客户端校验:

Intercept response → modify allowedTypes to include .php → upload .php

拦截响应 → 修改allowedTypes添加.php扩展名 → 上传.php文件

The server never actually validates — it trusts client filtering

服务端实际不会做校验,完全信任客户端的过滤结果

undefined
undefined

IIS Semicolon Parsing

IIS 分号解析漏洞

undefined
undefined

IIS treats semicolon as parameter delimiter in filenames:

IIS将文件名中的分号视为参数分隔符:

shell.asp;.jpg → IIS executes as ASP
shell.asp;.jpg → IIS会将其作为ASP文件执行

NTFS Alternate Data Stream:

NTFS交换数据流:

shell.asp::$DATA → Bypasses extension check, IIS may execute
undefined
shell.asp::$DATA → 绕过扩展名检查,IIS可能会执行该文件
undefined

Apache Multi-Extension

Apache 多扩展名解析

undefined
undefined

Apache parses right-to-left for handler:

Apache从右到左匹配处理器:

shell.php.jpg → May execute as PHP if AddHandler php applies
shell.php.jpg → 如果配置了AddHandler php规则,可能会作为PHP执行

Newline in filename (CVE-2017-15715):

文件名中的换行符(CVE-2017-15715):

shell.php\x0a → Bypasses regex but Apache still executes as PHP
undefined
shell.php\x0a → 绕过正则校验,但Apache仍会将其作为PHP执行
undefined

Nginx cgi.fix_pathinfo

Nginx cgi.fix_pathinfo 漏洞

undefined
undefined

With cgi.fix_pathinfo=1 (PHP-FPM):

当配置cgi.fix_pathinfo=1(PHP-FPM)时:

/uploads/image.jpg/anything.php → PHP processes image.jpg as PHP!
/uploads/image.jpg/anything.php → PHP会将image.jpg作为PHP文件处理!

Upload legitimate-looking JPG with PHP code embedded

可以上传嵌入PHP代码的正常外观JPG文件利用该漏洞

undefined
undefined