FILE UPLOAD ATTACKS: Blacklist Filters

Hello everyone!
Faced an issue where I can’t pass this task. What was done:

  • Created a file for injection to know where the page is:
<?php echo 'Backdoor is here!!!'; ?>
  • Intercepted the request with Burp → go to Intruder. Tried all PHP extensions: php, phps, php3, php4, php5, phtml, phtm. Only php, phps, php5 and phtml are blocked on the server. Tried to use the others - the file uploads, but the page doesn’t show my output → the file is there but doesn’t execute on the server

  • Tried Intruder with other methods: pHp, php%00, php\x00 - doesn’t work, and I don’t know how to send requests for files with a %00 extension, etc…

Do you have any hints/ideas what to try and what I’m doing wrong?


Hope you got the answer by now… Just in case you haven’t, try and make use of the cheat sheet resources.

PHP Extensions

Make use of this extension list as your intruder payload. Also make sure to untick URL encoding. After uploading you can use intruder again to look for the files you have uploaded. See which extension gives you back the result you were expecting.

Hope this is helpful…
Happy Hacking!!!


Thank you for a good tip!
My error was in not using this list + I hadn’t used Intruder when performing the GET request. Now I’ve found a working extension, thank you :slight_smile:

1 Like

Hey, I am curious what you mean by “Intruder with GET request” because I am only seeing a POST being able to run the attack on. Also I am having trouble: I used the list he said and I am still not seeing them reflected on the server.

We’re using a POST request to upload our file, but to exploit it, we have to use a GET request with the path to our file.
Please describe how you’re using Burp, have you disabled URL encoding of the request, etc.
For me, the biggest problem was there :slight_smile: The PHP extension can be easily found from that list above, or you can create that list with additional characters as in my first message in the thread.


I have identified the extension which is not blocked, but the PHP code is not executing. Could you please give me a hint?

1 Like

I had a lot of problems with this task. Eventually, after many resets of the machine, it started working.

If anybody is stuck, I will try to assist you. Just shoot me a message.


I’m confused. I fuzzed with ffuf and Burp and I tried different extensions.



I was able to upload them but they couldn’t be executed.


shell1.php.jpg?cmd=id” cannot be displayed because it contains errors.

I am also getting the same issue. After fuzzing the extensions, so many successful extensions are getting uploaded, but when we call the file, the file is downloading instead of executing the PHP code. I tried with PHP hello world code also.

<?php echo "Hello world" ?>

The file is uploading but not executing the PHP code. I have tried so many times for so many days but still I am getting the same issue.

Same issue here. When I upload the file with a good extension, the response doesn’t execute the PHP code, it only shows the PHP code.

Can anyone give me a hint? The upload icon is always greyed out, even when using extensions that shouldn’t be blocked, like pgif.

I don’t see any way to do that as there aren’t any GET requests that allow for you to point to a file. I don’t see how you’re able to do that in this situation. When you upload a file, it generates a POST request only. Where are you getting your GET request from?

The easiest way to do this is that once you have the responses that give a length of 193, just use the browser to constantly change to one of those extensions. Keep adjusting the extension until you hit the right one. There is one that doesn’t print the command on the page.

For some reason I’m able to upload a lot of different extensions, but when I go to the directory and try to run any command with “?cmd=” I just don’t get any output back.

try with .phar

Yeah, I was just not in the mood to go at each successful upload request to check if it gave me a working webshell.

Even if your files (PHP types in this case) get uploaded, there are still cases where they won’t get executed. So once you’ve worked on bypassing the upload restrictions, you’ve got to work on fuzzing to find the extensions that actually execute the file.
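For anyone wondering why a blacklist behaves the way this thread describes, here is an added illustration (not the module’s code or any poster’s) of a weak extension denylist beside a hardened allowlist check. The function names, the blocked list and the sample filenames are assumptions constructed for the example.

```php
<?php
// Added example: weak extension blacklist versus a hardened whitelist.
// Function names, the blocked list and sample names are assumptions.

// Weak: a denylist. Anything not listed (php3, php4, phtm, phar, ...)
// passes, which is exactly the gap people in the thread are fuzzing for.
// The list mirrors what the first post observed being blocked.
function blacklist_allows(string $filename): bool {
    $blocked = ['php', 'phps', 'php5', 'phtml'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Hardened: allow only known image extensions, require exactly one
// extension (rejects shell1.php.jpg), and reject control characters
// such as the %00 / \x00 attempts mentioned above. Whether an uploaded
// file executes is still decided by the web server's handler mapping,
// so uploads should also be stored outside the web root or renamed.
function whitelist_allows(string $filename): bool {
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    $base = basename($filename);
    if (preg_match('/[\x00-\x1f]/', $base)) {   // null byte or other control char
        return false;
    }
    if (substr_count($base, '.') !== 1) {       // exactly one extension
        return false;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, $allowed, true);
}

// Constructed sample names mirroring the attempts discussed in the thread.
$samples = ['shell.php', 'shell.pHp', 'shell.php3', 'shell.phar',
            "shell.php\x00.jpg", 'shell1.php.jpg', 'avatar.png'];
foreach ($samples as $name) {
    printf("%-20s blacklist=%-5s whitelist=%s\n",
        addcslashes($name, "\0"),
        blacklist_allows($name) ? 'pass' : 'block',
        whitelist_allows($name) ? 'pass' : 'block');
}
```

Run it with the PHP CLI to see which of the constructed names each check lets through; only avatar.png passes the allowlist.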