The target was a job recruitment platform. They allowed users to upload resumes, proudly displaying a banner: "All files are scanned for viruses!" I knew they'd be checking for .php and .exe extensions. My goal was deeper. I didn't want to upload a shell; I wanted to upload a resume that was also a shell. By crafting a perfectly malicious polyglot file, a PDF that was simultaneously a valid PHP script, I bypassed their entire security stack. The result was remote code execution and a $4000 bounty. This is the art of the file format polyglot.
Beyond the Extension: The Modern File Upload Landscape
Basic extension blacklists are obsolete. Modern defenses involve:
- Content-Type Verification: Checking the client-supplied Content-Type header (e.g., application/pdf). Note that this header is set by the uploader and can be anything.
- Magic Number Validation: Reading the first few bytes of the file to verify its signature (e.g., %PDF- for PDFs). Only the leading bytes are inspected; whatever follows them is not.
- Content Sanitization: Attempting to parse the file and remove potentially malicious elements.
- Virus Scanning: Using AV engines to…
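To make the gap between these checks concrete, here is an added example (not code from the original post or from the platform it describes) of a small upload validator that runs an extension allowlist, a Content-Type comparison, a magic-number check, and a content scan for PHP open tags, and reports each result separately. Both sample files are constructed inline: one plain PDF skeleton and one with the same %PDF- header plus a PHP tag hidden in a PDF comment line. The type table, function names and the harmless echo payload are all assumptions for the demonstration.

```python
import re

# Allowlist of accepted upload types: the Content-Type expected for each
# extension and the leading "magic" bytes a file of that type must start with.
# (Assumed table for this example.)
ALLOWED_TYPES = {
    "pdf": {"content_type": "application/pdf", "magic": b"%PDF-"},
    "docx": {
        "content_type": "application/vnd.openxmlformats-officedocument"
                        ".wordprocessingml.document",
        "magic": b"PK\x03\x04",  # DOCX is a ZIP container
    },
}

# PHP open tags ("<?php", "<?=") that would be executed if the file were ever
# handed to the PHP interpreter. A polyglot carries one of these past the
# extension, Content-Type and magic-number checks.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Return the lowercase final extension, or '' when there is none."""
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def check_extension(filename: str) -> bool:
    """Allowlist of extensions (a .php/.exe blacklist is the obsolete approach)."""
    return extension_of(filename) in ALLOWED_TYPES


def check_content_type(filename: str, content_type: str) -> bool:
    """Compare the client-supplied Content-Type (ignoring parameters such as
    '; charset=...') with the one expected for the extension."""
    ext = extension_of(filename)
    if ext not in ALLOWED_TYPES:
        return False
    declared = content_type.split(";", 1)[0].strip().lower()
    return declared == ALLOWED_TYPES[ext]["content_type"]


def check_magic(filename: str, data: bytes) -> bool:
    """Magic-number validation: only the first bytes are inspected, which is
    exactly why a file with a real PDF header passes regardless of its body."""
    ext = extension_of(filename)
    return ext in ALLOWED_TYPES and data.startswith(ALLOWED_TYPES[ext]["magic"])


def contains_php(data: bytes) -> bool:
    """Content inspection: look for an embedded PHP open tag anywhere in the file."""
    return PHP_OPEN_TAG.search(data) is not None


def validate_upload(filename: str, content_type: str, data: bytes) -> dict:
    """Run every check and return each verdict, so the gaps are visible."""
    results = {
        "extension": check_extension(filename),
        "content_type": check_content_type(filename, content_type),
        "magic": check_magic(filename, data),
        "no_embedded_php": not contains_php(data),
    }
    results["accepted"] = all(results.values())
    return results


# Constructed sample inputs (not real uploads).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

# Same PDF header, but the second line is a PDF comment (starts with '%') that
# carries a PHP open tag. PDF readers ignore the comment; PHP prints the bytes
# before "<?php" as literal text and executes what is inside the tag. The
# payload is a harmless echo, purely to show the structure.
POLYGLOT_PDF = (
    b"%PDF-1.4\n"
    b"%<?php echo 'polyglot'; ?>\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
)


if __name__ == "__main__":
    for blob in (CLEAN_PDF, POLYGLOT_PDF):
        print(validate_upload("resume.pdf", "application/pdf", blob))
```

Run it and the polyglot sample passes the extension, Content-Type and magic checks and is rejected only by the content scan. That scan is a minimal stand-in for sanitization and is itself evadable (obfuscated tags, other interpreters, archive members), so the durable controls are the ones that remove the execution path entirely: store uploads outside the web root with script execution disabled for that directory, serve them from a separate origin with Content-Disposition: attachment, and where possible re-render the document rather than keep the uploaded bytes.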