# Injection: Remote Code Execution via File Upload (Polyglot)

Identifier: `file_upload_rce`

## Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
## Description

Remote code execution via file upload (CWE-94 and CWE-434) occurs when an application accepts uploaded files and serves them from a directory the underlying runtime treats as executable: PHP under Apache, classic ASP or web.config under IIS, .htaccess-driven MIME rewrites, or .jsp files in a Java servlet container. A polyglot file (a valid image header followed by appended interpreter source) passes naive MIME-type and magic-byte checks.

How we test: for each detected upload endpoint we submit a series of idempotent polyglot canaries: a GIF89a header followed by a harmless PHP echo of a per-scan canary token, an .htaccess with an AddType line scoped to a per-scan canary filename, a web.config, a .user.ini, and a ZIP polyglot. Each canary is designed to be inert: no shells, no filesystem writes, no privileged operations. Confirmation uses two independent signals, either of which is sufficient: (a) the retrieval response body reflects the static canary token (the interpreter executed our echo), or (b) the OOB collector at ssrf.tools.escape.tech receives a tagged callback. The canary token is unique per scan, so cross-customer collisions are impossible.

Every probe emits a `context.info` event with the raw multipart request and the upload / retrieval responses as attachments.
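As an added example (not part of the scanner's own code), the following server-side validator rejects the upload classes this test probes for: server configuration filenames (.htaccess, .user.ini, web.config), double extensions, extension/magic-byte mismatches, and image-headed files carrying an appended interpreter or ZIP marker. The allowlist of image types, the marker list and the sample inputs are assumptions constructed for illustration; the byte-marker scan is a heuristic, and re-encoding accepted images (which drops any trailing data) plus storing them under a random name outside the served directory remain the robust controls.

```python
from typing import Tuple

# Assumed allowlist: only these image types are accepted, each with its magic prefix.
ALLOWED_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# Runtime configuration files that must never land in a served directory.
FORBIDDEN_NAMES = {".htaccess", ".user.ini", "web.config"}
# Interpreter and archive markers that have no business inside an image
# (heuristic: a legitimate binary image could contain these bytes by chance).
EMBEDDED_MARKERS = (b"<?php", b"<?=", b"<%", b"<script", b"PK\x03\x04")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Conservative: anything unexpected is rejected."""
    if "\x00" in filename:
        return False, "null byte in filename"
    # Strip any client-supplied path component; only the base name matters.
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
    if name in FORBIDDEN_NAMES or name.startswith("."):
        return False, "server configuration file or dotfile name"
    parts = name.split(".")
    if len(parts) < 2:
        return False, "missing extension"
    if len(parts) > 2:
        return False, "multiple extensions"  # e.g. photo.php.gif
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} not allowlisted"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "magic bytes do not match extension"
    lowered = data.lower()
    for marker in EMBEDDED_MARKERS:
        if marker.lower() in lowered:
            return False, f"embedded marker {marker!r} after image header"
    return True, "ok"
```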
References:

- https://owasp.org/Top10/A03_2021-Injection/
- https://cwe.mitre.org/data/definitions/94.html
- https://cwe.mitre.org/data/definitions/434.html
## Configuration

### Example

Example configuration:

### Reference

#### skip

Type: boolean

Skip the test if true.