Upload_Bypass – Bypass Upload Restrictions During Penetration Testing

[Koorosh Sanaei Machinegun-]

Upload_Bypass is a command-line tool that automates discovering and exploiting weak file upload filters. If you’re tired of manually renaming extensions and tweaking payloads by hand, this tool does the dirty work.

 

File upload restrictions are one of the last lines of defence in many web apps and one of the most misunderstood.

Some developers rely on MIME type checks. Others try to validate file extensions. A few go the extra mile with content inspection. But as any decent pentester knows, there’s almost always a way in.

---

What Is Upload_Bypass?

Upload_Bypass is a Python-based tool built by sAjibuu that helps bypass file upload protections commonly seen in CTFs, bug bounty targets, and poorly configured web apps.

Instead of endlessly trying variations like shell.php, shell.php5, or shell.jpg.php, you can throw your file at Upload_Bypass and let it rip through automated filter evasion techniques, including:

• Filename and extension variations
• MIME type spoofing
• Header manipulation
• Extension appending (.jpg;.php)
• Uploading polyglot files (e.g. image + PHP)

---

Why This Matters

Improper file upload validation is one of the most common paths to remote code execution (RCE).
Once you can smuggle a malicious file onto a server, you’ve got the ability to:

• Drop webshells
• Execute arbitrary code
• Establish persistence
• Escalate privilege (depending on misconfig)

It’s one of the highest-ROI vulnerabilities in both offensive security and bug bounty hunting.

---

Features

• Automatically tests multiple upload bypass payloads
• Supports common web extensions (.php, .asp, .jsp, .html)
• Smart payload renaming and MIME spoofing
• Verbose output to show what worked and what didn’t
• Designed for CTF players, bug bounty hunters, and red teamers
• Clean and hackable Python source

---

Installation

Simple setup on any system with Python 3:

 

git clone https://github.com/sAjibuu/Upload_Bypass.git cd Upload_Bypass pip install -r requirements.txt python3 Upload_Bypass.py

Example Usage

Upload_Bypass is interactive. You’ll be prompted to:

• Select the file you want to upload
• Choose the output folder
• Pick target extension (e.g. .php)
• Specify the platform (web, mobile, ctf, etc.)

Usage options:

 

Usage: Upload Bypass [OPTIONS]   Options:   -h, --help     Print help (see more with '--help')   -U, --usage   Print the how to save the request file instructions.   -v, --version  Print version   Required Arguments:   -r, --request_file <REQUEST_FILE>    Provide a request file to be proccessed   -E, --extension    <EXTENSION>       Forbidden extension to check (ex: php)   -A, --allowed      <EXTENSION>       Allowed extension (ex: jpeg) - Optional - if not set the program will auto-detect the extension     Choose only one from the options below:   -s, --success      <MESSAGE>         Provide a success message when a file is uploaded (ex: File was uploaded successfully)   -f, --failure      <MESSAGE>         Provide a failure message when a file is uploaded (ex: File is not allowed!)   -S, --status_code  <STATUS_CODE>     Provide a status code for a success upload (ex: 200)   Mode Settings:   -d, --detect          Upload harmless sample files (Suitable for a real penetration test)   -e, --exploit         Upload Web-Shells files when testing   -a, --anti_malware    Upload Anti-Malware Test file (Eicar) when testing       I.  If set with -E flag the program will test with the Eicar string along with the choosen extension       II. If set without the -E flag the program will test with Eicar string and a com extension   Modules Settings:       -l, --list            List all modules     -i, --include_only <MODULES>   Include only modules to test from (ex: extension_shuffle, double_extension)   -x, --exclude      <MODULES>   Exclude modules (ex: svg_xxe, svg_xss)   Request Settings:   --base64              Encode the file data with Base64 algorithm   --allow_redirects     Follow redirects   -P, --put             Use the HTTP PUT method for the requests (Default is POST)   -Pa, --patch          Use the HTTP Patch method for the requests (Default is POST)   -R, --response        Print the response to the screen   -c, --continue        Continue testing all files, even if a few uploads encountered success   -t, --time_out <NUM>  Set the request timeout (Default is 8)   -rl, --rate_limit <NUMBER>  Set a rate-limit with a delay in milliseconds between each request   Proxy Settings:   -p, --proxy <PROXY>   Proxy to use for requests (ex: http(s)://host:port, socks5(h)://host:port)   -k, --insecure        Do not verify SSL certificates   --burp_http           Set --proxy to 127.0.0.1:8080 and set --insecure to true (For HTTP requests)   --burp_https          Set --proxy to 127.0.0.1:8080 and set --insecure to false (For HTTPs requests)   Optional Settings:   -D, --upload_dir <UPLOAD_DIR>  Provide a remote path where the Web-Shell should be uploaded (ex: /uploads)   -o, --output  <OUTPUT_PATH>    Output file to write the results into - Default current directory (ex: ~/Desktop/results.txt)   --debug  <NUM>                 Debug mode - Print the stack trace error to the screen and save it to a file (ex: --debug 1)       I.  Level 1 - Saves only the stack trace error (default).       II. Level 2 - Saves the stack trace error and user's arguments along with the request file.    Resume settings:   --resume  <STATE_FILE>  State file from which to resume a partially complete scan   Update settings:   -u, --update  Update the program to the latest version

The tool then generates a directory of modified versions of your original payload, each crafted to evade upload filters using different strategies.

Test them manually or script uploads using Burp or cURL to see what slips past.

---

Final Thoughts

Upload_Bypass doesn’t promise magic—it doesn’t brute force login portals or drop zero-days.
But it does exactly what it says: it it helps you bypass upload restrictions between you and shell access.

If you’re tired of trying every bypass method manually, let Upload_Bypass do it for you—with better consistency and less risk of human error.

Drop in your payload, choose your options, and go find the filter that fails.

You can download Upload_Bypass or read more here:

https://github.com/sAjibuu/Upload_Bypass