{"id":28453753,"url":"https://github.com/0xricksanchez/upfuzz","last_synced_at":"2025-10-10T09:35:43.290Z","repository":{"id":294819536,"uuid":"988149830","full_name":"0xricksanchez/upfuzz","owner":"0xricksanchez","description":"The Ultimate File Upload Bypass Generator","archived":false,"fork":false,"pushed_at":"2025-06-20T16:07:42.000Z","size":1592,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-28T05:34:42.749Z","etag":null,"topics":["bugbounty","file-inclusion","file-upload","fuzzing","penetration-testing","xxe","xxe-payloads"],"latest_commit_sha":null,"homepage":"https://github.com/0xricksanchez/upfuzz","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xricksanchez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-05-22T06:06:21.000Z","updated_at":"2025-06-20T16:07:45.000Z","dependencies_parsed_at":"2025-06-28T05:42:14.225Z","dependency_job_id":null,"html_url":"https://github.com/0xricksanchez/upfuzz","commit_stats":null,"previous_names":["0xricksanchez/upfuzz"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0xricksanchez/upfuzz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xricksanchez%2Fupfuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xricksanchez%2Fupfuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xricksanchez%2Fupfuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xricksanchez%2Fupfuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xricksanchez","download_url":"https://codeload.github.com/0xricksanchez/upfuzz/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xricksanchez%2Fupfuzz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270653606,"owners_count":24622795,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-15T02:00:12.559Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bugbounty","file-inclusion","file-upload","fuzzing","penetration-testing","xxe","xxe-payloads"],"created_at":"2025-06-06T18:30:36.787Z","updated_at":"2025-10-10T09:35:43.221Z","avatar_url":"https://github.com/0xricksanchez.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"img/logo.png\" alt=\"UpFuzz Logo\" width=\"300\"/\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003eUpFuzz\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eThe Ultimate File Upload Bypass Generator\u003c/strong\u003e\n  \u003cbr /\u003e\n  UpFuzz is a comprehensive Python tool that generates thousands of file extension combinations designed to bypass upload filters and security controls.\n  Perfect for penetration testing, bug bounty hunting, and security assessments.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/0xricksanchez/upfuzz/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/github/license/0xricksanchez/upfuzz\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://python.org\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.11%2B-blue\" alt=\"Python Version\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/0xricksanchez/joomla_brute/releases\"\u003e\u003cimg src=\"https://img.shields.io/badge/version-v1.0-red\" alt=\"Tool Version\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n## 🎯 Features\n\n- **Smart Extension Generation**: Creates comprehensive lists with double extensions, null bytes, case variations, and encoding bypasses\n- **Content-Type Recommendations**: Suggests optimal MIME types for each extension pattern\n- **Specialized Attack Presets**: Ready-made configurations for PHP, ASP, JSP, XXE, XSS, and more\n- **Multiple Output Formats**: Plain text lists or detailed JSON with metadata\n- **Burp Suite Ready**: Generate wordlists perfect for Intruder attacks\n\n## 🚀 Quick Start\n\n### Basic Usage\n```bash\n# Generate PHP upload bypasses\npython3 upfuzz.py --preset php\n\n# XXE-focused extensions for XML/SVG testing  \npython3 upfuzz.py --preset xxe\n\n# Comprehensive web application testing\npython3 upfuzz.py --preset web --output extensions.txt\n```\n\n### Custom Generation\n```bash\n# Custom malicious + benign extensions\npython3 upfuzz.py --malicious .php,.jsp --benign .jpg,.png,.gif\n\n# With custom delimiters\npython3 upfuzz.py --preset php --delimiters \",%00,.,%20\"\n```\n\n## 📋 Available Presets\n\n| Preset | Description | Use Case |\n|--------|-------------|----------|\n| `web` | PHP, ASP, JSP extensions | General web app testing |\n| `php` | Core PHP extensions | PHP application focus |\n| `php-comprehensive` | All PHP variants | Exhaustive PHP testing |\n| `asp` | ASP/ASPX extensions | Windows/IIS applications |\n| `jsp` | Java Server Pages | Java web applications |\n| `xxe` | XML/SVG/XSL extensions | XXE vulnerability testing |\n| `xss` | SVG/HTML/XML extensions | XSS via file upload |\n| `coldfusion` | ColdFusion extensions | Adobe ColdFusion apps |\n| `scripting` | Perl, Python, Ruby, etc. | General scripting bypasses |\n| `common` | Most exploited extensions | Quick common tests |\n| `all` | Every known extension | Comprehensive testing |\n\n## 💡 Example Output\n\n```bash\n$ python3 upfuzz.py --preset php --show-content-types\n\nGenerating extensions with:\n  Malicious: ['.php', '.php3', '.php4', '.php5', '.phtml', '.phar']\n  Benign: ['.jpg', '.jpeg', '.png', '.gif', '.bmp']\n  Case variations: True\n  Content-Type recommendations: True\n\n.php\n.php.gif\n.php.jpg\n.php.jpeg\n.php.png\n.php%00.jpg\n.php%20.gif\n.phtml.png\n.gif.php\n.jpg.php\n...\n\nContent-Type Recommendations:\n  image/jpeg: .php.jpg, .php.jpeg, .jpg.php\n  image/png: .php.png, .png.php  \n  application/x-httpd-php: .php, .php3, .php4, .phtml\n  text/plain: .php, .phtml, .inc\n```\n\n## 🎯 Real-World Usage\n\n### HTB/CTF Scenarios\n```bash\n# Generate PHP bypasses for image upload forms\npython3 upfuzz.py --preset php --output php_bypass.txt\n\n# Load php_bypass.txt into Burp Intruder\n# Set payload position at file extension\n# Test all combinations against upload endpoint\n```\n\n### Bug Bounty Hunting\n```bash\n# Comprehensive web app testing\npython3 upfuzz.py --preset web --output web_extensions.txt\n\n# XXE testing on document uploads\npython3 upfuzz.py --preset xxe --output xxe_payloads.txt\n\n# XSS via SVG uploads\npython3 upfuzz.py --preset xss --output xss_extensions.txt\n```\n\n### Penetration Testing\n```bash\n# Generate JSON report with metadata\npython3 upfuzz.py --preset all --output full_report.json\n\n# Custom extensions for specific technology stack\npython3 upfuzz.py --malicious .cfm,.jsp,.php --benign .pdf,.doc,.jpg\n```\n\n## 🛠️ Advanced Options\n\n```bash\n# Disable case variations for faster generation\npython3 upfuzz.py --preset php --no-case-variations\n\n# Hide content-type recommendations\npython3 upfuzz.py --preset web --no-content-types\n\n# Custom delimiters for specific bypass techniques\npython3 upfuzz.py --preset php --delimiters \",%00,%20,.,;\"\n\n# List all available presets\npython3 upfuzz.py --list-presets\n```\n\n## 📊 Extension Patterns Generated\n\nUpFuzz creates multiple bypass patterns for each malicious extension:\n\n### Basic Patterns\n- `.php` → Direct extension\n- `.PHP`, `.PhP`, `.pHp` → Case variations\n\n### Double Extensions  \n- `.php.jpg` → Malicious first\n- `.jpg.php` → Benign first\n- `.php.png.gif` → Triple extensions\n\n### Delimiter Bypasses\n- `.php%00.jpg` → Null byte injection\n- `.php%20.jpg` → Space character\n- `.php..jpg` → Double dots\n- `.php/.jpg` → Path separators\n\n### Special Techniques\n- `.php ` → Trailing spaces\n- `../shell.php` → Directory traversal\n- `.php%252e.jpg` → Double URL encoding\n- `.php::$DATA.jpg` → NTFS ADS\n\n## 🎯 Content-Type Strategy\n\nUpFuzz recommends Content-Types based on your extension strategy:\n\n| Extension Pattern | Recommended Content-Types |\n|------------------|---------------------------|\n| `.php.jpg` | `image/jpeg`, `application/x-httpd-php` |\n| `.svg` | `image/svg+xml`, `text/xml` |\n| `.xml` | `application/xml`, `text/xml` |\n| `.asp.png` | `image/png`, `application/x-asp` |\n\n## 🔧 Integration\n\n### Burp Suite Integration\n1. Generate extension list: `python3 upfuzz.py --preset web -o extensions.txt`\n2. In Burp, send upload request to Intruder\n3. Set payload position at file extension\n4. Load `extensions.txt` as payload list\n5. Start attack and analyze responses\n\n### ffuf Integration\n```bash\n# Generate extensions\npython3 upfuzz.py --preset php -o php_ext.txt\n\n# Use with ffuf\nffuf -u \"http://target.com/upload\" -X POST \\\n     -F \"file=@shell.FUZZ\" \\\n     -w php_ext.txt\n```\n\n## 🎲 Example Attack Scenarios\n\n### Scenario 1: Image Upload Bypass\n```bash\n# Target: Web form accepting only .jpg, .png\npython3 upfuzz.py --malicious .php --benign .jpg,.png --output image_bypass.txt\n\n# Generated bypasses include:\n# .php.jpg, .jpg.php, .php%00.jpg, .PHP.jpg, etc.\n```\n\n### Scenario 2: XXE via SVG Upload\n```bash\n# Target: Profile picture upload accepting SVG\npython3 upfuzz.py --preset xxe --output xxe_test.txt\n\n# Use Content-Type: image/svg+xml\n# Upload SVG with XXE payload\n```\n\n### Scenario 3: ASP.NET Application\n```bash\n# Target: Document upload on ASP.NET app\npython3 upfuzz.py --preset asp --output asp_bypass.txt\n\n# Test .aspx, .ashx, .config extensions\n# Use recommended Content-Types\n```\n\n## 🚨 Responsible Disclosure\n\nUpFuzz is designed for authorized penetration testing and security research. Always ensure you have explicit permission before testing upload functionality on systems you don't own.\n\n## 📝 Installation\n\n```bash\n# Clone the repository\ngit clone https://github.com/0xricksanchez/upfuzz.git\ncd upfuzz\n\n# Run\npython3 upfuzz.py --help\n```\n\n## 🤝 Contributing\n\nContributions welcome! Areas for improvement:\n- Additional file extension patterns\n- New bypass techniques\n- Framework-specific presets\n- Integration with other tools\n\n## 📄 License\n\nApache-2 License - see [LICENSE](LICENSE) file for details\n\n---\n\n**Happy Fuzzing! 🎯**\n\n*Found a new bypass technique? Open an issue or submit a PR!*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xricksanchez%2Fupfuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xricksanchez%2Fupfuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xricksanchez%2Fupfuzz/lists"}