Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | The end is the beginning
┌──(root㉿IHA089)-[/Toolkit/Web Application Testing/File Upload Testing] └─#
Fuxploider

Fuxploider is an automated scanner for file upload vulnerabilities: it detects allowed MIME types and tests bypasses such as double extensions or polyglots to land webshells on servers. Run its Python script on upload endpoints with --not-regex for error filtering; it outputs confirmed vectors for exploitation. Open-source from almandin, it's the upload unraveler for pentesters templating bypass chains.

Upload-Scanner

Upload-Scanner is the Burp extension that fuzzes file uploads with payloads for type confusion or path traversal, analyzing responses for successful placements or errors. Install via BApp Store, select upload requests, and run scans for flagged bypasses with evidence. Open-source from PortSwigger, it's the proxy param prober for web auditors validating upload guards inline.

FUSE

FUSE is the UEFU vulnerability finder that fuzzes upload configs for unrestricted executables, monitoring file execution post-upload for RCE confirmation in PHP apps. Configure via ini files, then run its Python framework on targets for automated tests with logs. Open-source from WSP-LAB, it's the executable explorer for pentesters hunting dangerous file handling.

Upload-Bypass

Upload-Bypass is the evasion toolkit for testing upload restrictions, crafting polyglot files and MIME spoofs to slip past validators for shell uploads. Run its Python CLI with -E for extensions and -S for status checks, verifying placements. Open-source from sAjibuu, it's the bypass blacksmith for auditors forging paths through file filters.

magic-file-upload

magic-file-upload is the scanner for magic byte bypasses, forging headers in uploads to trick validators into accepting malicious types like PHP in images. Script its Go tool for batch tests on endpoints, logging successful executions. Open-source from the community, it's the header hacker for pentesters exploiting type confusion.

file-upload-vuln-scanner

file-upload-vuln-scanner is the Nuclei template pack for probing upload endpoints with payloads for traversal or type bypass, matching responses for RCE indicators. Clone the templates and run them via the CLI on in-scope targets for severity alerts. Open-source from projectdiscovery, it's the template tester for scalable upload vuln hunts.

webshell-uploader

webshell-uploader is the exploit chain for testing upload RCE, generating and sending malicious files with evasion to verify execution in web servers. Configure via Python with proxies, monitoring callbacks for confirmation. Open-source from the community, it's the shell smuggler for pentesters validating upload-to-command chains.

bypass-upload-restrictions

bypass-upload-restrictions is the script collection for MIME and extension tricks, testing null bytes or case variations to evade filters in file handlers. Run individual tests via bash, chaining for full audits. Open-source from 3af, it's the restriction rebel for auditors dismantling upload defenses piece by piece.

upload-fuzzer

upload-fuzzer is the mutation fuzzer for file params, blasting headers and names with wordlists to detect traversal or type confusion in upload logic. Configure corpora in Go, run on endpoints for crash repros. Open-source from frikilnik, it's the file flinger for researchers stressing upload parsers.

php-upload-vuln-tester

php-upload-vuln-tester is the targeted checker for PHP move_uploaded_file flaws, sending crafted files to test for arbitrary execution or path issues. Script its Python client with payloads, verifying via callbacks. Open-source from the community, it's the PHP pathfinder for web pentesters templating upload exploits in LAMP stacks.
