What starting position does this attack require?

The first step is Execute shell commands via webshell (W-CMDI) — a execution primitive. Assumed environment: app accepts user uploads (avatars, attachments, document import).

What is the final impact of this kill-chain?

The final step lands on Drop webshell (W-WEBSHELL), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

File upload bypass → webshell → RCE

Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Execution

Execute shell commands via webshell

W-CMDI · OS Command Injection

Initial Access

Bypass with double-ext / polyglot / null-byte

W-UPLOAD-BYPASS · File Upload Filter Bypass

shell.php.jpg / shell.phtml / .htaccess + .jpg combo.

Initial Access

Probe filter (ext / MIME / magic / path)

W-UPLOAD-BYPASS · File Upload Filter Bypass

Reconnaissance

Find upload endpoint

W-RECON-API-DISCO · API Endpoint Discovery

Persistence

Plant secondary backdoor

W-WEBSHELL · Webshell Deployment

Persistence

Drop webshell

W-WEBSHELL · Webshell Deployment

§ Context

Assumed environment: app accepts user uploads (avatars, attachments, document import). Uploaded files are stored in a web-served directory.

§ Steps

01
Execute shell commands via webshellExecution
W-CMDI— OS Command Injection
02
Bypass with double-ext / polyglot / null-byteInitial Access
W-UPLOAD-BYPASS— File Upload Filter Bypass
shell.php.jpg / shell.phtml / .htaccess + .jpg combo.
03
Probe filter (ext / MIME / magic / path)Initial Access
W-UPLOAD-BYPASS— File Upload Filter Bypass
04
Find upload endpointReconnaissance
W-RECON-API-DISCO— API Endpoint Discovery
05
Plant secondary backdoorPersistence
W-WEBSHELL— Webshell Deployment
06
Drop webshellPersistence
W-WEBSHELL— Webshell Deployment

§ Frequently asked

What is the "File upload bypass → webshell → RCE" attack path?: Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Execute shell commands via webshell (W-CMDI) — a execution primitive. Assumed environment: app accepts user uploads (avatars, attachments, document import).
What is the final impact of this kill-chain?: The final step lands on Drop webshell (W-WEBSHELL), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

Shared techniques2
LFI → log poisoning → RCE
Local file inclusion that reads the web server's access log. Send a request whose User-Agent contains PHP, then LFI the log file to execute it.

§ Context

§ Steps

§ Frequently asked

§ Related dossiers

LFI → log poisoning → RCE