Advanced File Upload Payload Generator
UpFuzz generates sophisticated file upload payloads designed to bypass WAFs and strict filtering mechanisms. Unlike simple extension lists, UpFuzz creates full filenames with advanced evasion techniques like Unicode RTLO spoofing, NTFS Alternate Data Streams, and double-extension injection.
Designed to be piped directly into Burp Suite Intruder or FFUF.
git clone https://github.com/yourusername/upfuzz.git
cd upfuzz
python upfuzz.py- Standard Scan (PHP)
Generate variations like .php, .phtml, .php.jpg, .php%00.png.
python3 upfuzz.py --preset php --filename myprofile > payloads.txt- ISS/Windows Evasion
Target ASP/ASPX with Windows-specific bypasses (::$DATA, trailing dots).
python3 upfuzz.py --preset asp --filename document- Visual Spoofing (RTLO)
Create payloads that look like images to human administrators (e.g., holidaysgpj.php).
python3 upfuzz.py --preset php --filename holidays --rtlo- Generate payloads:
python3 upfuzz.py --preset web --filename test -o wordlist.txt - Load into Burp:
- Send reqeuest to Intruder.
- Highlight the entire filename in the request:
filename="§image.jpg§". - Payloads tab: Load
wordlist.txtas payload set.
- Bypass Magic Bytes (Optional):
- Run
python3 upfuzz.py --show-magicto get the hex signatures. - In Burp: Payload Processing -> Add Prefix -> Paste the hex (e.g., \xFF\xD8\xFF\xE0).
| Preset | Included Extensions |
|---|---|
| php | .php, .phtml, .phar, .inc, etc. |
| asp | .asp, .aspx, .cer, .config |
| jsp | .jsp, .jspx, .do, .action |
| xml | .xml, .svg, .json, .xslt (XXE) |
| web | Combination of PHP, ASP, and JSP |