Back to File Upload

File Upload 00: Weak Extension Blacklist

Goal: get a dangerous-looking filename accepted by bypassing a naive extension check.

Hints
  • The filter blocks only one exact suffix.
  • It does not normalize the full filename before making a decision.
  • Try filenames that still contain .php but do not end exactly with it.
Why this works

Blacklists are easy to bypass when validation only checks a narrow pattern instead of enforcing a safe allowlist.