how different browsers handle these filenames: [👌.html] [lorem"ipsum.html ] [lorem\"ipsum.html ] [∭.triple.integral] [_a_∭_.txt] (_a_👌_.txt) [_"_%_%2_%22_%2f_%25_.txt] (_"_%_%2_"_%_.txt) [_\"_%_%2_%22_%2f_%25_.txt] (_\"_%_%2_"_%_.txt) [abc !"#$%&'()*+,-.x0123456789:;<=>?@ABC[\]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt] [aabbcc !!""##$$%%&&''(())**++,,--..xx00112233445566778899::;;<<==>>??@@AABBCC[[\\]]^^__``{{||}}~~  ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt] lines starting with "saved file:" is how php7.2.18 decodes it curl: escapes " into \" escapes \" into \\\" actually doesn't suck chrome/safari: escapes " into %22 does not escape \ does not escape %xx so %22 is unmodified (decodes as ") does not escape &#xx; so a is unmodified (decodes as a) firefox: escapes " into \" however \" becomes \\" so php and most other parsers fail also does not escape &#xx; or %xx just like chrome/safari ie7: wins by default since windows filenames can't contain " conclusion: always set pretend the mythical filename* does not exist (it doesn't) if /AppleWebKit/: simple replace from %22 to " else: if filename contains \\\" or (\\ and not \\"): proper unescape \\ and \" else: simple replace \" to " firefox 66.0.5 linux, no encoding on the html with the
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 Content-Type: multipart/form-data; boundary=---------------------------2128611736173971212222926164 Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem\"ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\\"ipsum.html " saved file: _"_%_%2_%22_%2f_%25_.txt saved file: _a_∭_.txt saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: lorem"ipsum.html bad filename or other error saved file: ∭.triple.integral saved file: 👌.html chrome 72.0.3626.121 linux, no encoding on the html with the User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5SmRJkwFKdZJDvyi Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html " chrome 72.0.3626.121 linux, Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html " Content-Disposition: form-data; name="f"; filename="_%22_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="_\%22_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="_a_∭_.txt" Content-Disposition: form-data; name="f"; filename="abc !%22#$%&'()*+,-.x0123456789:;<=>?@ABC[\]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt" Content-Disposition: form-data; name="f"; filename="aabbcc !!%22%22##$$%%&&''(())**++,,--..xx00112233445566778899::;;<<==>>??@@AABBCC[[\\]]^^__``{{||}}~~  ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt" saved file: _a_∭_.txt saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: ∭.triple.integral saved file: %22ipsum.html saved file: lorem%22ipsum.html saved file: 👌.html IE7 xp, no encoding on page User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727) Content-Type: multipart/form-data; boundary=---------------------------7e325111400c0 Content-Disposition: form-data; name="f"; filename="C:\Documents and Settings\Administrator\My Documents\Downloads\👌.html" Content-Disposition: form-data; name="f"; filename="C:\Documents and Settings\Administrator\Desktop\∭.triple.integral" Content-Disposition: form-data; name="f"; filename="C:\Documents and Settings\Administrator\My Documents\Downloads\_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="C:\Documents and Settings\Administrator\My Documents\Downloads\_a_∭_.txt" IE7 xp, Content-Disposition: form-data; name="f"; filename="C:\Documents and Settings\Administrator\My Documents\Downloads\👌.html" firefox 52.9 xp, no encoding on page User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0 Content-Type: multipart/form-data; boundary=---------------------------283191563824012 Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="_a_∭_.txt" firefox 52.9 xp, Content-Disposition: form-data; name="f"; filename="👌.html" curl 7.64.0 linux curl -F "f=@\"lorem\\\"ipsum.html \"" http://127.0.0.1:2345/ curl -F 'f=@_"_%_%2_%22_%2f_%25_.txt' http://127.0.0.1:2345/ curl -F 'f=@_\"_%_%2_%22_%2f_%25_.txt' http://127.0.0.1:2345/ User-Agent: curl/7.64.0 Content-Type: multipart/form-data; boundary=------------------------052f235dc0b9bae6 Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="_\"_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="_\\\"_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="lorem\"ipsum.html " # curl cli can't do single " when there's a whitespace too so that was [lorem"ipsum.html ] firefox 67 osx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:67.0) Gecko/20100101 Firefox/67.0 Content-Type: multipart/form-data; boundary=---------------------------80573919926839611121776207 Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem\"ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\\"ipsum.html " Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="_a_∭_.txt" Content-Disposition: form-data; name="f"; filename="_\"_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="abc !\"#$%&'()*+,-.x0123456789:;<=>?@ABC[\]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt" Content-Disposition: form-data; name="f"; filename="aabbcc !!\"\"##$$%%&&''(())**++,,--..xx00112233445566778899::;;<<==>>??@@AABBCC[[\\]]^^__``{{||}}~~  ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt" saved file: _a_∭_.txt saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: ∭.triple.integral saved file: %22ipsum.html saved file: lorem%22ipsum.html saved file: 👌.html # lorem\"ipsum.html becomes %22ipsum.html (the trailing space survives tho) safari 2019-06-02 osx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBKvsttxCpqAA9G1Q Content-Disposition: form-data; name="f"; filename="?.html" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html " Content-Disposition: form-data; name="f"; filename="?.triple.integral" safari 2019-06-02 osx (with charset=utf-8 in html or headers) User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryPBtwBgBwTF1SPLmC Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html " Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="_a_∭_.txt" Content-Disposition: form-data; name="f"; filename="_%22_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="abc !%22#$%&'()*+,-.x0123456789:;<=>?@ABC[\]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt" Content-Disposition: form-data; name="f"; filename="aabbcc !!%22%22##$$%%&&''(())**++,,--..xx00112233445566778899::;;<<==>>??@@AABBCC[[\\]]^^__``{{||}}~~  ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt" saved file: _a_∭_.txt saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: ∭.triple.integral saved file: %22ipsum.html saved file: lorem%22ipsum.html saved file: 👌.html chrome 74.0.3729.169 osx User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryj4Pp93BSWa9JBcsE Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html " Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="_a_∭_.txt" Content-Disposition: form-data; name="f"; filename="_%22_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="abc !%22#$%&'()*+,-.x0123456789:;<=>?@ABC[\]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt" Content-Disposition: form-data; name="f"; filename="aabbcc !!%22%22##$$%%&&''(())**++,,--..xx00112233445566778899::;;<<==>>??@@AABBCC[[\\]]^^__``{{||}}~~  ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt" saved file: _a_∭_.txt saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: ∭.triple.integral saved file: %22ipsum.html saved file: lorem%22ipsum.html saved file: 👌.html firefox ios User-Agent: Mozilla/5.0 (iPod touch; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/17.3b15323 Mobile/15E148 Safari/605.1.15 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc5YQtKBEkwJ4br42 Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html .txt" Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html .txt" saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: _a_∭_.txt saved file: lorem%22ipsum.html .txt saved file: %22ipsum.html .txt saved file: 👌.html saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt safari ios User-Agent: Mozilla/5.0 (iPod touch; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrGBKxBdYeZT3kkOd Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="lorem%22ipsum.html .txt" Content-Disposition: form-data; name="f"; filename="lorem\%22ipsum.html .txt" saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: _a_∭_.txt saved file: 👌.html saved file: lorem%22ipsum.html .txt saved file: %22ipsum.html .txt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt chrome android: saved file: _%22_%_%2_%22_%2f_%25_.txt saved file: ∭.triple.integral saved file: lorem%22ipsum.html saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: %22ipsum.html saved file: _a_∭_.txt saved file: 👌.html firefox android: saved file: _"_%_%2_%22_%2f_%25_.txt saved file: _a_∭_.txt saved file: ∭.triple.integral saved file: 👌.html saved file: ]]^^__``{{||}}~~ ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt saved file: ]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt saved file: lorem"ipsum.html bad filename or other error w3m 0.5.3 User-Agent: w3m/0.5.3+git20180125 Content-Type: multipart/form-data; boundary=------------------------------75771398083265246401398083264094080 Content-Disposition: form-data; name="f"; filename="_a_∭_.txt" Content-Disposition: form-data; name="f"; filename="_"_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="_\"_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="abc !"#$%&'()*+,-.x0123456789:;<=>?@ABC[\]^_`{|}~ ´µ¶·¸¹º»¿⌐¬½¼¡«»░▒▓│─█.txt" Content-Disposition: form-data; name="f"; filename="aabbcc !!""##$$%%&&''(())**++,,--..xx00112233445566778899::;;<<==>>??@@AABBCC[[\\]]^^__``{{||}}~~  ´´µµ¶¶··¸¸¹¹ºº»»¿¿⌐⌐¬¬½½¼¼¡¡««»»░░▒▒▓▓││──██..ttxxtt" Content-Disposition: form-data; name="f"; filename="lorem"ipsum.html " Content-Disposition: form-data; name="f"; filename="lorem\"ipsum.html " Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="👌.html" elinks 0.13 User-Agent: ELinks/0.13.GIT (textmode; Linux 4.19.41-0-vanilla x86_64; 146x33-2) Content-Type: multipart/form-data; boundary=4n5BrUX5050f4cK0I8cOyyMehwiaop8D Content-Disposition: form-data; name="f"; filename="lorem"ipsum.html " Content-Disposition: form-data; name="f"; filename="👌.html" links 2.15 User-Agent: Links (2.15; Linux 4.19.41-0-vanilla x86_64; GNU C 8.2; text) Content-Type: multipart/form-data; boundary=---------------------------00000000000000000000000000000 Content-Disposition: form-data; name="f"; filename="lorem"ipsum.html " # can't unicode lynx 2.8.8_p2 User-Agent: Lynx/2.8.8rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/1.1.1b Content-type: multipart/form-data; boundary=LYNX Content-Disposition: form-data; name="f"; filename="./payloads/lorem\"ipsum.html " Content-Disposition: form-data; name="f"; filename="./payloads/lorem\\\"ipsum.html " Content-Disposition: form-data; name="f"; filename="./payloads/_a_∭_.txt" Content-Disposition: form-data; name="f"; filename="./payloads/_\"_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="./payloads/abc !\"#$%&'()*+,-.x0123456789:;<=>?@ABC[\\]^_`{|}~ ´µ¶·¸¹º»¿�\�\�¬½¼¡«»�\�\��\�\��\�\��\�\��\�\��\�\�.txt" Content-Disposition: form-data; name="f"; filename="./payloads/�\�\�\�.html" (that was 👌.html) opera 36 xp User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 OPR/36.0.2130.80 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKVXR8CgZ2IzmOqGW Content-Disposition: form-data; name="f"; filename="∭.triple.integral" opera 11.01 xp User-Agent: Opera/9.80 (Windows NT 5.1; U; en) Presto/2.7.62 Version/11.01 Content-Type: multipart/form-data; boundary=----------bVWAx7M95jeF3S6MX21SdK Content-Disposition: form-data; name="f"; filename="∭.triple.integral" netscape 3.0 xp User-Agent: Mozilla/3.0 (WinNT; I) Content-type: multipart/form-data; boundary=---------------------------337238125597 Content-Disposition: form-data; name="f"; filename="C:\DOCUME~1\ADMINI~1\Desktop\up.html" Content-Disposition: form-data; name="f"; filename="C:\DOCUME~1\ADMINI~1\Desktop\?.triple.integral" opera 11.01 centos7 User-Agent: Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.7.62 Version/11.01 Content-Type: multipart/form-data; boundary=----------ybnHVeRVJHI1gosrCyUezH Content-Disposition: form-data; name="f"; filename="%F0%9F%91%8C.html" Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="_%_%2_%22_%2f_%25_.txt" (the pre-escaped _\" was truncated) Content-Disposition: form-data; name="f"; filename="_a.txt" # both lorem"ipsum.html and lorem\"ipsum.html fail, probably due to the trailing whitespace # breaks on files with quotes in the name unless they are pre-escaped with \ lol # NOTE: enters multipart/mixed with multiple files (nested multipart with different boundaries) # multiple form fields are fine however # keeps form field order opera 11.10 centos7 User-Agent: Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.8.131 Version/11.10 # now it does multiple files correctly but fails to upload the contents of files with emojis in the name?? just leaves the body blank laff # keeps form field order opera 12.00 centos7 User-Agent: Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.10.289 Version/12.00 Content-Type: multipart/form-data; boundary=----------Kjv0zd9NpPWFRkicPTZf8C Content-Disposition: form-data; name="f"; filename="👌.html" Content-Disposition: form-data; name="f"; filename="∭.triple.integral" Content-Disposition: form-data; name="f"; filename="_%_%2_%22_%2f_%25_.txt" Content-Disposition: form-data; name="f"; filename="_a.txt" # now it can upload file contents but it still breaks on some ascii special-chars # keeps form field order firefox 1 xp User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 Content-Type: multipart/form-data; boundary=---------------------------41184676334 Content-Disposition: form-data; name="f"; filename="__.html" # keeps form field order firefox 2 xp User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4 Content-Type: multipart/form-data; boundary=---------------------------261993242624524 Content-Disposition: form-data; name="f"; filename="👌.html" # firefox 4.0.1 introduces multiple files and it works # start upload server, use either of these depending ncat -l -p 2345 nc -l 2345 # minimal html document for correct behavior in safari