8.2 Lab: Web shell upload via Content-Type restriction bypass | 2023 | Karthikeyan Nagaraj
Description
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Pre-Requisite
Solution
1. Log in to the page using the credentials wiener:peter
2. There is an image upload functionality where we can upload files.
3. If you upload an image, then right-click it and open the image in a new tab, you can see the URL of the image, which looks like the one below:
https://LAB-ID.web-security-academy.net/files/avatars/image1.png
4. In any file upload functionality, if the uploaded file is not validated, there is a higher chance of exploiting the vulnerability.
5. Here the file type is being validated, so we cannot upload files other than images.
6. Save the below code in a file with any name ending in .php, e.g. exploit.php:
<?php echo file_get_contents('/home/carlos/secret'); ?>
7. Browse and select the payload, turn on the proxy, click upload and then capture the request.
8. In the body of the request, change the Content-Type of the file part to image/jpeg.
9. Send the request; you can now see that the file has been uploaded.
10. Right-click on the image field and select "Open image in new tab".
11. You will now be able to see the secret key.
12. Submit the secret key in the submit solution field to solve the lab.
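The server in this lab accepts whatever MIME type the client writes into the multipart part's Content-Type header, which is why step 8 works. The following is an added example (not code from the lab or from PortSwigger) that places that weak check beside a stricter one which ignores the declared type and instead checks the file's magic bytes and extension; the sample uploads, function names and magic-byte table are constructed for illustration.

```python
# Added example: a Content-Type-trusting upload check (the behaviour the lab models)
# beside a check that derives the type from the file content and extension only.
import os

ALLOWED_TYPES = {"image/jpeg", "image/png"}

# Leading bytes of the image formats the upload is meant to accept.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
}
EXTENSIONS = {"image/jpeg": {".jpg", ".jpeg"}, "image/png": {".png"}}


def weak_check(filename: str, declared_type: str, data: bytes) -> bool:
    """The lab's behaviour: trust the MIME type the client declared for the part."""
    return declared_type in ALLOWED_TYPES


def sniff_type(data: bytes):
    """Derive the type from the file content, never from a client-supplied header."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def strict_check(filename: str, declared_type: str, data: bytes) -> bool:
    """Accept only if the content signature and the extension agree on an allowed
    image type. The declared Content-Type is ignored on purpose: it is attacker-controlled."""
    actual = sniff_type(data)
    if actual is None:
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXTENSIONS[actual]


# Constructed sample uploads: a minimal PNG header, and the lab's PHP payload sent
# with the Content-Type the filter expects (as in step 8 above).
PNG_UPLOAD = ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
PHP_UPLOAD = ("exploit.php", "image/jpeg",
              b"<?php echo file_get_contents('/home/carlos/secret'); ?>")

if __name__ == "__main__":
    for upload in (PNG_UPLOAD, PHP_UPLOAD):
        print(upload[0], "weak:", weak_check(*upload), "strict:", strict_check(*upload))
```

Content sniffing alone is not sufficient either, since valid image files can carry script in their trailing bytes; the upload directory should additionally be served without script execution, and uploaded files should be stored under server-generated names.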
2. Portswigger’s Solution
- Log in and upload an image as your avatar, then go back to your account page.
- In Burp, go to Proxy > HTTP history and notice that your image was fetched using a GET request to /files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater.
- On your system, create a file called exploit.php, containing a script for fetching the contents of Carlos's secret. For example:
<?php echo file_get_contents('/home/carlos/secret'); ?>
- Attempt to upload this script as your avatar. The response indicates that you are only allowed to upload files with the MIME type image/jpeg or image/png.
- In Burp, go back to the proxy history and find the POST /my-account/avatar request that was used to submit the file upload. Send this to Burp Repeater.
- In Burp Repeater, go to the tab containing the POST /my-account/avatar request. In the part of the message body related to your file, change the specified Content-Type to image/jpeg.
- Send the request. Observe that the response indicates that your file was successfully uploaded.
- Switch to the other Repeater tab containing the GET /files/avatars/<YOUR-IMAGE> request. In the path, replace the name of your image file with exploit.php and send the request. Observe that Carlos's secret was returned in the response.
- Submit the secret to solve the lab.
Thank you for Reading!
Happy Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng