Remote code execution via web shell upload

This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.

File Upload Vulnerabilities

Lab: Remote code execution via web shell upload

Guys 👋, let’s go through this really quick. This lab contains a vulnerable image upload function. It doesn’t perform any validation on the files users upload before storing them on the server’s filesystem.

Our task is to solve the lab by uploading a basic PHP web shell and using it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. Let’s get started.

End Goals:

  • Upload a basic PHP web shell.
  • Use it to retrieve the contents of the file /home/carlos/secret.

What are File Upload Vulnerabilities? 🤔

File upload vulnerabilities arise when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents and size.
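To make those four checks concrete from the defender's side, here is an added example (my own code, not the lab's or PortSwigger's) of a validator that would have rejected the upload used in this lab. The extension whitelist, the 2 MiB limit and the magic-byte table are assumptions for an avatar feature:

```python
import os
import re
import secrets

# Assumed policy for an avatar upload: three image formats, 2 MiB cap.
MAX_BYTES = 2 * 1024 * 1024
# extension -> (expected Content-Type, magic bytes the file must start with)
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}
# The stem may only contain these characters, so "shell.php.png"
# (stem "shell.php") is rejected along with the double extension it hides.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")


def validate_upload(filename, content_type, data):
    """Check name, type, content and size. Returns (ok, reason)."""
    # size first: nothing else is worth doing on an empty or oversized body
    if not data:
        return False, "empty file"
    if len(data) > MAX_BYTES:
        return False, "file too large"

    # name: drop any directory part, then look only at the last extension
    base = os.path.basename(filename.replace("\\", "/"))
    stem, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED or not SAFE_STEM.fullmatch(stem):
        return False, "disallowed file name or extension"

    # type: the client-supplied Content-Type must agree with the extension
    expected_mime, magic = ALLOWED[ext]
    if content_type.split(";")[0].strip().lower() != expected_mime:
        return False, "content-type does not match extension"

    # content: bytes must start with that format's magic and carry no PHP tag
    if not data.startswith(magic):
        return False, "content does not match extension"
    if b"<?php" in data or b"<?=" in data:
        return False, "embedded PHP tag"
    return True, "ok"


def storage_name(ext):
    """Server-chosen file name; the user's name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # constructed sample: the lab's one-line web shell versus a real PNG header
    shell = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, ctype, body in [("rick.php", "image/png", shell),
                              ("avatar.png", "image/png", shell),
                              ("avatar.png", "image/png", png)]:
        print(name, validate_upload(name, ctype, body))
```

The user-supplied name never reaches disk: storage_name() picks the file name, and the upload directory should be served without a script handler (or from outside the web root) so that even a file that slips through cannot be executed. Re-encoding the image with an image library is a stronger content check than a magic-byte prefix, since a structurally valid PNG can still carry PHP tags inside a comment chunk; the tag scan above is the cheap version of that check.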

Enumeration / Testing for Vulnerabilities

  • First, to test a web app for vulnerabilities, we have to check every function the web app exposes. So, let’s log in to our account and see how the web app works.

  • So, it has a function for uploading an avatar image. Let’s try uploading our basic PHP web shell and check whether the web application validates it.
  • Note the URL path of the upload function.

  • On your machine, create a file called anyname.php (in my case, I used rick.php) containing a script that fetches the contents of Carlos’s secret file. Put this in the file:
    
    <?php echo file_get_contents('/home/carlos/secret'); ?>
    
  • Let’s upload the PHP file through the avatar image function. If the web app doesn’t validate it, the upload goes through, bingo! 😂

  • Go back to My account.
  • Let’s send the request to the Repeater tab and modify it. In Burp Repeater, change the path of the request to point to your PHP file:
    
    GET /files/avatars/rick.php
    
  • The response contains Carlos’s secret. Submit it to complete the lab.
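Once the upload is fixed, the check a defender wants is whether anyone ever requested a script file from the avatar directory, which is exactly the request in the last step. The following is an added example (my own code, not the lab's) that scans access-log lines in the common/combined format for that pattern; the log lines, timestamps, the POST path and the extension list are constructed for the example:

```python
import re
from urllib.parse import urlsplit

# Directory that should only ever serve uploaded images (the lab's avatar path).
UPLOAD_PREFIXES = ("/files/avatars/",)
# Assumed: a PHP host, so these are the extensions the server would execute.
EXEC_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_script_under_uploads(target):
    """True when the request path is inside an upload directory and names a script."""
    path = urlsplit(target).path          # strip any query string first
    if not path.startswith(UPLOAD_PREFIXES):
        return False
    name = path.rsplit("/", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return ext in EXEC_EXTENSIONS


def find_webshell_hits(lines):
    """Return (ip, target, status) for every request that matches the pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_script_under_uploads(rec["target"]):
            hits.append((rec["ip"], rec["target"], int(rec["status"])))
    return hits


# Constructed sample log: one successful fetch of the shell from this write-up,
# one avatar upload, one normal avatar view, one failed attempt, one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:10 +0000] "POST /my-account/avatar HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /files/avatars/rick.php HTTP/1.1" 200 31',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /files/avatars/avatar.png HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /files/avatars/old.phtml?v=2 HTTP/1.1" 404 0',
    "this line is not in the access-log format",
]

if __name__ == "__main__":
    for ip, target, status in find_webshell_hits(SAMPLE_LOG):
        print(f"{ip} requested {target} -> {status}")
```

A 200 on such a request means the server executed the file, which is the incident; a 404 is an attempt worth noting but not a compromise. The durable fix is still to serve the upload directory with no script handler, which turns these requests into plain downloads or 403s and leaves this log check as a tripwire rather than the only line of defence.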

That’s all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!

This post is licensed under CC BY 4.0 by the author.