PortSwigger Web Security Academy: File Upload Vulnerabilities

Ajay Nooji
5 min read · Sep 26, 2022


A detailed write-up on how to solve file upload labs on PortSwigger.

Source: PortSwigger

Lab 1: Remote code execution via web shell upload

Log in with username “wiener” and password “peter”.

You will see the file upload functionality.

Create a basic PHP web shell.

Upload the file on the website.

Right-click on the avatar, and open the image on the new tab.

Enter this string in the “Submit solution” window.

You have completed Lab 1.

Lab 2: Web shell upload via Content-Type restriction bypass

Follow the same steps as Lab 1, but you will observe an error in uploading the PHP file.

Upload the file again, but this time intercept the request in Burp Suite.

In line 22, you will see that the content type is “application/x-PHP”. The website allows only image files of .png or .jpg extensions. Hence change the content type to “image/png” or “image/jpg”.

Forward the request, turn off the proxy and right-click on the image uploaded to see the secret information.

You have completed Lab 2.

Lab 3: Web shell upload via path traversal

Follow the same steps as Lab 1, but you will observe that the uploaded web shell will not reveal any secret data.

Upload the file again and intercept the request in Burp Suite.

In line 21, you can observe the filename “temp.php”. Here we take advantage of a path traversal vulnerability in the filename handling to bypass the defences. Replace “temp.php” with “..%2ftemp.php”.

We can see the secret information.

You have completed Lab 3.

Lab 4: Web shell upload via extension blacklist bypass

Follow the same steps as Lab 1, but you will observe an error in uploading the PHP file.

Rename the file to “temp.bcs” and upload again.

However, the image still does not contain any secret information.

Create a file by the name “.htaccess” with the following data.

Upload this “.htaccess” file.

Now open the temp.bcs file. You can do this by browsing to the path /files/avatars/temp.bcs.

You have completed Lab 4.

Lab 5: Web shell upload via obfuscated file extension

Follow the same steps as Lab 1, but you will observe an error in uploading the PHP file.

We receive an error that only image files are allowed to be uploaded. Upload the temp.php file again and intercept the request in Burp Suite.

To bypass the website’s defences, we can make the server believe that the uploaded file is an image. Thus, rename “temp.php” to “temp.php%00.png” or “temp.php%00.jpg”.

Forward the request and we can see that the web shell is uploaded.

We can view the solution string at /files/avatars/temp.php.

You have completed Lab 5.

Lab 6: Remote code execution via polyglot web shell upload

This lab requires the installation of ExifTool software.

Create an image file with the extension .jpg or .png. Here, I have created an image file “test.png” using Paint.

Upload the lab.php file in the avatar section of the website.

Copy the string between START and END. This is the solution string.

You have completed Lab 6.
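Each of Labs 2 to 6 bypasses one weak server-side check: trusting the Content-Type header, not decoding the filename before checking it, blacklisting extensions, stopping at a null byte, and trusting image magic bytes alone. The validator below is an added example, not PortSwigger’s code, showing how a defender closes those gaps in one place; the function names, the extension allowlist and the sample uploads are all constructed for this example.

```python
import secrets
from urllib.parse import unquote

# Allowlist: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, detail): detail is the rejection reason, or the
    server-chosen storage name. The client's Content-Type header is ignored."""
    decoded = unquote(filename)           # expose "..%2f" and "%00" before checking
    if "\x00" in decoded:
        return False, "null byte in filename"
    if "/" in decoded or "\\" in decoded or ".." in decoded:
        return False, "path separator or traversal in filename"
    if decoded.startswith("."):
        return False, "dotfiles such as .htaccess are not accepted"
    parts = decoded.split(".")            # "temp.php.png" -> 3 parts, also rejected
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    ext = "." + parts[1].lower()           # ".PhP" style case games are normalised
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} not in allowlist"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared image type"
    # Never reuse the client name on disk: a random name removes any remaining
    # leverage from the filename even if a check above is bypassed later.
    return True, secrets.token_hex(16) + ext

# Constructed sample uploads modelled on the lab bypasses above (not lab data).
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLES = {
    "temp.php": b"<?php /* script */ ?>",
    "..%2ftemp.php": b"<?php /* script */ ?>",
    "temp.bcs": b"<?php /* script */ ?>",
    ".htaccess": b"# constructed placeholder directive",
    "temp.php%00.png": PNG_STUB,
    "avatar.png": PNG_STUB + b"<?php /* script */ ?>",   # polyglot: passes here
}

def run_samples() -> dict[str, bool]:
    """Which constructed samples the validator would store."""
    return {name: check_upload(name, data)[0] for name, data in SAMPLES.items()}
```

The polyglot sample from Lab 6 still passes the magic-byte check, which is why accepted uploads must additionally be stored outside the web root or served from a location where script execution is disabled (re-encoding the image server-side also strips embedded metadata).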
