Chain the Bugs to Pwn an Organisation (LFI + Unrestricted File Upload = Remote Code Execution)

Armaan Pathan
Sep 18, 2018 · 2 min read

Hi everyone,
After completing my OSCP certification I thought I would give bug bounty a try, as OSCP had sharpened my exploitation skills.

I will use lol.com to represent the application, as I cannot disclose the website's name.

While I was enumerating the application I found a domain which was basically an image server, managing the images uploaded by users. While enumerating further, I found an endpoint which allowed me to read local files on the server, such as passwd, cron jobs and the services currently running on the server.


As it was an image server, it stores all the images that users upload from their profiles.

I went back to lol.com and started looking for photo upload functionality from which I could upload a photo. I found the profile photo option, which allowed me to upload photos to the application; the photos were being stored on the image server.

The photo upload functionality has an ext parameter which is used for the file extension check, but due to improper validation of this parameter I was able to tamper with its value and upload unrestricted file types to the server. I tried to upload a PHP shell, but as it was an image server it was not serving PHP. By doing more recon via the LFI I came to know that I could get a shell via Perl, so I uploaded a Perl reverse shell to get a reverse shell to my public IP.


Then, using the LFI, I called the uploaded file and got the reverse shell on my public IP.
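As an added example (not code from this post or from the affected application), here is the shape of the upload bug in a Python handler: a weak version that lets the client's ext parameter decide the stored extension, beside a hardened version that derives the extension from the file's magic bytes and generates the filename server-side. The sample inputs are constructed.

```python
from typing import Optional
import secrets

# Magic bytes for the image formats the server is willing to store.
ALLOWED_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_save_name(user_id: int, ext: str) -> str:
    """Weak handler: the client-supplied 'ext' parameter decides the stored
    extension, so tampering with it stores a .pl (or anything else)."""
    return f"{user_id}.{ext}"


def detect_image_type(content: bytes) -> Optional[str]:
    """Return the canonical extension for recognised image content, else None."""
    for magic, ext in ALLOWED_MAGIC.items():
        if content.startswith(magic):
            return ext
    return None


def safe_save_name(user_id: int, content: bytes) -> Optional[str]:
    """Hardened handler: ignore whatever extension the client claims, derive it
    from the bytes actually uploaded, and generate the filename server-side so
    no user-controlled characters reach the filesystem. None means reject."""
    ext = detect_image_type(content)
    if ext is None:
        return None
    return f"{user_id}_{secrets.token_hex(8)}.{ext}"


# Constructed sample inputs (hypothetical, not from the post): a minimal PNG
# header, and a Perl script body of the kind a tampered 'ext' let through.
PNG_UPLOAD = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PERL_UPLOAD = b"#!/usr/bin/perl\nprint 'hello';\n"

if __name__ == "__main__":
    print(weak_save_name(42, "pl"))          # 42.pl  (stored as-is)
    print(safe_save_name(42, PNG_UPLOAD))    # 42_<random>.png
    print(safe_save_name(42, PERL_UPLOAD))   # None   (rejected)
```

Even with this check in place, uploaded files should be served from a location where no interpreter will execute them, since an LFI like the one above can still include whatever the server stored.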


Thanks for reading, I hope you liked it.
