Natas 13 — Crafted File Upload

Miguel Sampaio da Veiga, Hacker Toolbelt, Jun 11, 2019

This is part V of the OWASP ZAP series. We're going through OverTheWire's natas wargame using ZAP as the main tool, with the help of a few others.

In the last article we got through natas 12. It's now time to tackle natas 13.

Natas 13 looks a lot like natas 12, except that if we try to upload our file 'shell.php' it is rejected on the grounds that it isn't an image file. Changing the extension alone won't cut it either.

Looking at the source code we can see that there is an image validation step: exif_imagetype(). The PHP manual says that this function reads the first bytes of the file and compares them against the known image signatures; it does not parse the rest of the file. So, what if we prepend the JPEG signature bytes (FF D8 FF DB, i.e. the FF D8 start-of-image marker followed by the start of an FF DB marker) to our shell?

Open the shell file (saved locally as 'shell.jpg') with hexeditor:

$ hexeditor -b shell.jpg

Add four bytes at the very start of the file (Ctrl-A) and set their values to FF D8 FF DB:

Save (Ctrl-X). Now go to the browser and select the file. In ZAP, add a break point, capture the upload request and change the file extension in the request back to .php (just like we did for natas 12).
