PortSwigger — LAB -4 Web shell upload via extension blacklist bypass (Bug Bounty Prep)[by…

Click on Access the lab, which launches the target website.

Log in with the given credentials.

Our aim is to read the content of /home/carlos/secret.
To do that, we will upload this one-line PHP script:

<?php echo file_get_contents('/home/carlos/secret'); ?>

This script calls file_get_contents to read the file at /home/carlos/secret and echoes the result into the HTTP response, so the secret appears in the response body whenever the script is executed by the server.

Before uploading the PHP file, let's upload an ordinary image first and intercept the requests, to understand how the web server handles an upload and how it serves the uploaded file back.

Make sure the Images option is enabled in the filter of Burp's HTTP history; otherwise the GET request that loads the avatar is hidden from the list.

I am uploading a random screenshot.png image.

The image is uploaded successfully.

In Burp Suite, select the POST request to /my-account/avatar that uploaded the image and send it to Repeater with CTRL + R.

Back on the website, click Back to my account. Our uploaded image is loaded successfully.

Back in Burp Suite, select the GET request to /files/avatar/screenshot…… that loads the uploaded image.
Send this request to Repeater as well.

Now we know how the server handles both the upload and the retrieval of a file.
Let's upload our malicious .php file.

When we upload the PHP file, the server rejects it: some kind of filter on the file extension is preventing .php files from being uploaded.

In Burp Suite, select this POST request and send it to Repeater.

Now comes the real deal. We need to bypass this filter so that we can get PHP code executed on the server and read the secret file.

If we look closely at the response to the previous request, the Server header reveals that the server is Apache running on Ubuntu.

So, to bypass the filter, we will upload a .htaccess file. This works because the filter is a blacklist of extensions: .htaccess itself carries no blocked extension, and an extension of our own choosing is not on the list either.

What is a .htaccess file?

.htaccess files provide a way to make configuration changes on a per-directory basis. In other words, with the help of a .htaccess file we can control various aspects of how a directory and its subdirectories behave.

The .htaccess file is powerful and can override some global server configuration without editing the main server configuration file, provided the main configuration permits overrides for that directory (the AllowOverride directive). If the upload directory were configured with AllowOverride None, this technique would fail.

In this case we are going to upload a simple .htaccess file with the content

AddType application/x-httpd-php .shell

The directive AddType application/x-httpd-php .shell tells Apache (with mod_php) to treat files with a .shell extension as PHP scripts. The extension name is arbitrary; any extension that is not on the blacklist would do.

Since we cannot upload a .php file directly, we add a rule to the upload directory such that a file with the extension .shell is executed as a PHP script.

For more information, see the Apache documentation on .htaccess files: https://httpd.apache.org/docs/2.4/howto/htaccess.html

In the previous POST request, change:
1. the filename to .htaccess
2. the Content-Type of the file part to text/plain
3. the file body to the snippet above: AddType application/x-httpd-php .shell

Then send the request.
The response says the file was uploaded successfully.

Now let's upload our PHP code with .shell as the extension.

Change the request as follows:
1. filename to shell.shell
2. Content-Type to image/png
3. file body to the PHP code <?php echo file_get_contents('/home/carlos/secret'); ?>

The response should say the file has been uploaded.

We are almost done: we have uploaded the PHP code with a .shell extension, and a .htaccess file telling Apache to execute .shell files as PHP.

Our final step is to execute the shell.shell file by requesting it.

Remember the GET request we found earlier that loaded the screenshot image.
We will reuse that request, change the path, and read the response.

Change the request line to GET /files/avatar/shell.shell HTTP/2
In the response we see 200 OK with the contents of the secret echoed in the body. This confirms the payload ran server-side; if the response had instead returned our PHP source verbatim, the .htaccess rule had not taken effect.

Submit this string in the lab's solution box to complete the lab.
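To make the lesson of this lab concrete, here is an added Python model (not part of the original post and not PortSwigger's lab code) of the two checks involved: an extension blacklist like the one the lab server appears to use, beside an allowlist check that would have stopped the bypass, plus a simplified model of how the uploaded AddType directive changes which files Apache executes. The denylist contents, the allowlist, the stem pattern and the Apache model are assumptions made for illustration; the filenames and payloads are the ones used in the walkthrough above, and the PNG header is constructed.

```python
import os
import re

# Extensions a lab-style denylist refuses. Assumed for this example; the real
# list on the lab server is not visible to the client.
DENYLIST = {".php", ".phtml", ".php3", ".php4", ".php5", ".phps", ".phar"}

# Hardened alternative: accepted image extensions and the magic bytes each must start with.
ALLOWLIST = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed naming policy for uploads

# Inputs from the walkthrough. PNG_STUB is a constructed header, not a real image.
HTACCESS = "AddType application/x-httpd-php .shell\n"
PAYLOAD = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def extension(filename):
    """Lower-cased final extension. '.htaccess' has none, which is the gap the lab exploits."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def denylist_accepts(filename):
    """The weak check: refuse only if the extension is on the list. Anything else passes."""
    return extension(filename) not in DENYLIST


def allowlist_accepts(filename, content):
    """The hardened check: known image extension, plain stem, matching magic bytes."""
    stem, ext = os.path.splitext(os.path.basename(filename))
    ext = ext.lower()
    if ext not in ALLOWLIST:
        return False  # rejects .shell, .php and the extension-less .htaccess
    if not SAFE_STEM.fullmatch(stem):
        return False  # rejects dotfiles and odd names
    return content.startswith(ALLOWLIST[ext])  # rejects PHP source disguised as an image


def php_extensions(htaccess_text):
    """Extensions that AddType lines in a .htaccess map to the PHP handler.
    Simplified model of Apache's per-directory AddType; assumes mod_php and
    that AllowOverride permits FileInfo in the upload directory."""
    exts = set()
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "AddType" and parts[1] == "application/x-httpd-php":
            exts.update(e.lower() if e.startswith(".") else "." + e.lower() for e in parts[2:])
    return exts


def executed_as_php(filename, htaccess_text=""):
    """Would Apache run this file as PHP, given the directory's .htaccess rules?"""
    ext = extension(filename)
    return ext == ".php" or ext in php_extensions(htaccess_text)


def lab_uploads():
    """Run the four uploads from the walkthrough through both checks: name -> (denylist, allowlist)."""
    uploads = [
        ("screenshot.png", PNG_STUB),
        ("shell.php", PAYLOAD),
        (".htaccess", HTACCESS.encode()),
        ("shell.shell", PAYLOAD),
    ]
    return {name: (denylist_accepts(name), allowlist_accepts(name, body)) for name, body in uploads}


if __name__ == "__main__":
    for name, (weak, strong) in lab_uploads().items():
        weak_s = "accept" if weak else "reject"
        strong_s = "accept" if strong else "reject"
        print(f"{name:15} denylist={weak_s}  allowlist={strong_s}")
    print("shell.shell runs as PHP before .htaccess:", executed_as_php("shell.shell"))
    print("shell.shell runs as PHP after  .htaccess:", executed_as_php("shell.shell", HTACCESS))
```

Running the block shows that .htaccess and shell.shell pass the denylist and fail the allowlist, and that executed_as_php flips to True for shell.shell once the AddType rule is in the directory. The allowlist alone is not the whole fix: uploads should also be stored outside the web root or served from a directory configured with AllowOverride None and no PHP handler, so a stray .htaccess has no effect even if a filter is bypassed.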