PortSwigger — LAB-5 Web shell upload via obfuscated file extension (Bug Bounty Prep)[by…

9 months ago 82
BOOK THIS SPACE FOR AD
ARTICLE AD

Login with given credentials.

Our Aim is to read content of /home/carlos/secret
For which, we will use this simple php code.

<?php echo file_get_contents('/home/carlos/secret'); ?>

This php code uses file_get_contents to read the content of file located at /home/carlos/secret which then echos the output.

Before uploading this php file, lets upload a random image, intercept the request to understand how webserver is working.

Make sure image option is checked on from filter section of HTTP History

Image successfully uploaded.

In the burpsuite, select the POST request to /my-account/avatar which is used to upload this image file, send this reques to repeater using CTRL + R

In the website, click on Back to my account. We can see, our uploaded image is successfully loaded

Again in Burpsuite, select the GET request to /files/avatar/screenshot…… which is used to load the uploaded image.
Send this reques to repeater.

Now we know how the server is handling the request.
Lets upload our malicious .php file.

Upon uploading the php file, we can see there is some kind of sanitization or filter which is preventing us from uploading the php file.

In bursuite select the POST request and send to repeater.

Now comes the real deal. We need to bypass this filter so that we can upload the php file and get the content of secret file.

To bypass the filter we will use %00 (null byte).
When a file is named shell.php%00.jpg, some servers might interpret it as a PHP file (shell.php) rather than a JPEG image (shell.php.jpg)

Looking at the response we can confirm, php file is successfully uploaded.

Read Entire Article