.png)
17 hours ago
8 BOOK THIS SPACE FOR AD
ARTICLE AD
In today’s Pentesting Methodology Lab Walkthrough at the Cybersec Cafe, I’ll be approaching a File Upload Vulnerability and detailing my step-by-step methodology through to exploitation. These writeups are from controlled environment to explain my methodology in order to help you learn how to test applications yourself.
Upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret
We will need to upload two different files to solve this lab.
A file upload vulnerability occurs when an application allows users to upload files without properly validating or restricting the file types and content. Attackers can exploit this flaw by uploading malicious files, such as scripts or executables, which can lead to unauthorized code execution or compromise of the server.
If you enjoy this article and want to be the first to see more like it, consider subscribing to my newsletter, the Cybersec Cafe, for free. I post content there first, and here second. Plus, you’ll get it straight to your inbox.
My goal is to deliver you value in various cybersecurity topics each week and to become your ultimate destination for expanding your expertise or for any aspiring cybersecurity professionals to break into the field.
Want to give the lab a try yourself and follow along? You can check it out on PortSwigger’s website here for free.
We’re met with a standard blog application — one that we’ve seen many times while attacking labs in this series.
But, what’s different this time around?
In the blog post comment section, we have the ability to upload a user avatar with our comment.
Let’s go ahead and upload an image and send a test comment to capture.
Now, let’s go ahead and login to our test account.
We can see we’re met with a familiar email update feature, but also with an Avatar upload feature.
Let’s also submit a file to upload our avatar here to capture the request.
Make sure the image size is small enough, otherwise the application will error out. Our goal is to capture the request and be met with a success message that the file has been uploaded.
Now, navigate to your Burp instance and find both the GET and POST request under my-account/avatar. Send both requests to the Repeater.
Now, open up your CMD line and create a file called exploit.php.
You can run the command touch exploit.php to create the file, then nano exploit.php to edit it. Or, use a text editor of your choice.
Add the following PHP paylod to your exploit file:
<?php echo file_get_contents(‘/home/carlos/secret’); ?>
This file will find the contents of our secret file and print the out using the echo command.
Let’s try to upload it.
Oh no… there is an error uploading the file. It loks like the application blocks uploading of PHP files.
There must be reasoning to this…
Let’s take a look at the POST request used to upload the file for clues. Specifically, the Response:
We can see we’re communicating with an Apache server, which has some protections in place to block this filetype.
There may be something here…
Upload the PHP file again, but this time, intercept the request instead of forwarding it, send it to the Repeater.
Make the following changes:
Change the filename parameter to .htaccessChang the Content-Type to text/plainReplace the contents of the file with the following Apache directive: AddType application/x-httpd-php .cybersecThis will map an arbitrary extension (.cybersec in this case) to the executable MIME type application/x-httpd-phpGo ahead and send this, and see that we’re met with a 200 response — verifying the file has been uploaded successfully.
Now, use the back arrow in Repeater to change back to the original request for uploading your PHP exploit.
Now, change our filename to exploit.cybersec (or, whatever arbitrary extension you created).
We can see the file was now uploaded successfully!
Now navigate back to your account in the GUI and refresh the page. This will trigger the retrieval of our new exploit avatar file.
Navigate over to your HTTP History under the Burp Proxy tab, and you can see the GET request used to retrieve the image:
Inside, we can see we retrieved the secret string. Take this and submit it to solve the lab!
File uploads are potentially dangerous features in web applications. If proper protections are not in place to filter out malicious types, attackers can potentially compromise your users or your entire application. Use a service you trust when building web apps to handle file uploads.
—
Remember: The Cybersec Café gets articles first. Subscribe for free here.
Interested in getting into Cybersecurity? I have a course called the Security Sip. The curriculum is designed to help you build skills progressively over 12 sections, 85 modules, and 155 exercises. With rapidly evolving threats and technologies widening the skill gap, it’s time to secure your future in cybersecurity. Available Now!
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X. Can’t wait to keep sharing and learning together!
Bengali (Bangladesh) · 
English (United States) ·