File upload vulnerabilities
https://portswigger.net/web-security/file-upload
Lab: Remote code execution via web shell upload
This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
My-account -> Login -> Upload Avatar
GET /files/avatars/data.php HTTP/1.1
Lab: Web shell upload via Content-Type restriction bypass
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
My-account -> Login -> Upload Avatar
Error:
Sorry, file type application/x-php is not allowed
Only image/jpeg and image/png are allowed
Sorry, there was an error uploading your file.
GET /files/avatars/data.php HTTP/1.1
Lab: Web shell upload via path traversal
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
My-account -> Login -> Upload Avatar
GET /files/avatars/..%2fdata.php HTTP/1.1
GET /files/data.php HTTP/1.1
Lab: Web shell upload via extension blacklist bypass
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
My-account -> Login -> Upload Avatar
Error:
Sorry, php files are not allowed
Sorry, there was an error uploading your file.
Intruder attack over alternative extensions -> only the .php extension is blocked, the others are not
GET /files/data.phtml HTTP/1.1
Lab: Web shell upload via obfuscated file extension
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
My-account -> Login -> Upload Avatar
Error:
Sorry, only JPG & PNG files are allowed
Sorry, there was an error uploading your file.
GET /files/avatars/data.php HTTP/1.1
Lab: Remote code execution via polyglot web shell upload
This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
My-account -> Login -> Upload Avatar
Error:
Error: file is not a valid image
Sorry, there was an error uploading your file.
GET /files/avatars/data.php HTTP/1.1
Lab: Web shell upload via race condition
This lab contains a vulnerable image upload function. Although it performs robust validation on any files that are uploaded, it is possible to bypass this validation entirely by exploiting a race condition in the way it processes them.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret.
We took advantage of the algorithm's processing time.
Turbo Intruder ->
Attack -> The answer is in the HTTP 200 response.
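The same labs seen from the defender's side: a server-side upload validator that closes each bypass above (untrusted Content-Type, path traversal, extension blacklist, obfuscated extensions, polyglot image, race condition). This is an added example, not PortSwigger's lab code; it is written in Python rather than the labs' PHP, and the function names, the directory layout and the constructed JPG_SAMPLE are assumptions.

```python
import os
import re
import secrets
import tempfile
from urllib.parse import unquote
# Allowed extensions and the magic bytes each file type must begin with.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
JPG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16  # constructed: a bare JPEG header

def validate_upload(filename: str, data: bytes) -> str:
    """Return the extension to store under, or raise ValueError. The client's
    Content-Type header is never consulted: it is attacker-controlled."""
    # Path traversal: URL-decode, then keep only the final path component, so
    # '..%2fdata.php' cannot escape the avatars directory.
    name = unquote(filename).replace("\\", "/").rsplit("/", 1)[-1]
    if not name or "\x00" in name:
        raise ValueError("empty filename or null byte")
    # Obfuscated extensions: require exactly <stem>.<ext>, so double extensions,
    # trailing dots and mixed case ('x.php.jpg', 'x.php.', 'x.pHp') all fail.
    parts = name.split(".")
    if len(parts) != 2 or not SAFE_STEM.match(parts[0]):
        raise ValueError("filename must be <name>.<ext>")
    ext = parts[1].lower()
    if ext not in ALLOWED:  # allowlist: a blacklist misses .phtml, .phar, ...
        raise ValueError(f"extension .{ext} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content is not the declared image type")
    # Polyglot: a genuine JPEG can still carry PHP in a comment segment; this check
    # is a heuristic, re-encoding the image through an image library is the robust fix.
    if b"<?php" in data or b"<?=" in data:
        raise ValueError("script tag embedded in image")
    return ext

def store_upload(upload_dir: str, filename: str, data: bytes) -> str:
    """Validate first, then write under a random name and publish it with one
    atomic rename, so an unvalidated file is never reachable (no race window)."""
    ext = validate_upload(filename, data)
    fd, tmp = tempfile.mkstemp(dir=upload_dir, suffix=".part")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    final = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    os.replace(tmp, final)  # atomic on the same filesystem
    return final
def rejects(filename: str, data: bytes = JPG_SAMPLE) -> bool:
    try:
        validate_upload(filename, data)
    except ValueError:
        return True
    return False
def demo_store() -> str:  # stores JPG_SAMPLE as 'avatar.JPG' in a fresh temp dir
    return store_upload(tempfile.mkdtemp(), "avatar.JPG", JPG_SAMPLE)
```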