Web Shell Upload via Extension Blacklist Bypass

CyberPro
Jul 26, 2023


Figure 1.1: This image shows the PortSwigger lab's title, "Web Shell Upload via Extension Blacklist Bypass", and the instructions for solving the challenge.

Analysis:

1. Log in using the provided credentials: wiener (username) and peter (password).
Figure 1.2: This image shows the “/my-account?id=wiener” page.

2. Check whether the file upload parameter properly validates file extensions:

Figure 1.3: This image shows the selected malicious file for file upload parameter.
Figure 1.4: Response after uploading the PHP file.

It seems the server does not allow PHP files.

Figure 1.5: The response in HTTP pretty format.

The server is Apache/2.4.41.

3. Search for known vulnerabilities in this Apache version.

Figure 1.6: The picture highlights an SSRF vulnerability in Apache/2.4.41.

It also emphasizes that an attacker may be able to craft an HTTP request and trick the web server.

Figure 1.7: This image shows that Apache servers have a directory-specific configuration file called ".htaccess", which allows developers to change the configuration for that directory.

Since the server does not allow the .php extension, let's try another way to execute a PHP file: make the server treat files with the '.l33t' extension as PHP, using the directive shown below:

AddType application/x-httpd-php .l33t

4. Create a file named ".htaccess" containing the configuration directive above and upload it:

Figure 1.8: This image shows the changed POST request “/my-account/avatar” directive.
Figure 1.9: Response after sending the POST request containing the configuration file.

5. Send another request, this time uploading the PHP script with the ".l33t" extension, to solve the lab:

<?php
$file = fopen("/home/carlos/secret", "r");
$content = fread($file, filesize("/home/carlos/secret"));
echo $content;
?>
Figure 2.0: Image shows the manipulated HTTP request to dump the contents of “/home/carlos/secret.”

6. After that, request "/files/avatars/exploit.l33t" using Burp Suite:

Figure 2.1: Response after sending a GET request for "/files/avatars/exploit.l33t". This highlights the dumped content of the file "/home/carlos/secret".

Recommendations:

  1. Rename uploaded files: Generate a unique filename for each uploaded file to prevent malicious users from overwriting or accessing sensitive files on the server. Avoid using user-provided filenames directly.
  2. Store files outside the web root: Save uploaded files in a directory located outside the web root, so they cannot be accessed directly through a URL. This helps prevent unauthorized access to the files.
  3. Disable script execution: Configure the server to disable script execution in the upload directories. This prevents uploaded files with malicious code from being executed as scripts on the server.
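As an added example (not code from the original post or from the lab), the following contrasts the extension blacklist this lab bypasses with an allowlist check that also rejects dotfiles such as ".htaccess", verifies the declared MIME type against the file's magic bytes, and applies recommendation 1 by generating a random storage name. The function names and the accepted image types are assumptions.

```python
import os
import secrets

# Allowlist: accepted extensions and the MIME type each must declare.
ALLOWED = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png"}

# Magic bytes for each allowed type, checked so that a PHP script
# renamed to .png is still rejected.
MAGIC = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "png": b"\x89PNG\r\n\x1a\n"}

# The weak check the lab's server effectively performs: it only rejects a
# short blacklist of extensions, so ".htaccess" (no extension at all) and
# "exploit.l33t" pass straight through.
BLACKLIST = {"php", "phtml", "phar"}


def blacklist_check(filename: str) -> bool:
    """Vulnerable check: returns True (accept) unless the extension is listed."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    return ext not in BLACKLIST


def allowlist_check(filename: str, declared_mime: str, head: bytes) -> bool:
    """Hardened check: accept only known image types with matching content."""
    base = os.path.basename(filename)
    # Reject dotfiles and double extensions: ".htaccess" has an empty
    # extension and "shell.php.png" relies on the server picking the wrong one.
    if base.startswith(".") or base.count(".") != 1:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED or ALLOWED[ext] != declared_mime:
        return False
    return head.startswith(MAGIC[ext])


def safe_storage_name(ext: str) -> str:
    """Recommendation 1: random stem, validated extension only (assumed design)."""
    if ext not in ALLOWED:
        raise ValueError("extension not in allowlist")
    return f"{secrets.token_hex(16)}.{ext}"
```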
