PortSwigger Lab: Web shell upload via path traversal | WalkThrough
Introduction
Hello everyone, in this post I will be showing the writeup of the Burp Suite lab "Web shell upload via path traversal". After signing in we can see an avatar upload function, and here we are going to upload a PHP web shell. The default folder where avatars are kept has php_flag engine off set in its .htaccess file, so PHP is not executed there. We will then combine a path traversal (LFI-style) vulnerability in the upload with the file upload vulnerability itself to bypass that restriction and complete the lab.
Target
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Detection
Log in with the credentials given to us.
After logging in we can see an avatar upload function, so let's try to upload some PHP web shells.
Kali already ships with web shells, and here I am going to use the qsd-php web shell.
There are other built-in web shells too; you can see the full list here.
Right-click on the image and then click View Image.
It looks like PHP is not executing as intended.
Let's try another web shell (wwwolf-php-shell).
Exploitation
Maybe we can place our web shell in some other folder.
/images directory
Result: Failed
/home directory
It has been uploaded, but we cannot access that file. What we can see here, though, is an LFI vulnerability.
Result: Failed
/files directory
Yes, it worked.
But the problem is that the commands are not working here; maybe we can upload a file that already executes the PHP commands we need.
And it worked.
Submit that secret to complete the lab.
Now let's see why our PHP code was getting blocked.
Code — Analysis
- The .htaccess file in the avatars directory is blocking our PHP code from executing as intended, which is why the shell only ran once it was written to a directory that this rule does not cover. You can read more about this here.
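As an added defensive example (not the lab's code and not the author's), here is how an upload handler can refuse the filename trick that let the shell land outside the protected avatars directory, so that the .htaccess rule is no longer the only thing standing between an upload and execution. The upload directory, the allowed extensions and the function names are assumptions for illustration.

```python
import os
import re
from urllib.parse import unquote

# Assumed for this example: the image extensions the avatar endpoint accepts.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


class UnsafeFilename(ValueError):
    """The client-supplied filename was rejected before anything was written."""


def safe_avatar_path(upload_dir: str, client_filename: str) -> str:
    """Return the path to store an upload under, or raise UnsafeFilename.

    The lab's root cause is that the server trusts the multipart filename
    verbatim, so a name carrying "../" escapes the avatars directory and
    lands where 'php_flag engine off' no longer applies.
    """
    # Decode repeatedly so "..%2f" and "..%252f" are judged the same as "../".
    name = client_filename
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    # Any directory separator, dot-only name or NUL byte is refused outright
    # (and is worth logging: a legitimate browser never sends these).
    if re.search(r"[\\/\x00]", name) or name in ("", ".", ".."):
        raise UnsafeFilename(f"rejected filename: {client_filename!r}")
    # Conservative character set for the stored name.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise UnsafeFilename(f"rejected filename: {client_filename!r}")
    # Whitelist the final extension; .php, .phtml and the rest are refused.
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"rejected extension: {client_filename!r}")
    # Belt and braces: the resolved target must still sit inside upload_dir.
    base = os.path.realpath(upload_dir)
    target = os.path.join(upload_dir, name)
    if os.path.commonpath([base, os.path.realpath(target)]) != base:
        raise UnsafeFilename(f"path escapes upload dir: {client_filename!r}")
    return target


def is_accepted(upload_dir: str, client_filename: str) -> bool:
    """True if the upload would be stored, False if the filename is rejected."""
    try:
        safe_avatar_path(upload_dir, client_filename)
        return True
    except UnsafeFilename:
        return False
```

Generating a random server-side filename instead of reusing the client's is stronger still; the checks above are the minimum when the original name must be kept.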