PortSwigger Lab: Web shell upload via Content-Type restriction bypass | WalkThrough
Introduction
Hello everyone, in this post I am going to share the writeup of the PortSwigger lab "Web shell upload via Content-Type restriction bypass". After signing in to the wiener account, we see an avatar upload function that does not allow application/x-php files. After changing the Content-Type, we can upload our web shell and get code execution on the machine. We can then read the contents of /home/carlos/secret and solve the lab.
Objective
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Detection
Log in with the given credentials wiener:peter.
Under the My Account section there is an avatar upload function. We will upload a PHP web shell in this field. Before sending the exploit code, let's send this PHP code first.
<?php phpinfo(); ?>
As we can see, the website does not allow the application/x-php content type, so we need to change the Content-Type of the file in the upload request to either image/png or image/jpeg.
The file has been uploaded successfully. To access the file, right-click on wiener's profile photo and click View image.
Exploitation
Now let's send the exploit PHP code.
<?php
system("cat /home/carlos/secret");
?>
We now have successful RCE on the machine. Submit this secret to solve the lab.
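The root cause this lab demonstrates, seen from the server side, as an added example that is not the lab's own code: a check on the client-declared type next to a check on the file's content. The field name avatar, the function names and the storage path are assumptions.

```php
<?php
// Added example, not the lab's server code. The field name "avatar", the
// storage directory and both function names are assumptions.

// Weak check: $_FILES[...]['type'] is copied from the Content-Type header of
// the multipart file part, so the client chooses its value.
function weak_is_allowed(array $file): bool
{
    return in_array($file['type'], ['image/jpeg', 'image/png'], true);
}

// Hardened check: ignore the declared type, inspect the bytes, and never
// reuse the client's file name or extension.
function store_avatar(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

    // MIME type detected from the file content, not taken from the request.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset($allowed[$detected])) {
        return null;
    }
    // The file must also parse as an image.
    if (getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Content sniffing alone can be fooled by a file that is both a valid
    // image and a script, so the name and extension are generated here and
    // a ".php" name sent by the client never reaches the disk.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
    if (!move_uploaded_file($file['tmp_name'], $storeDir . '/' . $name)) {
        return null;
    }
    return $name;
}

if (isset($_FILES['avatar'])) {
    // The directory should sit outside the web root or have script
    // execution disabled by the web server configuration.
    $saved = store_avatar($_FILES['avatar'], '/var/www/uploads/avatars');
    http_response_code($saved === null ? 400 : 201);
    echo $saved === null ? 'Rejected' : 'Stored as ' . $saved;
}
```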