PortSwigger Lab: Web shell upload via Content-Type restriction bypass | WalkThrough

WraithOP
3 min read · Jan 3, 2022

Introduction

Hello everyone, in this post I am going to share the writeup of the PortSwigger lab "Web shell upload via Content-Type restriction bypass". After signing in to the wiener account, we see an avatar upload function that does not allow application/x-php files. After changing the content type, we can upload our web shell and get code execution on the machine. We can then read the contents of /home/carlos/secret and solve the lab.

Objective

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Detection

Log in with the given credentials wiener:peter.

Under the My Account section there is an avatar upload function. We will upload a PHP web shell in this field. Before sending the exploit code, let's send this PHP code first.

<?php phpinfo(); ?>

As we can see, the website does not allow the application/x-php content type, so we need to change the content type to either image/png or image/jpeg.

The file has been successfully uploaded. To access the file, right-click on wiener's profile photo and click on view image.

Exploitation

Now let's send the exploit PHP code.

<?php
system("cat /home/carlos/secret");
?>

We now have successful RCE on the machine. Now submit this secret to solve the lab.
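The Objective says the upload function "relies on checking user-controllable input". The sketch below is an added example, not the lab's code or part of the original writeup: it puts that kind of check beside a stricter one that ignores the client-supplied type and filename. The function names, the allowlist and the two sample uploads are assumptions constructed for illustration.

```php
<?php
// Added example; function names and sample data are hypothetical/constructed.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Weak check: $file['type'] is the Content-Type of the multipart part,
// which the client sets, so it proves nothing about the file content.
function weak_check(array $file): bool
{
    return isset(ALLOWED[$file['type']]);
}

// Stricter check: ignore the client-supplied type and filename, inspect the
// bytes on disk, and return a server-generated name with a fixed extension.
// Returns null when the upload is rejected.
function strict_check(array $file): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        return null; // does not parse as an image
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

// Builds a constructed upload shaped like one entry of $_FILES.
function sample(string $name, string $claimedType, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $claimedType, 'tmp_name' => $tmp];
}

// Constructed 1x1 PNG used as the benign sample.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$uploads = [
    sample('shell.php', 'image/png', '<?php phpinfo(); ?>'), // type claimed by client
    sample('avatar.png', 'image/png', $png),
];

foreach ($uploads as $u) {
    printf("%-10s weak=%s strict=%s\n", $u['name'],
        weak_check($u) ? 'accept' : 'reject',
        strict_check($u) ?? 'reject');
    unlink($u['tmp_name']);
}
```

Content sniffing is not sufficient by itself: the server-chosen filename and extension, together with an upload directory where PHP is not executed, are what keep a stored file from running as code.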
