This is our 4th article on File Upload Vulnerabilities. Today we will learn(File upload vulnerabilities: Web shell upload via extension blacklist bypass) how to upload a web shell through the file upload functionality. In the lab description, we were told that the file upload function of this lab is vulnerable, but the developer has blacklisted certain extensions. However, the developer did not properly blacklist the extensions, which is why there is a flaw in this function for Web shell upload via extension blacklist bypass.
We will upload a simple file named “phpinfo.php” here and intercept it in BurpSuite. After intercepting, we will send it to the “Repeater” tab.
This is a post-based request and you can clearly see that the server is not allowing us to upload .php files.
I have also tried using a double extension like phpinfo.jpg.php, but the server is still blocking me in Web shell upload via extension blacklist bypass.
Now, I have successfully uploaded a file with a “.phtml” extension based on file upload vulnerability.
When I checked in the browser, I was able to successfully access the phpinfo file. Now it’s time for me to access the /home/carlos/secret file and get the key using the following payload.
<?php echo file_get_contents('/home/carlos/secret'); ?>
With the help of this payload, I will be able to access that file.
I have uploaded the file to the server.
You can check out that finally I have received the key so. Now I will submit this key in this lab and then solve it.
After submitting the required key then the lab will start working conjurations to every one on this success.
To continue studying check out the next lab i.e. Web Shell Upload Via Obfuscated File Extension, cover the current lab before visiting the next lab. Good Luck!