Introduction
In this article, we will discuss file upload vulnerabilities and solve the PortSwigger Web Security Lab on remote code execution via polyglot web shell upload.
Lab Description
The lab contains a file upload function which is vulnerable to file upload vulnerability. The developer has added security to this file upload functionality. Whenever we upload a file, its content is checked to verify whether it’s an image file or not.
In this lab, we can still upload files and execute our code on the server-side. The task is to upload a PHP web shell and access the ‘/home/carlos/secret’ file to obtain the key and solve the lab in Remote code execution.
Lab Solution
We have already been provided with the credentials: username=wiener&password=peter, which we will use to log in. After logging in, we can see a file upload feature which we will test Remote code execution.
Firstly, we will upload a simple PHP file named ‘phpinfo.php’ as follows.
<?
php phpinfo();
?>
During the file upload process, I intercepted the request in Burp Suite and noticed that the server has applied restrictions to prevent us from uploading PHP files.
As you can see, I changed the file name from “phpinfo.php” to “phpinfo.jpg,” but it didn’t work. To save time, I won’t mention the other methods I tried, but you can refer to my previous article on file upload vulnerabilities Remote code execution.
Now, go to Google and search for “magic number image search.” Open the Wikipedia website.
First, search for JPEG and copy its magic characters.
Insert the magic characters at the beginning of your payload. Remember to use Burp Suite for this process. As you can see in the screenshot above, the server is not accepting our request and still thinks it’s a PHP file.
Next, search for GIF on the wiki website and copy its magic characters.
As you can see, the server accepted the GIF characters, and we were able to bypass its security measures by making it think that we uploaded an authentic image.
Now, let’s change the payload.
GIF89a
<?
php echo file_get_contents(‘/home/carlos/secret’)
?>
After uploading the file, you can see that we obtained the key.
Submit the key in the lab to solve it.