In this article, we cover the "Web shell upload via obfuscated file extension" lab. This is the 5th part of our file upload vulnerabilities series.
Lab description

In this lab, we have a vulnerability in the image upload function. The developer has set up a backend filter that blocks every file extension except image extensions. We will bypass this check using a classic filename obfuscation technique.
To solve the lab, we need to upload a PHP web shell and use it to fetch the /home/carlos/secret file from the server. We then submit the secret as the key to solve the lab. The lab credentials are provided: username wiener and password peter.
Solving the lab step by step

First, we log in to the lab using the provided username and password.

We attempt to upload a simple PHP file named phpinfo.php.

While uploading the file, we enable our Burp proxy and intercept the request. We then send the request to Repeater so we can modify and resend it.

The application only lets us upload JPG and PNG files through the browser. We attempt to bypass this restriction and upload our web shell anyway.

We first try to bypass the filter with a double extension, such as phpinfo.jpg.php, but the server rejects it.

When we modify the extension differently, we bypass the filter: we upload the file with filename="exploit.php%00.jpg". This is a null byte injection, as ChatGPT explained to me.

If you have any confusion, you can ask ChatGPT and it will give you a proper explanation. For example, ChatGPT told me that I was using a technique called null byte injection.

After uploading the file successfully, we try to access it, but the server blocks us. We try different extensions, but without success.

Finally, we go back to our original payload, the null byte injection with filename="exploit.php%00.jpg". We access the secret file and retrieve the key.
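To show why the null byte defeats the filter, and what the fix looks like, here is an added example (not part of this walkthrough or the lab's code). It models the weak pipeline as an assumption: the filter URL-decodes the multipart filename and only inspects the text after the last dot, while a lower layer treats the name as a NUL-terminated C string and so stores exploit.php%00.jpg as exploit.php. The hardened validator beside it rejects control characters, checks the extension against an allow-list, confirms the bytes carry the image signature the extension claims, and stores the file under a server-generated name. The magic-byte table and sample inputs are constructed for the example.

```python
import os
import secrets
from urllib.parse import unquote

# Allow-list of extensions the upload endpoint is meant to accept.
ALLOWED_EXT = {".jpg", ".jpeg", ".png"}
# Constructed magic-byte table for the accepted image types.
MAGIC = {b"\xff\xd8\xff": ".jpg", b"\x89PNG\r\n\x1a\n": ".png"}

# Constructed sample contents.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # begins like a JPEG
SHELL_SAMPLE = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


def weak_extension_check(filename: str) -> bool:
    """Models the lab's filter (assumption): URL-decode the multipart
    filename and only look at whatever follows the last dot."""
    name = unquote(filename)
    return os.path.splitext(name)[1].lower() in ALLOWED_EXT


def c_string_name(filename: str) -> str:
    """Models a lower layer (filesystem call, C library) that treats the
    decoded name as a NUL-terminated string: everything after the first
    null byte is silently dropped."""
    return unquote(filename).split("\x00", 1)[0]


def weak_store(filename: str):
    """Name the weak pipeline would store the file under, or None if the
    filter rejects the upload."""
    if not weak_extension_check(filename):
        return None
    return c_string_name(filename)


class UploadRejected(ValueError):
    """Raised by the hardened validator when an upload must not be stored."""


def hardened_store(filename: str, content: bytes) -> str:
    """Hardened replacement: reject control characters outright, validate
    the extension against the allow-list, confirm the bytes really are the
    image type the extension claims, and never reuse the client's name."""
    name = unquote(filename)
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        raise UploadRejected("control character in filename")
    # Strip any directory component the client may have sent.
    name = os.path.basename(name.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not an image extension")
    if ext == ".jpeg":
        ext = ".jpg"
    detected = next((e for magic, e in MAGIC.items() if content.startswith(magic)), None)
    if detected is None:
        raise UploadRejected("content does not start with a known image signature")
    if detected != ext:
        raise UploadRejected(f"content is {detected} but the name claims {ext}")
    # Server-generated name: nothing chosen by the client reaches the filesystem.
    return secrets.token_hex(16) + ext


def hardened_accepts(filename: str, content: bytes) -> bool:
    """Convenience wrapper: True if the hardened validator would store the file."""
    try:
        hardened_store(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    for candidate in ("phpinfo.php", "phpinfo.jpg.php", "exploit.php%00.jpg"):
        print(f"{candidate:20} -> weak pipeline stores {weak_store(candidate)!r}")
    checks = (("exploit.php%00.jpg", JPEG_SAMPLE), ("avatar.jpg", SHELL_SAMPLE), ("avatar.jpg", JPEG_SAMPLE))
    for candidate, data in checks:
        try:
            print(f"{candidate:20} -> hardened stores {hardened_store(candidate, data)}")
        except UploadRejected as why:
            print(f"{candidate:20} -> rejected: {why}")
```

The point of the hardened version is that no single check carries the whole weight: even if an attacker finds a name the extension test accepts, the content check and the server-generated filename mean nothing the client chose is ever interpreted by the web server as a script name.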

Our file has been uploaded successfully. Remember, whenever you access your uploaded file in the browser, try both the single extension and the double extension.
<?php echo file_get_contents('/home/carlos/secret'); ?>
Now we use our original payload to access the secret file.

As you can see, I have added my payload, which is a web shell, to the body of the PHP file. After forwarding the request, we view the result in the browser.
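From the defender's side, the tell-tale signs of this lab's technique show up in the web server access log: a request under the upload directory containing a %00, or a resource with a script extension being served from a directory that should only hold images. The following added example (not part of this walkthrough or the lab) scans combined-format access log lines for those patterns. The upload path /files/avatars/ and every log line are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed: the web-root path where this application stores uploaded avatars.
UPLOAD_PREFIX = "/files/avatars/"
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Extensions a PHP-capable web server might execute; tune for your stack.
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar"}

# Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines; none of this is real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2024:10:01:02 +0000] "GET /files/avatars/wiener.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [03/Mar/2024:10:02:15 +0000] "GET /files/avatars/exploit.php%00.jpg HTTP/1.1" 404 312
10.0.0.9 - - [03/Mar/2024:10:02:20 +0000] "GET /files/avatars/exploit.php HTTP/1.1" 200 44
10.0.0.9 - - [03/Mar/2024:10:02:25 +0000] "GET /files/avatars/shell.jpg.php HTTP/1.1" 200 44
10.0.0.7 - - [03/Mar/2024:10:03:00 +0000] "GET /my-account HTTP/1.1" 200 2048
"""


def assess(line: str):
    """Return (decoded_path, [reasons]) for a suspicious request under the
    upload directory, or None for lines that need no attention."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path = m["target"].split("?", 1)[0]
    path = unquote(raw_path)
    if not path.startswith(UPLOAD_PREFIX):
        return None
    reasons = []
    if "\x00" in path:
        reasons.append("null byte in requested path")
    basename = path.rsplit("/", 1)[-1].lower()
    exts = ["." + part for part in basename.split(".")[1:]]
    if exts and exts[-1] not in IMAGE_EXT:
        reasons.append(f"non-image resource {exts[-1]!r} requested from upload directory")
    # Substring match so that a name such as exploit.php<NUL>.jpg is still caught.
    if any(script in basename for script in SCRIPT_EXT):
        reasons.append("script extension present in filename")
    if reasons and m["status"].startswith("2"):
        reasons.append("served with 2xx: the file exists and may have been executed")
    return (path, reasons) if reasons else None


def scan(log_text: str):
    """Run assess() over every line and keep the hits, in log order."""
    return [hit for hit in (assess(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG):
        print(repr(path))
        for reason in reasons:
            print("   -", reason)
```

A 404 on the %00 request followed by a 200 on the same name with the suffix removed is exactly the sequence this walkthrough produces, so the two lines together are a stronger signal than either alone. The durable fix is configuration rather than detection: serve the upload directory with script execution disabled so that a stored .php file is returned as bytes, never run.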

We submit the key to solve the lab.

We have successfully solved the lab.