Web shell upload via race condition

Web shell upload via race condition | Web Security

Introduction

So, guys, this is our last (7th) article on file upload vulnerabilities. Today, we will solve the Web shell upload via race condition lab.

Web shell upload via race condition
Lab Description

In this lab, we have an image upload function with robust validation that is harder compared to previous labs. However, we can still exploit it using a race condition of Web shell upload via race condition Web Security.

To solve this lab, we need to upload a basic PHP web shell that allows us to access a subdirectory in the home directory named “carlos”. Inside that directory, there is a file named “secret” that we need to access to get the key.

We have already been provided with the credentials: username=wiener and password=peter.

Web shell upload via race condition

First, we will log in to the lab. After logging in, we will attempt to upload a file named “phpinfo.php”. When we upload the file, we will intercept it using Burp Suite.

As you can see, the lab does not allow us to upload PHP files due to security measures in place.

First, we will use the repeater tab in Burp Suite to send the request and then save the entire history. You can see that the “filename” parameter has been changed to “p.php”.

Send Request to Turbo Intruder

Web shell upload via race condition

Now, we will send this request to the Turbo Intruder tool in Burp Suite. Before sending the request, we will add a space after the payload.

Web shell upload via race condition

As you can see in Turbo Intruder, we have added a “%” sign after the payload. This is what caused the space to be added in the request.

Select the “examples/race.py” option from the Turbo Intruder tool.

Web shell upload via race condition

Set the current connection and race value to 100. After that, click on the “Start Attack” button to begin the attack.

In Turbo Intruder, you may see a null value at position 19 in the response. To verify this, please check the “p.php” request in your browser.

As you can see, the PHP info file has been uploaded successfully.

Now, we will add our payload to the PHP Info request. Here is the payload we will use

?php

echo file_contents('/home/carlos/secrect');

?>

Send this request to Turbo Intruder.

Add a “%” sign before your payload and then click on the “Start Attack” button to begin the attack.

After clicking on the “Start Attack” button, you may receive a null request. Please view this request in your browser.

After refreshing the page, you should be able to obtain the key.

Once you have obtained the key, submit it in the lab to solve it.

Leave a Comment