Port Swigger File Upload Vulnerability-Lab 1

source — freepik.com

Definition:
File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size.

LAB 1
Exploiting unrestricted file uploads to deploy a web shell
Remote code execution via web shell upload

Lab description:This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.You can log in to your own account using the following credentials: wiener:peter

Steps:

  1. Access the lab
  2. log in to the application using the credentials wiener: peter
  3. You can see the that there is a image upload functionality

4. Open any text editor to create a basic PHP web shell and save it. let’s keep the name webshell.php

 <?php echo file_get_contents(‘/home/carlos/secret’); ?>

This web shell will echo the content of the secret file stored in the location /home/carlos

5. Open Burp Suite and turn the intercept on {proxy — intercept on}

6. Make sure that you have installed extensions like foxy proxy to easily switch between proxies or you have manually taken care of it in the preference setting

7. After turning on the intercept go to the web application click on browse and choose webshell.php

8. click on the Upload button

9. The request will be intercepted in Burp suite

10. Send the request to repeater(press Ctrl+R)

11. In the repeater tab check the response of the request by forwarding the request

12. The response shows 200 OK and the file avatars/webshell.php has been uploaded. Note that the web application is not restricting the upload of PHP file.

13. Forward the request from the intercept tab.

14. Turn of the Intercpt. Click on “ Back to My Account”

15. View Page Source, scroll down

16. Click on the Link /files/avatars/webshell.php and retrieve the secret

17. Submit it

Key Takeaways from the Lab:

No validation is done by the web application, Hence we are able to upload a malicious web shell

Impact :
read and write arbitrary files, exfiltrate sensitive data, even use the server to pivot attacks against both internal infrastructure and other servers outside the network.

I hope you enjoyed reading this article!

--

--

--

Content Creator

Recommended from Medium

FEATURE EARNING -(Airdrop claim list)

Chunkbase : How To FIND CHUNK BORDERS Tutorial! 10 Simple & Easy Ways! Minecraft Bedrock Edition

Disaster Recovery vs. Backups — What’s the Difference?

What If Google Should Create A Malware That Randomly Deletes Passwords?

Optimising Flutter CI by caching packages

Building a Delta Robot Dash app

Let's talk about OOPS!

Asp Net Core 5 Rest API Authentication with JWT Step by Step

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
br4ind3ad

br4ind3ad

Content Creator

More from Medium

BITS PERSISTENCE FOR SCRIPT KIDDIES — TrustedSec

We Need To Know Session Hijacking

Learning binary exploitation — 4

OverTheWire:~$ Bandit Level 4 → 5