Port Swigger File Upload Vulnerability-Lab 2

source — freepik.com

CONTENT-TYPE VALIDATION : Content-Type validation is when the server validate the content of the file by checking the MIME type of the file, which can be shown in the http request.

CONTENT-TYPE BYPASS: This type of validation can be bypassed by keeping the file name for example to “shell.php” or “shell.aspx” but changing the “Content-Type” parameter as “image/ *” Content-Type. Such as “image/png”, “image/jpeg”, and “image/gif”.

Lab 2
Exploiting flawed validation of file uploads
Web shell upload via Content-Type restriction bypass

“One way that websites may attempt to validate file uploads is to check that this input-specific Content-Type header matches an expected MIME type. If the server is only expecting image files, for example, it may only allow types like image/jpeg and image/png. Problems can arise when the value of this header is implicitly trusted by the server. If no further validation is performed to check whether the contents of the file actually match the supposed MIME type, this defense can be easily bypassed using tools like Burp Repeater.

Lab Description 
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.You can log in to your own account using the following credentials: wiener:peter

Steps:

  1. Access the lab
  2. Log in to the application using the credentials wiener: peter
  3. You can see that there is an image upload functionality

4. Click on Browse Button and use the webshell from the previous lab.
Or create one simply by opening text editor and typing

<?php echo file_get_contents(‘/home/carlos/secret’); ?>

5. Open Burp Suite and turn the intercept on {proxy — intercept on}

6. After turning on the intercept go to the web application click on browse and choose webshell.php

7. click on the Upload button

8. The request will be intercepted in the Burp suite

9. Send it to Repeater

10. Now if you forward the request in repeater it will show 403 forbidden. The web application is validating the content-type and is not accepting PHP type files

11. Try changing the Content-Type to image/jpeg or similar extensions like image/png which are usually accepted.

For more common used content types have a look at

Possible values for HTTP “Content-Type” header

Here, you can see that even when the extension of the file is PHP, it is still getting uploaded after changing the content-type to image/jpeg. It indicates that the web application is only validating the Content-Type Parameter.

12. in the proxy->Intecept tab make the changes similar to step 11 and forward the request

13. Turn the Intercept off, click on “Back to My Account” and view the page source code.

14. Click on the <img src> link, retrieve the secret, and finally submit it.

I hope you enjoyed reading this article!

--

--

--

Content Creator

Recommended from Medium

The Relationship Between Biometric Data and Mobile ID

The Security of Zard

No Rate Limit at Reset Password Endpoint can Lead to account takeover (APPLE CORP)

{UPDATE} :) Sudoku + Hack Free Resources Generator

The Quest of IoT Architects to Build Digital Identity for Machines

The Importance of Sanitization

Yellow Submarine: A Technical Deep Dive (part 1)

Github support for password authentication was removed. What to do next?

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
br4ind3ad

br4ind3ad

Content Creator

More from Medium

Leviathan — OverTheWire Wargame — Writeup

HACK THE BOX — PAPER WALKTHROUGH

[Hack The Box] Developer — Walkthrough

Gallery THM Walkthrough