PortSwigger File Upload Vulnerability: Lab 3

br4ind3ad
4 min read, Dec 11, 2021


Image by pikisuperstar

“A directory to which user-supplied files are uploaded will likely have much stricter controls than other locations on the filesystem that are assumed to be out of reach for end users. If you can find a way to upload a script to a different directory that’s not supposed to contain user-supplied files, the server may execute your script after all.”

Lab Description: This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability, i.e. path traversal. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Steps:

1. Access the lab.

2. Log in to the application using the credentials wiener:peter.

3. You can see that there is an image upload functionality.

4. Click on the browse button.

5. Select the webshell.php file that was used in the previous labs,

i.e. <?php echo file_get_contents('/home/carlos/secret'); ?>

6. Turn on Intercept in Burp Suite.

7. Click on the Upload button.

8. The request will be intercepted.

9. Send the request to the Repeater tab (Ctrl+R).

10. Send the request from Repeater without any modification; you'll notice that the file gets uploaded successfully. That means the server has no issue with the .php extension itself.

11. Forward the request from the Proxy > Intercept tab. In the browser you'll get the following message:

12. Turn the intercept off.

13. Click on "Back to My Account".

14. View the page source and click on the <img src="…"> link.

15. On clicking the link you will see that the source of webshell.php is displayed instead of the content of /home/carlos/secret.

This means that the application is not executing our PHP script. :\

16. Let's try to upload the file to a different directory, since a directory to which user-supplied files are uploaded will likely have much stricter controls than other locations.

For example, the tmp folder:

The normal permissions for /tmp are 1777, which ls shows as drwxrwxrwt.

Therefore any user can execute the file in this directory.

17. Again, let's try to upload the same web shell file but to a different directory. Intercept the request and send it to Repeater.

18. Repeater:

In the request, let's move one directory up by changing the filename parameter to "../webshell.php".

19. Send the request. In the response you can see that the file is still uploaded to avatars/webshell.php, which means the application is somehow filtering the "/".

20. Let's try to URL-encode it: "/" -> "%2F".

Replace "/" with "%2F" in the filename parameter of the request.

21. Send the request, and now we can see that the file is uploaded to avatars/../webshell.php.

22. Copy the request from Repeater to the Proxy tab and forward it. Then turn Intercept off. In the browser, the following message is displayed:

23. Go back to the main page and view the source code.

24. Click on the img src link, retrieve the secret and submit it.
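As an added example (not the lab's or PortSwigger's code), here is a Python sketch of why the encoded slash slips past the check in steps 19 to 21 and how an upload handler should validate the filename instead; the upload directory path, the allowed extensions and the function names are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical upload root used only for this example.
UPLOAD_DIR = "/var/www/images/avatars"
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def naive_save_path(filename: str) -> str:
    """Mirrors the lab's flawed order of operations: strip traversal from the
    raw filename first, then URL-decode it when building the path. A literal
    "../" is removed, but "..%2F" survives the check and decodes afterwards."""
    cleaned = filename.replace("../", "")
    return os.path.normpath(os.path.join(UPLOAD_DIR, unquote(cleaned)))


def hardened_save_path(filename: str) -> Optional[str]:
    """Decode fully, keep only the basename, allowlist the extension, then
    prove the resolved destination still lies inside UPLOAD_DIR."""
    decoded = filename
    # Decode repeatedly so double-encoding (%252F -> %2F -> /) collapses too.
    while True:
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Treat backslashes as separators as well, then drop any directory part.
    base = os.path.basename(decoded.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return None
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        return None
    root = os.path.realpath(UPLOAD_DIR)
    dest = os.path.realpath(os.path.join(root, base))
    # Final containment check: the destination must stay under the upload root.
    if os.path.commonpath([root, dest]) != root:
        return None
    return dest
```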

Bonus:

Retrieving the secret using another PHP script.

Do the above steps, but change the script to:

<?php
$output = shell_exec('cat /home/carlos/secret');
echo "<pre>$output</pre>";
?>

The shell_exec() function is similar to exec(); however, it returns the entire output as a single string.

Other scripts can be written along the same lines using functions such as exec().

Refer to this article for more commands:

I hope you enjoyed reading this article!!
