PortSwigger File Upload Vulnerability - Lab 4

br4ind3ad
4 min read · Dec 11, 2021

Read this Amazing blog:

What exactly is .htaccess in Apache?

Apache .htaccess files allow users to configure directories of the web server they control without modifying the main configuration file.

If .htaccess contains this content:

AddType application/x-httpd-php .php16
# Every file whose name ends in .php16 is now handed to the PHP handler and executed
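From the defender's side, the directive above only has an effect when Apache is allowed to read .htaccess files in the upload directory at all. The following configuration fragment is an added example, not part of the post or the lab, and the directory path is an assumption; it shows the settings that make an uploaded .htaccess inert and stop PHP from running in the upload tree even if a script does land there.

```apache
# Added example: hardening for a directory that stores user uploads.
# The path is an assumption; adjust it to the real upload location.
<Directory "/var/www/html/uploads">
    # Never read .htaccess here, so an uploaded one cannot add handlers
    AllowOverride None

    # mod_php: disable the PHP engine for this tree regardless of extension
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Refuse to serve any dotfile (.htaccess, .user.ini, ...) from this tree
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</Directory>
```

With AllowOverride None the AddType trick in this lab has no effect; the engine-off flag and the dotfile deny rule are defence in depth in case the handler is later misconfigured.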

To learn more about it:

Lab 4
Insufficient blacklisting of dangerous file types
Web shell upload via extension blacklist bypass

Lab Description: This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Steps:

  1. Access the lab.
  2. Log into the application using the credentials wiener:peter.
  3. The application has an image upload function.
  4. Try to upload a basic web shell in PHP.

[In Burp: intercept the request → send to Repeater]

You can see that the web application does not accept a .php file.

5. Now: “the current goal is to have the possibility to execute php code in other file than .php. You can do the trick with .htaccess.”

If you create a .htaccess file, it will be treated as hidden:

In Unix-like operating systems, any file or folder that starts with a dot character (for example, /home/user/.config), commonly called a dot file or dotfile, is to be treated as hidden — that is, the ls command does not display them unless the -a or -A flags (ls -a or ls -A) are used.

Therefore, upload any file, intercept the request, and change the filename to .htaccess and the file content to AddType application/x-httpd-php .php16.

Here php16 is an arbitrary extension; you can use any string in its place. The directive tells Apache to execute every file whose name ends in .php16 as PHP.

Also, change the Content-Type to text/plain, which is the default for textual files. Even though it really means “unknown textual file,” browsers assume they can display it.

In the response, the .htaccess file gets uploaded successfully.

6. Send the request from the Proxy tab; you’ll see the following in the browser window.

7. Now try to upload a simple web shell with the extension .php16. You can also change the extension in the filename parameter while intercepting the request.

8. Upload webshell.php16.

9. Click on “Back to My Account”.

10. View the page source, click on the img src link, and retrieve the secret.
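The root cause of this lab is that the upload handler only denies a fixed list of extensions, so a dotfile like .htaccess (which has no extension at all) and an invented extension like .php16 both slip through. The following Python is an added example, not code from the lab or the post, that places the weak blacklist beside an allowlist-based check and a content sniff; the blacklist contents, the accepted image types and the sample uploads are all constructed for illustration.

```python
import os
import re
from typing import Optional

# Constructed blacklist modelled on the kind of filter the lab bypasses
# (assumption: the lab's real list is not shown in the post).
BLACKLIST = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}

# What a hardened handler accepts instead: only image extensions (assumption).
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# The stem may contain only letters, digits, underscore and hyphen, so a
# second dot (shell.php.png) or a path separator can never get through.
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Magic bytes of the accepted formats. The Content-Type header is chosen by
# the client (the lab sets it to text/plain), so it is not consulted at all.
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")


def blacklist_allows(filename: str) -> bool:
    """The weak check: deny a fixed list of extensions, allow everything else."""
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLACKLIST


def storage_name(filename: str) -> Optional[str]:
    """Hardened name check: return the normalised name to store under, or None.

    Rejects path components, dotfiles (splitext treats .htaccess as a name
    with an empty extension), non-image extensions and unusual stems.
    """
    if filename != os.path.basename(filename):
        return None                        # contains a path separator
    if filename.startswith("."):
        return None                        # .htaccess, .user.ini and friends
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None                        # .php16, .phtml, .php.png ...
    if not SAFE_STEM.fullmatch(stem):
        return None                        # shell.php.png -> stem "shell.php"
    return f"{stem}{ext}"


def looks_like_image(data: bytes) -> bool:
    """Content check that is independent of filename and Content-Type."""
    return any(data.startswith(m) for m in MAGIC)


def accept_upload(filename: str, data: bytes) -> Optional[str]:
    """Combined decision: name passes the allowlist AND the bytes look like an image."""
    name = storage_name(filename)
    if name is None or not looks_like_image(data):
        return None
    return name


if __name__ == "__main__":
    # Constructed sample uploads: the two requests from the lab and a PNG-like file.
    samples = [
        (".htaccess", b"AddType application/x-httpd-php .php16\n"),
        ("shell.php16", b"<?php /* not executed by this handler */ ?>"),
        ("avatar.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(f"{name:12} blacklist={blacklist_allows(name)!s:5} "
              f"hardened={accept_upload(name, body)}")
```

Running the script shows the blacklist accepting both .htaccess and shell.php16 while the hardened path stores only avatar.png; the stem check is what defeats the double-extension variant, and the magic-byte sniff is what makes the attacker-chosen Content-Type irrelevant.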

Hope you enjoyed reading!
