Solving PortSwigger Academy: Remote code execution via web shell upload

Vishal
Sep 22, 2024


In this lab we are going to exploit the vulnerable image upload function and upload a PHP web shell to the server.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

Let’s access the lab and log in with the provided credentials. Once logged in, we can see a file upload function where we can upload an image.

Let’s start intercepting the requests and responses using an intercepting proxy. We can see the request and response below.

Request and Response

It says file uploaded successfully.

Now let’s try to upload a .php file with a simple echo command. I have created the PHP file below.

Let’s upload it and see how it works.

Our PHP file was uploaded. On the page we can see a broken image. But when I checked the history, there was a GET request to /files/avatars/my_php_file.php, and in the response I saw Hello World!

broken image

This confirms we can execute commands through a PHP file on the server. Let’s use file_get_contents() in PHP to read the file in Carlos’ home directory. Send the file upload request to Repeater and modify it.

Let’s send a GET request to /files/avatars/read_secret.php, and we are able to read the secret.

Submit the above string in the solution box to solve the lab.

The issue here is that the web application does not validate the uploaded file: it accepts PHP files, stores them on the server, and executes them when they are requested.
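
A hardened version of such an upload handler, as an added example (it is not the lab's code or part of the original post). The form field name `avatar`, the storage path and the size limit are assumptions:

```php
<?php
// Added example: hardened avatar upload handler. Not the lab's code.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads/avatars'; // assumed path; PHP execution must be disabled here
const MAX_BYTES  = 1048576;                    // assumed 1 MiB limit
// Content type => extension the server will assign. Nothing else is accepted.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error');
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('not an accepted upload');
    }
    // Type comes from the file's bytes, never from the client's filename
    // or Content-Type header (both are controlled by the uploader).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not allowed');
    }
    // It must also parse as an image.
    if (@getimagesize($tmp) === false) {
        throw new RuntimeException('not an image');
    }
    // Server-chosen random name plus an allowlisted extension: an image that
    // also contains PHP code still ends up with a non-executable extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // no execute bits on stored uploads
    return $name;
}

try {
    $name = store_avatar($_FILES['avatar'] ?? []); // 'avatar' field name is assumed
    echo 'Stored as ' . $name;
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Invalid upload';
}
```

Validation is only one layer: the upload directory should also be served with script execution turned off, so that a file which slips through is returned as data rather than run.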
