Solving Portswigger Academy: Web shell upload via Content-Type restriction bypass
In this lab, the application trusts the Content-Type header, which is user-controlled, and does not check the actual file type.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
Access the lab and log in using the provided username and password. You will see the same upload functionality we saw in the previous lab.
Start the intercepting proxy and try to upload the same PHP shell we uploaded in the previous lab.
This time we get a forbidden message.

So some filter is blocking the upload of the .php file. When we check the upload request, the Content-Type header of the file part is application/x-php. Let's change it to image/png and send the request again.

This time the PHP file is uploaded successfully.

Send a GET request to /files/avatars/my_php_file.php and we notice it shows PAWNED!!.

Now modify the request to read the secret file.

Access the PHP file, retrieve the secret, and submit its contents in the solution box.

The issue here is that the application trusts the Content-Type header and does not inspect the contents of the file. The Content-Type header is set by the client and can be modified by the user at will.
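As an added example (not code from the lab or this post), here is the flawed check next to a hardened one: the hardened version ignores the client-supplied header as the deciding factor and requires the extension allowlist and the file's real magic bytes to agree, then stores the file under a server-generated name. The function and constant names are assumptions for illustration.

```python
from uuid import uuid4

# MIME types the application is willing to accept for an avatar.
ALLOWED_TYPES = {"image/png", "image/jpeg"}

# Bytes a file with the given extension must really start with.
# Note that there is deliberately no entry for "php" or other server-side
# extensions, so they can never pass the allowlist regardless of the header.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}


def weak_check(content_type: str) -> bool:
    """The lab's flawed logic: the decision rests only on a client-chosen header."""
    return content_type in ALLOWED_TYPES


def file_extension(filename: str) -> str:
    """Return the lower-cased extension, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def strict_check(filename: str, content_type: str, data: bytes) -> bool:
    """Hardened logic: header, extension and actual content must all agree."""
    if content_type not in ALLOWED_TYPES:
        return False
    ext = file_extension(filename)
    if ext not in MAGIC:                 # extension allowlist, not a denylist
        return False
    return data.startswith(MAGIC[ext])   # bytes must match the claimed image type


def storage_name(filename: str) -> str:
    """Never reuse the user's filename; keep only the allowlisted extension."""
    return f"{uuid4().hex}.{file_extension(filename)}"


# Constructed sample uploads (not captured from the lab).
PHP_UPLOAD = ("my_php_file.php", "image/png", b"<?php /* placeholder */ ?>")
PNG_UPLOAD = ("avatar.png", "image/png", MAGIC["png"] + b"\x00" * 16)
FAKE_PNG = ("avatar.png", "image/png", b"<?php /* placeholder */ ?>")
```

Even with content checks, the upload directory should be served without script execution, so a stray file that slips through is returned as static data rather than run.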