Solving Portswigger Academy: Web shell upload via extension blacklist bypass
In this lab we need to exploit the file upload vulnerability and read the contents of the secret file in Carlos' home directory.
Access the lab and log in with the provided credentials. You will notice the file upload functionality.
Let's try to upload a PHP file. It says Forbidden: we are not allowed to upload PHP files.

When I changed the extension to php5 it got uploaded.

But when we send a GET request to the file, it is not executed. To get around this, let's check whether we can upload an apache2.conf file with the following contents:
LoadModule php_module /usr/lib/apache2/modules/libphp.so
AddType application/x-httpd-php .php5
We are able to upload the .conf file.

Now let's re-upload the .php5 file. But again it did not work. Let's upload a .htaccess file with the contents below, which allows execution of the .php5 extension:
AddType application/x-httpd-php .php5

Let's re-upload the .php5 file and see if the server executes it.


Now we need to upload PHP code that reads the secret file.

We are able to read the contents of the file.
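For comparison, an allowlist-based upload validator that would have stopped each step of this bypass (the .php5 rename, the apache2.conf upload and the .htaccess upload). This is an added Python example, not code from the lab; the allowed extension set, the magic-byte table and the name rules are assumptions for a typical avatar upload.

```python
"""Allowlist-based upload validation (added illustration, not the lab's code)."""
import os
import re

# Assumed policy: only raster images are accepted as avatars.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes for the allowed image types (constructed table, not exhaustive).
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Stem may only contain characters that cannot form paths or extra extensions.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content):
    """Return (accepted, reason).

    Rejects anything that is not exactly one allowlisted extension whose
    content matches the declared type. A blacklist of script extensions is
    never consulted, so variants such as .php5 and server configuration
    files (.htaccess, *.conf) fall through to the same rejection path.
    """
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False, "path components or dotfiles (e.g. .htaccess) not allowed"
    parts = base.split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters in file name"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not on allowlist"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the lab's upload attempts.
    for name, body in [("avatar.php5", b"<?php echo 1;"), (".htaccess", b"AddType x"),
                       ("apache2.conf", b"LoadModule"), ("avatar.png", b"\x89PNG\r\n\x1a\nabc")]:
        print(name, validate_upload(name, body))
```

Store accepted files under a server-generated name in a directory where script execution and .htaccess overrides are disabled (for Apache, `AllowOverride None` on that directory), so a validation slip cannot become code execution.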

