Web shell upload via Content-Type restriction bypass
Description
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
Reproduction and proof of concept
Log in and upload an image as your avatar, then go back to your account page.
In Burp, go to Proxy -> HTTP history and notice that your image was fetched using a
GET
request to/files/avatars/<YOUR-IMAGE>
. Send this request to Burp Repeater.On your system, create a file called
exploit.php
, containing a script for fetching the contents of Carlos’s secret. For example:
<?php echo file_get_contents('/home/carlos/secret'); ?>
Attempt to upload this script as your avatar.
Sorry, file type application/x-php is not allowed Only image/jpeg and image/png are allowed Sorry, there was an error uploading your file.
� Back to My Account
The response indicates that you are only allowed to upload files with the MIME type image/jpeg
or image/png
.
In Burp, go back to the proxy history and find the
POST /my-account/avatar
request that was used to submit the file upload. Send this to Burp Repeater.In Burp Repeater, go to the tab containing the
POST /my-account/avatar
request. In the part of the message body related to your file, change the specifiedContent-Type
toimage/jpeg
.Send the request.
The response indicates that your file was successfully uploaded.
Switch to the other Repeater tab containing the
GET /files/avatars/<YOUR-IMAGE>
request. In the path, replace the name of your image file withexploit.php
and send the request. Observe that Carlos’s secret was returned in the response.Submit the secret to solve the lab.
Exploitability
An attacker will need to log in to wiener:peter
; upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret
; and then enter this secret using the button provided in the lab banner.