Web shell upload via path traversal

Description

This lab contains a vulnerable image upload function. The server is configured to prevent execution of user-supplied files, but this restriction can be bypassed by exploiting a secondary vulnerability.

Reproduction and proof of concept

  1. Log in and upload an image as your avatar, then go back to your account page.

  2. In Burp, go to Proxy -> HTTP history and notice that your image was fetched using a GET request to /files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater.

  3. On your system, create a file called exploit.php, containing a script for fetching the contents of Carlos’s secret. For example:

<?php echo file_get_contents('/home/carlos/secret'); ?>
  1. Upload this script as your avatar. Notice that the website doesn’t seem to prevent you from uploading PHP files.

  2. In Burp Repeater, go to the tab containing the GET /files/avatars/<YOUR-IMAGE> request. In the path, replace the name of your image file with exploit.php and send the request. Observe that instead of executing the script and returning the output, the server has just returned the contents of the PHP file as plain text.

  3. In Burp’s proxy history, find the POST /my-account/avatar request that was used to submit the file upload and send it to Burp Repeater.

  4. In Burp Repeater, go to the tab containing the POST /my-account/avatar request and find the part of the request body that relates to your PHP file. In the Content-Disposition header, change the filename to include a directory traversal sequence:

Content-Disposition: form-data; name="avatar"; filename="../exploit.php"
  1. Send the request. Notice that the response says The file avatars/exploit.php has been uploaded. This suggests that the server is stripping the directory traversal sequence from the file name.

  2. Obfuscate the directory traversal sequence by URL encoding the forward slash (/) character, resulting in:

filename="..%2fexploit.php"
  1. Send the request.

File upload

The message now says The file avatars/../exploit.php has been uploaded. This indicates that the file name is being URL decoded by the server.

  1. In the browser, go back to the account page.

  2. In Burp’s proxy history, find the GET /files/avatars/..%2fexploit.php request. This gives a 404 response. But you can request this file using GET /files/exploit.php.

File upload

  1. Submit the secret to solve the lab.

Exploitability

An attacker will need to log in; upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret; and then enter this secret using the button provided in the lab banner.