PortSwigger Lab: Web shell upload via extension blacklist bypass
Task
This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Attempt
After logging into the account with the given credentials, I found an avatar upload function. I uploaded a file webshell.php but got rejected, ‘php file are not allowed’.
The payload:
<?php system($_GET['cmd']); ?>
From the captured requests and response, I got the below info:
Server: Apache/2.4.41 (Ubuntu).
Has a CSRF token.
The file was sent with Content-Type: application/x-php.
Sent the response to Repeater and changed the file name into ‘webshell.php.jpg’ (double extension) and changed the content type to image/jepg (MIME type spoofing). The file was successfully uploaded, but didn’t work as a php file.
Since it used Apache (and the task explicitly instructs to upload two files), I rewrote the payload and checked if the server executes .htaccess tricks:
AddType application/x-httpd-php .jpg
Set the file name to .htaccess and the content type to text/plain. This forces Apache to treat .jpg files as PHP scripts.
Then tried the double extension attack again. Accessed https://ID.web-security-academy.net/files/avatars/webshell.php.jpg and sent the query ?cmd=cat+/home/carlos/secret. Got the flag.
Mitigation
Use stronger validation like whitelist. Also set the proper file permission to .htaccess.