Self Notes: Web Security Academy File upload vulnerabilities Lab 5
(In the name of Allah, the most gracious, the most merciful) بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيم
In this post, we continue exploiting the file upload vulnerability labs from PortSwigger. Lab 5 is also of practitioner-level difficulty.
Task: This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Just like the previous post, we need to upload a web shell and exfiltrate Carlos' secret, but in this case, we are dealing with a filter bypass. Let's play around with the upload request and find out:
Above, we upload a normal JPEG and get the following response:
The file was uploaded successfully. I also tested the functionality with a PNG and it worked fine. Considering the experience from my previous post, let's start simple: let's attempt to upload a PHP web shell as if there were no defenses in place.
We obtain the following response:
Only PNG and JPG are allowed; we've seen that already, but let's see if that's true. First, let's check whether the filter is case sensitive:
A mixed-case extension doesn't cause any problem, so we can confirm that the filter is not normalizing our extension. Next, I systematically test the filter with various bypass methods, observing the server's response at each step and making inferences. The following behaviors were observed:
- We can upload normal JPG and PNG files.
- It accepts both uppercase and lowercase extensions, for both JPG and PNG, without changing the case.
- It does not differentiate between JPG and PNG.
- It accepts double extensions, e.g. pain.sql.png.
- It rejects .pngs and .spng, so most likely it's checking the whole extension rather than a substring.
- It rejects double extensions when the filename doesn't end with .png or .jpg, e.g. pain2.png.sql.
- It does not seem to be blacklisting keywords such as .php.
- It does not check the file contents, just the extension: it accepts a PHP script as long as the filename ends with .jpg or .png.
- Single URL encoding does not raise an error; URL-encoded values are simply decoded before the check.
It seems the extension is being validated correctly, so let's try a null-byte bypass:
And we got the following response:
It seems our null byte was processed and terminated the remaining part of the extension, so we've successfully uploaded a shell. All that is left is to exfiltrate Carlos' secret.
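To make the root cause concrete, here is an added example (my own illustration, not the lab's code) that models the two sides of the bug: a filter that URL-decodes the client filename and checks only the text after the last dot, and a storage layer that treats the name as a NUL-terminated string. It reproduces the behaviors observed above (case-insensitive allowlist, double extensions, .pngs/.spng rejected) and shows a hardened validator that rejects control characters, never decodes, and generates the stored name server-side. Filenames and the exact filter logic are assumptions for illustration.

```python
import secrets
from typing import Optional
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg"}


def weak_extension_check(filename: str) -> bool:
    """Assumed model of the lab's filter: URL-decode, then accept if the text
    after the last dot is on the allowlist (case-insensitive). NUL is ignored."""
    decoded = unquote(filename)
    if "." not in decoded:
        return False
    return decoded.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def name_as_stored(filename: str) -> str:
    """Assumed model of a C-string based filesystem call: everything after the
    first NUL byte is dropped, so the extension that passed the check vanishes."""
    return unquote(filename).split("\x00", 1)[0]


def hardened_upload_name(filename: str) -> Optional[str]:
    """Return a safe server-side filename, or None to reject the upload.
    - no decoding step: the name is validated exactly as received
    - control characters (including NUL) and path separators are rejected
    - only the final extension is compared, lower-cased, against an allowlist
    - the client's base name is never reused; a random one is generated"""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in filename):
        return None
    if "/" in filename or "\\" in filename:
        return None
    base, dot, ext = filename.rpartition(".")
    if not dot or not base:  # no extension, or dotfile like ".htaccess"
        return None
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample names mirroring the observations in this post.
    for name in ["photo.PNG", "pain.sql.png", "pain2.png.sql", "x.pngs", "shell.php%00.jpg"]:
        print(f"{name!r:22} weak={weak_extension_check(name)!s:5} "
              f"stored_as={name_as_stored(name)!r:14} hardened={hardened_upload_name(name)}")
```

The last sample passes the weak check yet is stored without its .jpg suffix, which is exactly the mismatch the null byte exploits; the hardened function either rejects it (raw NUL) or stores it under a random allowlisted name (encoded NUL), so the check and the write can no longer disagree.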
Response:
We obtain the token and submit it. Lab solved.
That will be all, see you in the next post.