Self Notes: Web Security Academy File upload vulnerabilities Lab 5

(In the name of Allah, the most gracious, the most merciful)    بِسْمِ اللَّهِ الرَّحْمَنِ الرَّحِيم

In this post, we continue exploiting the PortSwigger labs on file upload vulnerabilities. Lab 5 is also of practitioner-level difficulty.

Task

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed using a classic obfuscation technique.

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Just like in the previous post, we need to upload a web shell and exfiltrate Carlos' secret, but this time we are dealing with a filter bypass. Let's play around with the upload request and find out how the filter behaves:


Above, we upload a normal JPEG and get the following response:


The file was uploaded successfully; I also tested the functionality with a PNG and it worked fine. Considering the experience from my previous post, let's start simple and attempt to upload a PHP web shell as if there were no defenses in place.


We obtain the following response:


Only PNG and JPG are allowed. We've seen that already, but let's check whether it's really enforced. First, let's see if the filter is case sensitive:



A mixed-case extension doesn't cause any problem, so the filter accepts either case and is not normalizing our extension. Next, I systematically tested the filter with various bypass methods, observing the server's response at each step and drawing inferences. The following behaviors were observed:

  • We can upload normal JPG and PNG files.
  • It accepts both uppercase and lowercase extensions, without changing the case, for both JPG and PNG.
  • It does not differentiate between JPG and PNG.
  • It accepts double extensions, e.g. pain.sql.png.
  • It rejects .pngs or .spng, so it is most likely checking the whole extension rather than a substring.
  • It rejects a double extension when the name doesn't end with png or jpg, e.g. pain2.png.sql.
  • It does not seem to be blacklisting keywords such as .php.
  • It does not check the file contents, just the extension; it seems to accept a PHP script as long as the name ends with JPG or PNG.
  • Single URL encoding does not raise an error; URL-encoded values are decoded before the check.

It seems the extension is being validated correctly, so let's try a null-byte bypass:


And we get the following response:


It seems our null byte was processed and truncated the remainder of the extension, so we've successfully uploaded a shell. All that's left is to exfiltrate Carlos' secret.
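To make the filter behavior catalogued above and the null-byte truncation concrete, here is an added example (my own illustration, not code from the lab or from PortSwigger) that models the inferred weak check, the assumed C-string storage layer that stops at the first NUL, and an allowlist-based check that closes the observed gaps. Function names, the storage model and the hardened rules are my assumptions for illustration.

```python
from urllib.parse import unquote
import re

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png"}


def weak_extension_check(raw_filename: str) -> bool:
    """Model of the lab's filter as inferred above: URL-decode the submitted
    name, take everything after the last dot and compare case-insensitively.
    A NUL byte inside the name is treated as just another character here."""
    name = unquote(raw_filename)
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


def stored_name(raw_filename: str) -> str:
    """Model (assumed for illustration) of a lower layer that treats the name
    as a C string and stops at the first NUL. The mismatch between this layer
    and the validator above is what the null-byte bypass relies on."""
    return unquote(raw_filename).split("\x00", 1)[0]


def hardened_extension_check(raw_filename: str) -> bool:
    """Allowlist check that closes the gaps observed in the lab: control
    characters (including NUL) and path separators are rejected, exactly one
    extension is permitted, and the whole lowercased extension must be in the
    allowlist. The decoded name is what gets validated, so encoding tricks
    cannot slip a different string past the check."""
    name = unquote(raw_filename)
    if not name or any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    if "/" in name or "\\" in name:
        return False
    parts = name.split(".")
    if len(parts) != 2:  # exactly one dot: stem.ext, so no double extensions
        return False
    stem, ext = parts
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False
    return ext.lower() in ALLOWED_EXTENSIONS
```

An extension check alone only addresses the bypasses listed above; a complete fix would also inspect the file content and store uploads under a server-generated name outside the web root.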


Response:


We obtain the token and submit it. Lab solved.


That will be all, see you in the next post.


