This lab was very similar to the last one. It was straightforward but still good practice since I have a hard time remembering things I’ve learned. Repetition is always helpful for learning.
Lab: Web shell upload via Content-Type restriction bypass
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this. To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit the secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter
Just like the previous lab, I uploaded an arbitrary cat image file for Burp Suite to intercept the request.
As you can see from the screenshot above, it specifies the name, filename, Content-Type, and much more information about the file we are trying to upload.
I replaced the filename with exploit.php, the Content-Type with application/x-php, and the whole PNG body with the PHP web shell code.
<?php echo file_get_contents('/home/carlos/secret'); ?>
This is the response I got from the request with the replaced values.
Sorry, file type application/x-php is not allowed only image/jpeg and image/png are allowed
This is a pretty easy fix: all I had to do was change the Content-Type value back to image/png.
Tada! We got the status code 200 and a message saying the file had been successfully uploaded.
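Why changing the header back was enough, shown from the server's side. This is an added example, not the lab's source code: the function names, the 'bytes' field and the two sample uploads are constructed here. It puts a check that trusts the declared Content-Type next to one that inspects the file content and chooses the stored name itself.

```php
<?php
// Added illustration, not the lab's source. Function names, the 'bytes' field
// and the sample uploads are constructed for this example.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Weak: 'type' is the Content-Type of the multipart part, chosen by the client
// (in a real PHP handler this is $_FILES[<field>]['type']).
function weak_check(array $upload): bool
{
    return (ALLOWED[$upload['type']] ?? null) !== null;
}

// Hardened: sniff the type from the bytes, then let the server pick the stored
// name and extension so the client's filename never reaches the filesystem.
// (A real handler would call finfo::file() on $_FILES[<field>]['tmp_name'].)
function hardened_store_name(array $upload): ?string
{
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($upload['bytes']);
    $ext = is_string($detected) ? (ALLOWED[$detected] ?? null) : null;
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a 1x1 PNG, and the request described in this write-up.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$uploads = [
    'honest image' => ['name' => 'cat.png', 'type' => 'image/png', 'bytes' => $png],
    'relabelled script' => [
        'name'  => 'exploit.php',
        'type'  => 'image/png', // declared by the client, not verified
        'bytes' => "<?php echo file_get_contents('/home/carlos/secret'); ?>",
    ],
];

foreach ($uploads as $label => $u) {
    $stored = hardened_store_name($u);
    printf("%-18s weak=%s hardened=%s\n", $label,
        weak_check($u) ? 'accept' : 'reject',
        $stored ?? 'reject');
}
```

Content sniffing alone still accepts a file that begins with valid image bytes, which is why the hardened function also discards the client's filename and assigns the extension from the detected type.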
When I went back to the account page, I saw this broken image icon right above the Upload button.
Right click on it and select Open image in new tab, and we are presented with the secret message that we were looking for. Also, notice that the URL is the path where our uploaded file is stored.
Click on the Submit solution button and enter the secret message.
Lab solved!