Web shell upload via obfuscated file extension

In this blog I will explain how to obfuscate a file extension that is blacklisted by the application server and upload a malicious PHP script. We will use the PortSwigger File Upload lab for this example.

Problem Statement

To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener - peter

Solution

First, access the lab from the given link:

https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-obfuscated-file-extension

Then log in with the credentials provided in the problem statement:

wiener - peter

Before we begin, configure Burp Proxy to intercept traffic in the background. After that, download a sample image from the internet.

Upload the image. The request will be intercepted in the background. In Burp, go to Proxy > HTTP history. Click the filter bar to open the Filter settings dialog. Under Filter by MIME type, enable the Images checkbox, then apply your changes (highlighted in red).

Then open the GET request that is used to access the image.

Send this request to Repeater (Tab 1). Next, create a PHP file that will read the secret of user carlos:

<?php echo file_get_contents('/home/carlos/secret'); ?>

Try to upload the PHP file.

From the response we can see that the PHP extension is blacklisted and only JPG and PNG file extensions are allowed. Navigate back to the history tab and open the POST request that was used to upload the PHP file.

Send this request to Repeater (Tab 2). In Repeater, open Tab 2 and change the filename in the request to

exploit.php%00.jpg

Then send the request.

We get a 200 OK response, which means the extension check was bypassed and the file was uploaded successfully. Now open Tab 1 and edit the GET request to load the exploit file:

/files/avatars/exploit.php
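Why the null byte works, and what the server-side check should have looked like instead, is easiest to see in code. The added example below is mine, not the lab's server code (PortSwigger does not publish it) and not PHP: it models a naive blacklist that inspects only the text after the last dot, a filesystem layer that treats the name as a NUL-terminated C string (so the file is stored as exploit.php while the validator saw .jpg), and a hardened allowlist validator that rejects control bytes, path separators and stacked extensions. The blacklist and allowlist sets and the filenames are constructed for the example; the decoded NUL byte stands for the %00 in the request.

```python
"""Naive extension blacklist vs. hardened allowlist for uploaded filenames.

Added example, not code from the lab or from PortSwigger. The server side
of the lab is modelled, not reproduced.
"""
import os
import re

# Hypothetical blacklist of the kind the lab's upload handler uses.
BLACKLISTED = {".php", ".phtml", ".php3", ".php5", ".phar"}
# Hypothetical allowlist for the hardened validator.
ALLOWED = {".jpg", ".jpeg", ".png"}


def naive_is_allowed(filename: str) -> bool:
    """Blacklist check on the last extension only (the check the lab bypasses).

    os.path.splitext looks at everything after the final '.', so the decoded
    name 'exploit.php\\x00.jpg' yields '.jpg' and passes.
    """
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLISTED


def stored_name_c_style(filename: str) -> str:
    """Model of a filesystem API that reads the name as a C string.

    A NUL byte terminates the string, so 'exploit.php\\x00.jpg' is written
    to disk as 'exploit.php'. This is the mismatch the attack relies on.
    """
    return filename.split("\x00", 1)[0]


def hardened_validate(filename: str) -> str:
    """Allowlist validator: returns a safe filename or raises ValueError.

    Rejects control bytes (including NUL), any path component, and any name
    that is not exactly one base name plus one allowlisted extension.
    """
    if any(ord(c) < 0x20 or c == "\x7f" for c in filename):
        raise ValueError("control byte in filename")
    if os.path.basename(filename.replace("\\", "/")) != filename:
        raise ValueError("path components in filename")
    m = re.fullmatch(r"([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})", filename)
    if not m:
        raise ValueError("filename must be name.ext with a single extension")
    ext = "." + m.group(2).lower()
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext} not allowed")
    return m.group(1) + ext


def is_rejected(filename: str) -> bool:
    """True if the hardened validator refuses the name."""
    try:
        hardened_validate(filename)
    except ValueError:
        return False or True
    return False


def demo() -> dict:
    """Run both checks over constructed names and return the outcomes."""
    evil = "exploit.php\x00.jpg"  # constructed: the request's exploit.php%00.jpg, decoded
    return {
        "naive_accepts_evil": naive_is_allowed(evil),
        "stored_as": stored_name_c_style(evil),
        "hardened_rejects_evil": is_rejected(evil),
        "hardened_rejects_double_ext": is_rejected("exploit.php.jpg"),
        "hardened_accepts_png": hardened_validate("avatar.PNG"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point a defender should take from this is that a blacklist on the trailing extension is checking a different string than the one the filesystem eventually uses. The hardened version validates the whole name against an allowlist and refuses anything that is not a single base name plus one permitted extension; in a real handler you would additionally generate the stored filename yourself and serve uploads from a location where the web server never executes scripts, so a slip in validation cannot turn into code execution.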

The file is served and executes, returning the secret of user carlos:

gx7MkFlexgpD6730NkPBxTwEfTRN7YK4

Submit the secret using the button in the lab banner.

Lab is solved 😎
