Welcome back to the Methodology Walkthrough at the Cybersec Cafe. Today, we’ll be looking at something fresh - a file upload vulnerability.
Objective
Upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret
What We Know
We will need to upload two different files to solve this lab.
What is a File Upload Vulnerability?
A file upload vulnerability occurs when an application allows users to upload files without properly validating or restricting the file types and content. Attackers can exploit this flaw by uploading malicious files, such as scripts or executables, which can lead to unauthorized code execution or compromise of the server.
Methodology
The Recon
We’re met with a standard blog application - one that we’ve seen many times while attacking labs in this series.
But, what’s different this time around?
In the blog post comment section, we have the ability to upload a user avatar with our comment.
Let’s go ahead and upload an image and send a test comment so we can capture the request.
Now, let’s go ahead and log in to our test account.
We can see we’re met with a familiar email update feature, but also with an Avatar upload feature.
Let’s also submit a file to upload our avatar here to capture the request.
Make sure the image size is small enough, otherwise the application will error out. Our goal is to capture the request and be met with a success message that the file has been uploaded.
Now, navigate to your Burp instance and find both the GET and POST request under my-account/avatar. Send both requests to the Repeater.
Testing
Now, open your command line and create a file called exploit.php.
You can run the command touch exploit.php to create the file, then nano exploit.php to edit it. Or, use a text editor of your choice.
Add the following PHP payload to your exploit file:
<?php echo file_get_contents('/home/carlos/secret'); ?>
This script reads the contents of the secret file and prints them out using the echo command.
Let’s try to upload it.
Oh no… there is an error uploading the file. It looks like the application blocks uploading of PHP files.
There must be a reason for this…
Let’s take a look at the POST request used to upload the file for clues. Specifically, the Response:
We can see we’re communicating with an Apache server, which has some protections in place to block this filetype.
There may be something here…
Exploitation
Upload the PHP file again, but this time, intercept the request and, instead of forwarding it, send it to the Repeater.
Make the following changes:
Change the filename parameter to .htaccess
Change the Content-Type to text/plain
Replace the contents of the file with the following Apache directive: AddType application/x-httpd-php .cybersec
This will map an arbitrary extension (.cybersec in this case) to the executable MIME type application/x-httpd-php
Go ahead and send this, and see that we’re met with a 200 response - verifying the file has been uploaded successfully.
Now, use the back arrow in Repeater to change back to the original request for uploading your PHP exploit.
Now, change our filename to exploit.cybersec (or, whatever arbitrary extension you created).
We can see the file was now uploaded successfully!
Now navigate back to your account in the GUI and refresh the page. This will trigger the retrieval of our new exploit avatar file.
Navigate over to your HTTP History under the Burp Proxy tab, and you can see the GET request used to retrieve the image:
Inside, we can see we retrieved the secret string. Take this and submit it to solve the lab!
What We’ve Learned
File uploads are potentially dangerous features in web applications. If proper protections are not in place to filter out malicious types, attackers can potentially compromise your users or your entire application. Use a service you trust when building web apps to handle file uploads.
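As an added example (not the lab's code or PortSwigger's), here is a Python validator that contrasts the kind of extension denylist the lab's application relied on with an allowlist check that rejects dotfiles such as .htaccess, requires a known image extension, and verifies the file's leading bytes. The denylist set, the magic-byte table and the sample inputs are assumptions constructed for the example.

```python
import hashlib
import os
import re

# Extensions the avatar feature is meant to accept (allowlist).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes expected for each allowed type (table constructed for the example).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",  # covers both GIF87a and GIF89a
}

# Script extensions a denylist might enumerate (assumed set for the example).
DENIED_EXTENSIONS = {"php", "phtml", "php3", "phar"}


def denylist_check(filename: str) -> bool:
    """The weak approach: accept anything whose extension is not on a block list.
    It says nothing about .htaccess or a made-up extension, so both slip through."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


def allowlist_check(filename: str, data: bytes) -> tuple[bool, str]:
    """The hardened approach: only a strictly shaped name with an allowed image
    extension, and only if the content actually starts like that image type."""
    basename = os.path.basename(filename)
    if basename.startswith("."):
        return False, "dotfile"  # .htaccess, .user.ini and friends are never avatars
    m = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]+)", basename)
    if not m:
        return False, "bad-name"  # rejects double extensions and path tricks
    ext = m.group(1).lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension"
    if not data.startswith(MAGIC[ext]):
        return False, "content"  # PHP source renamed to .png still fails here
    return True, ext


def storage_name(data: bytes, ext: str) -> str:
    """Server-chosen name: the client never controls where the file lands."""
    return hashlib.sha256(data).hexdigest() + "." + ext
```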
Want to give the lab a try yourself? You can check it out on PortSwigger’s website here.
Securely Yours,
The Cybersec Cafe
Just a heads up, The Cybersec Cafe's got a pretty cool weekly cadence.
Every week, expect to dive into the hacker’s mindset in our Methodology Walkthroughs or explore Deep Dive articles on various cybersecurity topics.
Oh, and if you want even more content and updates, hop over to Ryan G. Cox on Twitter/X or my Website. Can't wait to keep sharing and learning together!