On this page
Web Shell Upload via Path Traversal
Lab
Web shell upload via path traversal · Apprentice
Solution
Given
This lab contains a vulnerable image upload function. The server is configured
to prevent execution of user-supplied files, but this restriction can be
bypassed by exploiting a secondary vulnerability.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the
contents of the file /home/carlos/secret. Submit this secret using the button
provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
Analysis and recon
Same idea as the previous lab. This time we need path traversal techniques to push the file into a directory where our shell will actually execute.
Upload a file via the site. Uploaded — open it, and it just shows up as plain text.
Okay, let's try uploading one level up:
Content-Disposition: form-data; name="avatar"; filename="../shell.php"
Server says it went to the previous location anyway. Right, let's try encoding:
Content-Disposition: form-data; name="avatar"; filename="%2e%2e%2fshell.php"
The file avatars/../shell.php has been uploaded
Worked!
FU2yHUj75eKOuqf4Zp5L9CLf6N96aTDH
Lab solved!
More in this category
Web Shell Upload via Extension Blacklist Bypass (PortSwigger Lab)
.php is blacklisted, but .htaccess uploads without complaint — we slip our own Apache config in and make the server execute shell.bug as PHP.
Web Shell Upload via Obfuscated File Extension (PortSwigger Lab)
Extension blacklist rejects .php and a double-extension shell.php.jpg is served as an image — a null byte in shell.php%00.jpg bypasses both checks.
Remote Code Execution via Web Shell Upload (PortSwigger Lab)
Avatar upload has no validation — drop a PHP web shell and read /home/carlos/secret.