To solve the lab, we have to upload a PHP file to view /home/carlos/secret.
Approach to solve
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-01-00-1.png)
Description: In this lab we have to upload a PHP file, but the .php extension is blacklisted. So we have to make changes in the .htaccess file to upload our PHP.
The PHP file we’ll be using is aa.php. It contains:
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-04-10-1.png)
Trying to upload a php file
When we try to upload a file with the .php extension, we get an error saying that PHP files are not allowed.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://161.35.74.22/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-03-52-1024x180.png)
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://161.35.74.22/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-04-29-1024x169.png)
Intercepting the request
Now intercept the request in Burp Suite and send it to Repeater, as we have to make changes to the same request again and again.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-06-06-1.png)
Making .htaccess file to execute php
The file aa.php is not allowed. The basic logic we will use to bypass this is to make changes in .htaccess (used to change the configuration of the website) and give our file some random extension, let's say .xyz, so that when it gets uploaded it is treated as .php.
To edit the .htaccess file, change the filename from aa.php to .htaccess and change the content type to text/plain, as it is the most commonly used MIME content type.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-08-48-1.png)
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-10-52-1.png)
Then change the content to AddType application/x-httpd-php .xyz. With this, the server will now treat the .xyz extension as .php.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-11-17-1.png)
Send the request and you’ll get a 200 OK response saying that the file .htaccess has been uploaded.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-11-32-1.png)
As we have now configured the server to treat .xyz as PHP, change the filename to aa.xyz and the file contents to
<?php echo file_get_contents('/home/carlos/secret'); ?>
This will display the contents of the file secret.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-06-34-1.png)
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-13-16-1.png)
Now send the request and you will get a 200 OK response saying that aa.xyz is uploaded.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/image-9.png)
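Why the blacklist let both uploads through, and what a stricter check and a detection sweep look like, as an added example (not part of the original write-up or the lab's code). The blacklist contents, the image allowlist and the function names are assumptions made for illustration; the filenames are the ones used above.

```python
import os
import re

# Assumed blacklist, modelled on the lab's behaviour: only PHP extensions are refused.
BLACKLIST = {".php", ".php3", ".php4", ".php5", ".phtml"}
# Assumed allowlist for an image (avatar) upload feature.
ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif"}
# Apache directives that can change which handler or MIME type a file gets.
HANDLER_DIRECTIVE = re.compile(
    r"^\s*(AddType|AddHandler|SetHandler|ForceType)\b", re.IGNORECASE | re.MULTILINE
)


def blacklist_check(filename: str) -> bool:
    """Weak check: accept anything whose extension is not blacklisted."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLIST


def allowlist_check(filename: str) -> bool:
    """Stricter check: no path parts, no dotfiles, extension must be allowlisted."""
    name = os.path.basename(filename.replace("\\", "/"))
    if name != filename or name.startswith("."):
        return False
    stem, ext = os.path.splitext(name)
    return bool(stem) and ext.lower() in ALLOWLIST


def find_handler_overrides(upload_dir: str) -> list:
    """Detection: list .htaccess files under upload_dir that remap handlers or types."""
    hits = []
    for root, _dirs, files in os.walk(upload_dir):
        for f in files:
            if f.lower() == ".htaccess":
                path = os.path.join(root, f)
                with open(path, "r", errors="replace") as fh:
                    if HANDLER_DIRECTIVE.search(fh.read()):
                        hits.append(path)
    return hits


# Constructed sample: the three filenames from this walkthrough plus a normal image name.
SAMPLES = ["aa.php", ".htaccess", "aa.xyz", "avatar.png"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:12} blacklist={blacklist_check(s)!s:5} allowlist={allowlist_check(s)}")
```

On the Apache side, setting `AllowOverride None` for the upload directory means an uploaded .htaccess is never honoured, whatever the application's filename check lets through.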
Opening the image file to execute code
Go back and open the image. This can be done by finding the address the image is being served from through Inspect Element.
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-14-07-1.png)
The easy way is to just open it in a new tab!
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://161.35.74.22/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-13-49-1024x576.png)
![apt | [Solution]Web shell upload via extension blacklist bypass apt | [Solution]Web shell upload via extension blacklist bypass](http://app.apttutorials.com/wp-content/uploads/2022/01/Screenshot-from-2022-01-15-08-14-57-1-1.png)
We get the flag and submit it.