[Solution] Web shell upload via extension blacklist bypass

To solve the lab we have to upload a PHP file that reads /home/carlos/secret.

Approach to solve

Description: In this lab we have to upload a PHP file, but the .php extension is blacklisted. So we have to upload a .htaccess file that changes the server configuration so our PHP gets executed.

The PHP file we’ll be using is aa.php; it contains:

Trying to upload a php file

When we try to upload a file with the .php extension, we get an error saying that PHP files are not allowed.

Intercepting the request

Now intercept the request in Burp Suite and send it to Repeater, as we have to modify the same request again and again.

Making .htaccess file to execute php

The file aa.php is not allowed. The basic logic of the bypass is to upload a .htaccess file (used to change the web server's configuration for a directory) that maps some arbitrary extension, say .xyz, to the PHP handler. Once that is in place, a file uploaded with the .xyz extension is treated as PHP.

To upload the .htaccess file, change the filename in the request from aa.php to .htaccess and change the Content-Type to text/plain, as it is the most commonly used MIME type for such a file.

Then change the file content to AddType application/x-httpd-php .xyz. With this directive the server will treat the .xyz extension as PHP.

Send the request and you’ll get a 200 OK response confirming that the file .htaccess has been uploaded.

As we have now configured the server to treat .xyz as PHP, change the filename to aa.xyz and the file contents to

<?php echo file_get_contents('/home/carlos/secret'); ?>

This will display the contents of the secret file.

Now send the request; you will get a 200 OK response confirming that aa.xyz has been uploaded.
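Why the bypass works, from the defender's side: the lab's server only blacklists known extensions, so .htaccess (no "real" extension) and aa.xyz both slip through. The following added Python example, not part of the lab or this write-up, contrasts that weak check with an allowlist check an image-upload endpoint should use; the extension sets and filenames are constructed for illustration.

```python
import os

# Constructed to mirror the lab: only the .php extension is refused.
BLACKLISTED_EXTENSIONS = {".php"}

# Hypothetical allowlist for an endpoint that only expects images.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}


def blacklist_allows(filename: str) -> bool:
    """Mimic the lab's weak check: refuse only listed extensions.

    Anything not on the list passes, including '.htaccess' (splitext
    gives it an empty extension) and arbitrary names such as 'aa.xyz'.
    """
    _, ext = os.path.splitext(filename)
    return ext.lower() not in BLACKLISTED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: accept only known image extensions and reject
    dotfiles, so a server configuration file such as .htaccess can never
    be written into the upload directory.
    """
    base = os.path.basename(filename)
    if base != filename or base.startswith("."):
        return False  # path component present, or a dotfile
    _, ext = os.path.splitext(base)
    return ext.lower() in ALLOWED_EXTENSIONS


def compare_checks(filenames):
    """Return {filename: (blacklist_result, allowlist_result)} so the
    difference between the two policies is visible for each upload."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    # The three filenames the lab walkthrough uses, plus a legitimate image.
    for name, (weak, strong) in compare_checks(
        ["aa.php", ".htaccess", "aa.xyz", "avatar.png"]
    ).items():
        print(f"{name:12} blacklist={weak!s:5} allowlist={strong}")
```

An extension allowlist is only one layer; the upload directory should also be served without a script handler so that even a mis-classified file is never executed.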

Opening the image file to execute code

Go back and open the image. You can find the address the image is being served from using inspect element.

The easy way is to just open it in a new tab!

Grab the flag and submit it.