To solve the lab we have to upload a PHP file to view
Approach to solve
Description: In this lab we have to upload a PHP file, but the .php extension is blacklisted. So we have to make changes to the .htaccess file in order to upload our PHP.
The PHP file we’ll be using is aa.php; it contains
Trying to upload a php file
When we try to upload a file with the .php extension we get an error saying that PHP files are not allowed.
Intercepting the request
Now intercept the request in Burp Suite and send it to Repeater, as we have to make changes to the same request again and again.
Making .htaccess file to execute php
As the file aa.php is not allowed, the basic logic we will use to bypass the check is to make changes in .htaccess (the file used to change the configuration of the website): give our file some random extension, let’s say .xyz, and once it is uploaded the server will treat it as .php.
To edit the .htaccess file, change the file name from aa.php to .htaccess and change the Content-Type to text/plain, as it is the most commonly used MIME content type.
Then change the content to AddType application/x-httpd-php .xyz. With this, the server will now treat the .xyz extension as .php.
Send the request and you’ll get a 200 OK response saying that the file .htaccess has been uploaded.
As we have now configured the server to treat .xyz as PHP, change the filename to aa.xyz and the file contents to
<?php echo file_get_contents('/home/carlos/secret'); ?>
This will display the contents of the file secret.
Now send the request and you will get a 200 OK response that aa.xyz has been uploaded.
Opening the image file to execute code
Go back and open the image. This can be done by finding the address the image is being served from through Inspect Element.
The easy way is to just open it in a new tab!
Get the flag and submit it.
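As an added example (not part of the original write-up or of the lab's own code), the following Python models why the lab's check fails and what a hardened upload check looks like: the blacklist accepts .htaccess and aa.xyz because neither carries a listed extension, while an allowlist that rejects dotfiles, requires a single allowed image extension and verifies the file's leading bytes rejects both. The filenames, Content-Types and byte strings are constructed sample data, and the extension lists and magic numbers are assumptions, not the lab's actual configuration.

```python
import posixpath

# Constructed sample uploads: (filename, declared Content-Type, leading bytes).
# The middle three mirror the requests in the walkthrough above.
SAMPLE_UPLOADS = [
    ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("aa.php", "application/x-php", b"<?php echo 1; ?>"),
    (".htaccess", "text/plain", b"AddType application/x-httpd-php .xyz\n"),
    ("aa.xyz", "text/plain", b"<?php echo 1; ?>"),
    ("aa.php.", "text/plain", b"<?php echo 1; ?>"),
]

# Assumed blacklist of the kind the lab uses.
BLACKLISTED_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar"}


def blacklist_check(filename):
    """Weak check: accept anything whose extension is not on the list.

    splitext() treats a leading dot as part of the name, so ".htaccess" has
    no extension at all and passes, as does any unlisted extension (.xyz)
    or a trailing dot (aa.php.).
    """
    ext = posixpath.splitext(filename)[1].lower()
    return ext not in BLACKLISTED_EXTENSIONS


# Assumed allowlist: extension -> magic bytes the file must start with.
ALLOWED_EXTENSIONS = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
ALLOWED_CONTENT_TYPES = {"image/png", "image/jpeg", "image/gif"}


def allowlist_check(filename, content_type, head):
    """Hardened check: a plain basename that is not a dotfile, exactly one
    extension from the allowlist, an allowed declared Content-Type, and
    leading bytes that match the magic number for that extension."""
    # No path components, no empty or special names.
    if filename != posixpath.basename(filename) or filename in ("", ".", ".."):
        return False
    # Dotfiles (.htaccess, .user.ini) are never valid uploads.
    if filename.startswith("."):
        return False
    stem, ext = posixpath.splitext(filename)
    ext = ext.lower()
    # Reject double extensions (shell.php.png) and trailing dots by
    # insisting the stem itself contains no dot.
    if not stem or "." in stem or ext not in ALLOWED_EXTENSIONS:
        return False
    # The declared type is client-controlled, so it is only a sanity check;
    # the magic-byte comparison below is what actually binds content to type.
    if content_type not in ALLOWED_CONTENT_TYPES:
        return False
    return head.startswith(ALLOWED_EXTENSIONS[ext])


def evaluate(uploads):
    """Return {filename: (accepted_by_blacklist, accepted_by_allowlist)}."""
    return {
        name: (blacklist_check(name), allowlist_check(name, ctype, head))
        for name, ctype, head in uploads
    }


if __name__ == "__main__":
    for name, (weak, strong) in evaluate(SAMPLE_UPLOADS).items():
        print(f"{name:12} blacklist={weak!s:5} allowlist={strong}")
```

Filename validation is only half of the fix. The reason an uploaded .htaccess matters at all is that Apache honours per-directory overrides in the upload folder; setting AllowOverride None for that directory, and storing uploads outside the web root or serving them without a script handler, leaves the uploaded file inert even when validation is bypassed.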
2 thoughts on “[Solution]Web shell upload via extension blacklist bypass”
I’ve done all the steps and successfully uploaded the shell file, but it does not show the secret keys because it downloads my shell and does not run it.
What can I do?
You have to then view that image in a new tab to view the secret key.