Remote code execution via web shell upload
This is a writeup for a challenge from PortSwigger's Web Security Academy. In this one, we will learn how a Remote Code Execution vulnerability can be identified and exploited and what an attacker can gain from it.
This lab contains a vulnerable image upload function. It doesn't perform any validation on the files users upload before storing them on the server's filesystem.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file
/home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
> Solving the challenge
We reach the website; let's log in with wiener:peter as credentials:
Here we can find a file upload feature:
The server appears to accept any type of file, not just images. As the objective suggests, let's try to upload some PHP code. I would like to spawn a web shell there, and my PHP web shell of choice is p0wny.
We can upload it via the avatar upload form:
Now we can navigate to /files/avatars/p0wny.php to spawn a shell:
Apparently, they don't want you to run any type of shell, so I couldn't make it work properly (which is weird, as the title clearly says "Remote code execution via web shell upload"). Same with a more classic reverse shell.
What a shame. Anyway, our goal is to read the flag.
Since we know exactly which file we need to read, we can create a minimal PHP file, lame.php, containing:
<?php echo file_get_contents('/home/carlos/secret'); ?>
and call it the same way we called the shell.
Submit the secret to solve the lab:
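The lab's upload function stores whatever it receives, under the client-supplied name, in a directory the web server both serves and executes. As an added example (not the lab's code and not part of the original writeup), here is what a PHP avatar handler that closes those three defects looks like; the storage directory $storeDir is assumed to sit outside the document root and to be served only through serveAvatar().

```php
<?php
declare(strict_types=1);
// Added example, not the lab's code. Assumption: $storeDir is outside the
// web root, so nothing in it can be requested or executed directly.

const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

function storeAvatar(array $file, string $storeDir): string
{
    // Reject transfer-level errors and oversized files before touching content.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected');
    }
    // Decide the type from the bytes, never from the client's filename or
    // Content-Type header: both are attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED) || @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an image');
    }
    // Server-chosen name and extension: a client name such as "p0wny.php"
    // or "shell.php.png" never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('store failed');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Avatars are streamed back with a fixed image Content-Type, so even a
// crafted file is delivered to the browser as data and never run by PHP.
function serveAvatar(string $storeDir, string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|gif)$/', $name)) {
        http_response_code(404); // also blocks traversal: only our own names match
        return;
    }
    $path = rtrim($storeDir, '/') . '/' . $name;
    if (!is_file($path)) { http_response_code(404); return; }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

With this handler, the p0wny.php and lame.php uploads from the walkthrough are rejected at the content check, and even a polyglot that passes it is stored under a random image name and served as bytes rather than executed.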