Web shell upload via extension blacklist bypass

This lab contains a vulnerable image upload function. Certain file extensions are blacklisted, but this defense can be bypassed due to a fundamental flaw in the configuration of this blacklist.

After logging in and setting an image as my avatar, I revisited my account page. Using Burp, I opened Proxy > HTTP history and found that the avatar is fetched with a GET request to /files/avatars/<YOUR-IMAGE>. I sent this request to Burp Repeater for later use.

My first attempt, uploading a PHP script named exploit.php designed to fetch Carlos's secret, was rejected: the server does not allow files with a .php extension. Looking through Burp's proxy history, I located the POST /my-account/avatar request and discovered that the application was running on an Apache server, which informed my next steps. I sent this request to Burp Repeater, changed the filename parameter to .htaccess, set the Content-Type to text/plain, and replaced the file content with a single Apache directive: AddType application/x-httpd-php .ichyaboy. Because Apache honours per-directory .htaccess files, this directive maps the .ichyaboy extension to the MIME type application/x-httpd-php, which the server's mod_php module executes as PHP. The blacklist only names .php and similar extensions, so neither .htaccess nor .ichyaboy is caught by it.

After sending the modified request, the .htaccess file was uploaded successfully. Returning to the original PHP exploit request, I changed the filename parameter from exploit.php to exploit.ichyaboy, and the file was accepted without issue. In the Repeater tab holding the GET /files/avatars/<YOUR-IMAGE> request, I replaced the image filename with exploit.ichyaboy. The server executed the .ichyaboy file as if it were a .php file, and Carlos's secret appeared in the response.
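As an added example (not the lab's code or part of the original write-up), here is the kind of extension deny-list the lab defeats, placed beside the allowlist check a defender would use instead; the extension sets, function names and sample bytes are assumptions chosen for illustration:

```python
"""Why an extension blacklist fails against the .htaccess trick, and what to check instead."""
import os
import re

# Shape of the deny-list the lab's upload handler relies on (assumed; the lab does not show it).
BLACKLISTED_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".phar"}

# Defender's allowlist: only the image extensions the avatar feature actually needs.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Magic bytes each allowed extension must start with, so content and extension agree.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# Stem may not contain dots, so double extensions like exploit.php.png are rejected.
SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# Constructed sample bytes (not real images), used to exercise the checks.
SAMPLE_PNG = MAGIC[".png"] + b"\x00" * 16
SAMPLE_HTACCESS = b"AddType application/x-httpd-php .ichyaboy\n"


def blacklist_allows(filename: str) -> bool:
    """The weak check: reject only listed extensions, let everything else through.
    '.htaccess' has no extension at all, and '.ichyaboy' is not on the list."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLACKLISTED_EXTENSIONS


def allowlist_allows(filename: str, content: bytes) -> bool:
    """The hardened check: bare filename only, no leading dot, extension on the
    allowlist, dot-free stem, and magic bytes matching the claimed extension."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:            # path separators were present
        return False
    if base.startswith("."):        # .htaccess, .user.ini and similar are never images
        return False
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS or not SAFE_STEM.match(stem):
        return False
    return content.startswith(MAGIC[ext])
```

The server-side fix the page implies is the same in spirit: decide what is permitted rather than what is forbidden, and keep upload directories out of the web server's per-directory override and script-execution scope.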

To conclude, I submitted the secret, completing the lab successfully.
