Lab: Remote Code Execution with a Web Shell
This lab shows the flawed file upload handling present on some sites, which do not check whether the file being uploaded is the expected file type rather than a malicious script.
I started the lab by loading the website and logging in using the provided credentials 'wiener:peter' and went to the 'My Account' page to find the image upload option:
This will respond with the output of the command wrapped in a `<pre>` tag in HTML so I can see the output on the website, using a request query parameter called `cmd` which I can set using Burp Suite.
I upload the script and it goes through without issues, and then I intercept requests as the website loads the accounts page again as it tries to load the PHP script for the avatar:
I send this request to Repeater to play around and try a simple `ls -al` to see if the script worked:
I then navigate to the root directory to get the path for it from the current working directory:
Arriving at the root directory, I can now just append the path for my target at the end of the command path and replace `ls -al` with `cat`:
And with that I had the contents of the secret file of my target carlos.
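The check this site was missing, sketched from the server's side as an added example (not code from the lab or its site): an avatar upload validator that allowlists image extensions, confirms the leading magic bytes match, and discards the client-supplied filename. The function names, the size cap and the sample byte strings are assumptions constructed for illustration.

```python
import os
import secrets

# Allowlist: extension -> magic bytes the file content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 1024 * 1024  # assumed 1 MiB cap for an avatar


class UploadRejected(ValueError):
    """Raised when an upload fails any validation step."""


def validate_avatar(client_filename: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected."""
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Keep only the last path component; client-supplied directories are ignored.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in base:
        raise UploadRejected("NUL byte in filename")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} is not an allowed image type")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match the declared image type")
    # The stored name is random, so nothing from the client reaches the filesystem.
    return secrets.token_hex(16) + ext


def is_accepted(client_filename: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_avatar(client_filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample inputs (not captured from the lab).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SCRIPT_SAMPLE = b"<?php /* constructed placeholder, no payload */ ?>"

if __name__ == "__main__":
    for name, body in [("me.png", PNG_SAMPLE), ("avatar.php", SCRIPT_SAMPLE),
                       ("avatar.png", SCRIPT_SAMPLE), ("../../a.jpg", JPEG_SAMPLE)]:
        print(name, "->", "accepted" if is_accepted(name, body) else "rejected")
```

Magic-byte checks do not stop image/script polyglots, so uploaded files should also be stored in a location where the server never executes scripts.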