Lab: Web Shell upload via Content-Type Restriction Bypass
This lab demonstrates what goes wrong when a website does not properly check the file type of an upload and instead implicitly trusts the MIME type in the Content-Type header.
I started the lab by loading up the website and logging in with the provided credentials 'wiener:peter', and found a setup similar to the previous lab I did for File Upload Vulnerabilities:
I tried uploading the basic PHP web shell script which I made previously:
I found that there was a restriction on the content type:
So I try again while intercepting the request and change the 'Content-Type' header from 'application/x-php' to 'image/png':
And that lets the upload of my web shell go through easily:
Then I reload the account page and capture the request for the avatar sent from the page to the server:
I sent the request to Repeater to play around with it and navigated to the root directory:
From there I changed my command to `cat` and navigated to the target file in `/home/carlos/`:
And that led me to the requested secret which I submitted to complete the challenge.
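The root cause above is a server that decides on the client-supplied Content-Type alone. The following is an added example, not code from the lab or from this post: it sets that flawed check beside a hardened one that relies on an extension allowlist and the file's leading bytes. The function names, the sample uploads and the set of types the weak check accepts are assumptions made for illustration.

```python
import os
import secrets

# Allowlist: extension -> (MIME type, required leading magic bytes)
ALLOWED = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
}

def weak_check(filename, declared_type, data):
    """Flawed pattern: trusts the client-supplied Content-Type alone.
    The accepted types here are assumed, not taken from the lab."""
    return declared_type in ("image/jpeg", "image/png")

def hardened_check(filename, declared_type, data):
    """Return a server-generated storage name, or None if rejected.

    The declared Content-Type is only cross-checked; the decision rests on
    the extension allowlist and the file's leading bytes.
    """
    ext = os.path.splitext(filename)[1].lower()
    rule = ALLOWED.get(ext)
    if rule is None:
        return None                      # .php, .phtml, no extension, ...
    mime, magic = rule
    if not data.startswith(magic):
        return None                      # content does not match the extension
    if declared_type != mime:
        return None                      # header disagrees with detected type
    # Never reuse the client's filename: avoids path tricks in stored names.
    return secrets.token_hex(16) + ext

# Constructed sample uploads (not captured from the lab).
PHP_BODY = b"<?php /* constructed placeholder */ ?>"
PNG_BODY = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

SAMPLES = [
    ("shell.php", "application/x-php", PHP_BODY),
    ("shell.php", "image/png", PHP_BODY),   # header rewritten in transit
    ("avatar.png", "image/png", PNG_BODY),
]

if __name__ == "__main__":
    for name, ctype, body in SAMPLES:
        print(name, ctype, weak_check(name, ctype, body),
              hardened_check(name, ctype, body))
```

Magic bytes can be prepended to arbitrary content, so the extension allowlist and the server-generated name carry as much weight as the content check. Uploads should also be stored somewhere the web server will not execute them.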