Labs Covered
This write-up focuses on the following APPRENTICE-level labs from the PortSwigger Web Security Academy:
1 Remote code execution via web shell upload
This lab demonstrates how an attacker can upload a malicious web shell by bypassing insufficient file upload validation, resulting in remote code execution on the server.
2 Web shell upload via Content-Type restriction bypass
This lab shows how attackers can bypass file upload restrictions by manipulating the Content-Type header, allowing them to upload web shells and achieve remote code execution.
LAB 1 - Remote code execution via web shell upload
Lab Description :
Solution :
Click on any of the blog posts. We can see that we have an option to upload files.
Similarly login as wiener & we can see that there is an upload functionality here also.
After the image has been uploaded, open Burp Suite and go to the Proxy > HTTP History tab. This area logs all HTTP requests and responses that pass through the proxy. Look through the list and identify the POST request associated with your file upload.
Once located, analyze the structure of this POST request. Pay particular attention to the Content-Type header, which should reflect the file’s MIME type (e.g., image/png). Also, examine the request or server response for any indication of the upload directory—this is the location where the server stores uploaded files. Knowing this directory is important, as it can be useful in further stages of testing or exploitation.
Now sending request to repeater of the image above we uploaded
Now removing all the content of png and and changing file extension to .php we have then successfully upload file of php with the contents ` <?php echo file_get_contents(‘/home/carlos/file.php’); ?>`
The response indicates that the file upload of myexploit.php was successful.
Now getting the file we have uploaded give us secret.
Submit the value to solve the lab.
LAB 2 - Web shell upload via Content-Type restriction bypass
Lab Description :
Solution :
To begin with the lab, we need to first access it and log in using the provided credentials. Once logged in, enable Burp Suite’s proxy to capture and analyze the traffic between the browser and the server.
After enabling the proxy, upload any simple image file (e.g., sample.png) using the image upload function on the lab interface. Once the upload is complete, navigate to the Proxy > HTTP History tab in Burp Suite to review the captured requests.
In the HTTP history, you’ll notice two important requests:
- A POST request, which contains the actual upload of the
sample.pngfile to the server. - A GET request, which reveals the location or path of the uploaded image on the server.
These two requests are crucial for understanding how the application handles file uploads and will assist in identifying the web shell location in the case of a successful upload exploit.
We will send both of these requests to the repeater tab. We will name the post-based request “UploadImage” and the get-based request “ShowImage”
Firstly, I will modify the name filename = 'sample.png' to filename = 'myexploit.php'.
After that, I will remove all the raw data or image content present under the Content-Type section of the request body. This binary data represents the actual contents of the uploaded image and is not needed for our payload.
Once the raw data is removed, I will insert my PHP payload as shown below:
<?php echo file_get_contents('/home/carlos/secret'); ?>
This payload is crafted to read and display the contents of the /home/carlos/secret file, which is the main objective of the lab. Successfully uploading and executing this PHP file will confirm that the vulnerability has been exploited.
After submitting the request, I will simply switch to my second tab which is
ShowImage.
Send request and we will get secret
Submit the key to solve the lab.