- Log in and upload an image as your avatar, then go back to your account page.
-
In Burp, go to Proxy > HTTP history and notice that your image was fetched using a
GETrequest to/files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater. -
On your system, create a file called
exploit.php, containing a script for fetching the contents of Carlos's secret. For example:<?php echo file_get_contents('/home/carlos/secret'); ?> -
Attempt to upload this script as your avatar. The response indicates that you are only allowed to upload files with the MIME type
image/jpegorimage/png. -
In Burp, go back to the proxy history and find the
POST /my-account/avatarrequest that was used to submit the file upload. Send this to Burp Repeater. -
In Burp Repeater, go to the tab containing the
POST /my-account/avatarrequest. In the part of the message body related to your file, change the specifiedContent-Typetoimage/jpeg. - Send the request. Observe that the response indicates that your file was successfully uploaded.
-
Switch to the other Repeater tab containing the
GET /files/avatars/<YOUR-IMAGE>request. In the path, replace the name of your image file withexploit.phpand send the request. Observe that Carlos's secret was returned in the response. - Submit the secret to solve the lab.
Lab: Web shell upload via Content-Type restriction bypass
This lab contains a vulnerable image upload function. It attempts to prevent users from uploading unexpected file types, but relies on checking user-controllable input to verify this.
To solve the lab, upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner.
You can log in to your own account using the following credentials: wiener:peter
