Create Lab1.md

2024-11-21 19:43:03 +00:00 · 2021-12-03 16:10:35 +05:00 · 2021-12-03 16:10:35 +05:00 · 3573719d81
commit 3573719d81
parent 8471c4a923
1 changed files with 29 additions and 0 deletions
--- a/Portswigger/File
+++ b/Portswigger/File
@ -0,0 +1,29 @@
+# Portswigger File Upload - Lab 1
+## Remote code execution via web shell upload
+In this lab we have to upload a php file which can read contents from a file callled `secret`. We are given the credentials through that we can login to an account which can update his email address and can change his avatar , so this where file upload vulnerability can occur 
+
+<img src="https://i.imgur.com/BzpTHOg.png"/>
+
+Here we have an option `Myaccount` ,so login with `wiener:peter`
+
+<img src="https://i.imgur.com/EGrBILk.png"/>
+
+<img src="https://i.imgur.com/EdIDoA0.png"/>
+
+We can upload the image file from here , so let's make a php file which will read the contents from `/home/carlos/secret` , I tried to upload a php web shell which could execute any commands but functions like `system` , `passthru` , `shell_exec` are blocked 
+
+```php
+<?php echo file_get_contents('/home/carlos/secret'); ?> 
+```
+
+So by using `file_get_contents` to read file we can retrieve the file that is required in order to complete the lab
+
+<img src="https://i.imgur.com/VqHovHH.png"/>
+
+Visit any post , and you'll get the option to comment on it , look into the source code , you'll see the url from your avatar is being fetched from
+
+<img src="https://i.imgur.com/IsohzgU.png"/>
+
+<img src="https://i.imgur.com/Ih70UCZ.png"/>
+
+Then just submit this string to complete the lab