From e21a1358a5550df5fe9a11975f51ec09cee78740 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Fri, 3 Dec 2021 16:57:38 +0500
Subject: [PATCH] Add files via upload
---
Portswigger/File Upload/Lab2.md | 36 +++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
create mode 100644 Portswigger/File Upload/Lab2.md
diff --git a/Portswigger/File Upload/Lab2.md b/Portswigger/File Upload/Lab2.md
new file mode 100644
index 0000000..2cf98b0
--- /dev/null
+++ b/Portswigger/File Upload/Lab2.md
@@ -0,0 +1,36 @@
+# Portswigger File Upload - Lab 2
+## Web shell upload via Content-Type restriction bypass
+
+
+
+We have user name and password through which we can login
+
+
+
+
+
+This user has option to update his email and to upload avatar , so let's try to upload a php file which will read the contents of `/home/carlos/secret`
+
+So our php file will look like this
+
+```php
+
+```
+
+
+
+But on uploading this , it will show an error that only jpeg and png file are allowed
+
+
+
+Using `burp suite` we can capture the request while uploading the file and sent it to `repeater` to make changes in `Contet-Type` header by setting it to `image/jpeg`
+
+
+
+Now by going to any post and looking at the source to see from where our avatar is being loaded we can follow that to execute the php file we uploaded
+
+
+
+And this will execute the php code to read contents from `secret` file , submit this and you'll complete this lab
+
+
\ No newline at end of file
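Review bot: The `php` fence that follows "So our php file will look like this" is empty, so the write-up never shows the file it then uploads; fill the block in or drop the sentence and the fence. In the Burp step the header name is misspelt as `Contet-Type` and should read `Content-Type`. The runs of blank `+` lines between paragraphs look like spots where screenshots were intended; if so, the image references are missing from the file. It would also help to add one sentence on why setting the header to `image/jpeg` gets past the "only jpeg and png" error, namely that the check relies on the client-supplied `Content-Type` rather than on the file's actual content or extension, since that is the point the lab title names. Finally, the file has no trailing newline, and the subject line "Add files via upload" says nothing about what was added; something like "Add PortSwigger File Upload Lab 2 write-up" would be easier to find in the log.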