HTACCESS
Log in and upload an image as your avatar, then go back to your account page.
In Burp, go to Proxy > HTTP history and notice that your image was fetched using a
GETrequest to/files/avatars/<YOUR-IMAGE>. Send this request to Burp Repeater.On your system, create a file called
exploit.phpcontaining a script for fetching the contents of Carlos's secret. For example:<?php echo file_get_contents('/home/carlos/secret'); ?>Attempt to upload this script as your avatar. The response indicates that you are not allowed to upload files with a
.phpextension.
In Burp's proxy history, find the
POST /my-account/avatarrequest that was used to submit the file upload. In the response, notice that the headers reveal that you're talking to an Apache server. Send this request to Burp Repeater.In Burp Repeater, go to the tab for the
POST /my-account/avatarrequest and find the part of the body that relates to your PHP file. Make the following changes:Change the value of the
filenameparameter to.htaccess.Change the value of the
Content-Typeheader totext/plain.Replace the contents of the file (your PHP payload) with the following Apache directive:
AddType application/x-httpd-php .shell
This maps an arbitrary extension (
.shell) to the executable MIME typeapplication/x-httpd-php. As the server uses themod_phpmodule, it knows how to handle this already.
Send the request and observe that the file was successfully uploaded.
Use the back arrow in Burp Repeater to return to the original request for uploading your PHP exploit.
Change the value of the
filenameparameter fromshell.phptoshell.shell. Send the request again and notice that the file was uploaded successfully.
Switch to the other Repeater tab containing the
GET /files/avatars/<YOUR-IMAGE>request. In the path, replace the name of your image file withshell.shelland send the request. Observe that Carlos's secret was returned in the response. Thanks to our malicious.htaccessfile, the.shellfile was executed as if it were a.phpfile.Submit the secret to solve the lab.
Last updated