FILE UPLOAD ATTACKS - Type Filters

Glad you got it man!
Did you get that “oh duh, now I remember and that makes sense” feeling like I get after struggling and making things harder on myself when actually they are a lot easier than I’m making them?
Either way, the important thing is not giving up and to keep moving forward.
Also, don’t try to rush through it; several times I made that mistake and had to go back through them.

I solved the exercise by changing the “Content-Type:” and adding the same MIME header “GIF8” as indicated by the HTB Academy module. After that I used the wordlist generated by the bash script from the previous section, “Whitelist Filters”, where I added ‘.phar’ and ‘.phtml’ in the script:

With Burp (Intruder) you will find several correct options.

2 Likes

Hi Ezio thanks for the tip!
I was also getting the error message that there was something wrong with my image:
the image “SNIP/shell.jpg.PhP” cannot be displayed because it contains errors.

Is there someone who can explain to me why this error comes up? I still don’t quite understand the logic behind it and I would like to know why.

Did you try MIME?

Got the shell uploaded but can’t get to the directory by cd … to get the flag. Any idea?

*Solved
The phpbash is not working for this one. I now used the shell from the section. That worked :slight_smile:

1 Like

http://xxx.xx.xxx.xxx:xxxxx/profile_images/shell.png.phar?cmd=id
You should add the extension .png.phar when fuzzing, because .phar can execute on the server back-end.

I’m stuck too

1 Like

find / -type f -name flag.txt -exec cat {} \; 2>/dev/null
to read the flag.txt

2 Likes

If someone has a problem solving the lab, feel free to visit my GitHub repository (GitHub - GaboLC98/File-upload-vulnerability-abuse) where I’m writing a tool that helps to abuse the file upload vulnerability.
After using it, be sure to understand what your mistake was. The payloads are shown to the user.

1 Like

You specified a GIF but named it a png file.

You uploaded the shell to the server, which means you were able to bypass both the blacklist and whitelist filters. Now, if you refer to the Whitelist Filters section on the Academy, there was an example which explained how the server determines which files to allow PHP code execution. In that example, any file that contained a .php, .phar or .phtm extension was allowed PHP code execution.

However, maybe the scenario of this exercise is a bit different; maybe here the position matters and the server is not allowing PHP code execution for files that JUST contain the above-mentioned extensions.
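The two points raised in this thread (the “GIF8” Content-Type trick and the “image contains errors” message from the earlier post, and the question of whether the extension has to be in a particular position for the server to hand the file to PHP) can be shown side by side from the defender’s side. The Python below is an added example, not code from the thread, the lab or the HTB Academy module: the two regexes are illustrative stand-ins for how a web server can map names to the PHP handler (matching anywhere in the name versus only the final extension), the sample bytes are constructed, and `hardened_accept` is a hypothetical upload rule, not the lab’s own code.

```python
import re
import struct

# Constructed sample uploads (not taken from the lab or the module):
# a minimal GIF89a header block for a 1x1 image, and a file that only
# starts with the "GIF8" bytes the thread mentions and then carries script text.
TINY_GIF = b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00\x00\x00" + b";"
FAKE_GIF = b"GIF8<?php echo 'not an image'; ?>"

GIF_MAGIC = (b"GIF87a", b"GIF89a")


def has_gif_magic(data: bytes) -> bool:
    """The weak check: only the first bytes, which the uploader controls."""
    return data[:4] == b"GIF8"


def looks_like_complete_gif(data: bytes) -> bool:
    """Structural sanity check (not a full decoder): full signature, a logical
    screen descriptor with non-zero size, and the 0x3B trailer byte. FAKE_GIF
    passes has_gif_magic() but fails here; a browser likewise refuses to render
    it and reports that the image 'contains errors'."""
    if data[:6] not in GIF_MAGIC or len(data) < 13:
        return False
    width, height = struct.unpack("<HH", data[6:10])
    return width > 0 and height > 0 and data[-1] == 0x3B


# Illustrative stand-ins for two ways a server can map names to the PHP
# handler: a pattern that matches anywhere in the name (any file that merely
# *contains* .php/.phar/.phtml executes) and one anchored to the final
# extension. Both are kept case-sensitive here for simplicity.
CONTAINS_PATTERN = re.compile(r"\.ph(p|ar|tml)")
ANCHORED_PATTERN = re.compile(r"\.ph(p|ar|tml)$")


def php_executes(filename: str, pattern: re.Pattern) -> bool:
    return pattern.search(filename) is not None


# Hardened server-side acceptance rule (hypothetical helper, not the lab's code).
ALLOWED_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8", "jpg": b"\xff\xd8\xff"}
EXPECTED_CONTENT_TYPE = {"png": "image/png", "gif": "image/gif", "jpg": "image/jpeg"}


def hardened_accept(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason). Rejects extra dots, enforces an extension
    allowlist, and requires magic bytes and Content-Type that agree with the
    extension. The stored name should additionally be regenerated server-side."""
    parts = filename.lower().split(".")
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False, "name must be <basename>.<ext> with no extra dots"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext!r} not in allowlist"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if content_type.lower() != EXPECTED_CONTENT_TYPE[ext]:
        return False, "Content-Type disagrees with extension"
    if ext == "gif" and not looks_like_complete_gif(data):
        return False, "GIF signature present but file is not a complete GIF"
    return True, "accepted"


def demo() -> dict:
    names = ["shell.phar", "shell.png.phar", "shell.phar.png", "avatar.png"]
    return {
        "magic_only_fooled": has_gif_magic(FAKE_GIF),
        "structural_check": looks_like_complete_gif(FAKE_GIF),
        "tiny_gif_ok": looks_like_complete_gif(TINY_GIF),
        "executes_if_contains": [n for n in names if php_executes(n, CONTAINS_PATTERN)],
        "executes_if_anchored": [n for n in names if php_executes(n, ANCHORED_PATTERN)],
        "double_ext": hardened_accept("shell.png.phar", "image/png", FAKE_GIF),
        "fake_gif": hardened_accept("shell.gif", "image/gif", FAKE_GIF),
        "wrong_type": hardened_accept("avatar.gif", "image/png", TINY_GIF),
        "real_gif": hardened_accept("avatar.gif", "image/gif", TINY_GIF),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` makes the thread’s observations concrete: the “GIF8” prefix satisfies a magic-byte check but not a structural one, which is exactly why the browser reports the image as containing errors; a “contains” pattern executes `shell.phar.png` as well as `shell.png.phar`, while an anchored pattern only executes names whose last extension is PHP-handled, which is the position dependence the last post suspects. The hardened rule closes both gaps by refusing names with more than one extension and requiring the extension, Content-Type and file contents to agree.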