PortSwigger File Upload — Lab 2

In this lab we have to upload a PHP file to read the contents of /home/carlos/secret, but we can't upload the PHP file directly because only JPEG and PNG image files are allowed, so we bypass this by changing the Content-Type header.

Web shell upload via Content-Type restriction bypass

We have a username and password with which we can log in.

This user has options to update their email and to upload an avatar, so let's try to upload a PHP file that will read the contents of /home/carlos/secret.

So our PHP file will look like this:

<?php echo file_get_contents('/home/carlos/secret'); ?>

But on uploading this, it shows an error that only JPEG and PNG files are allowed.

Using Burp Suite we can capture the request made while uploading the file and send it to Repeater, where we change the Content-Type header to image/jpeg.

Now, by going to any post and looking at the page source to see where our avatar is being loaded from, we can follow that path to execute the PHP file we uploaded.

This executes the PHP code, which reads the contents of the secret file. Submit this and you'll complete the lab.
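Why the header change works, and what a fix looks like, as an added example that is not the lab's code: the weak check trusts the client-declared Content-Type, while the hardened one sniffs the file's bytes and picks the stored name itself. The function names and the sample uploads are hypothetical and constructed for illustration; it assumes PHP's fileinfo extension is enabled.

```php
<?php
// Added example, not the lab's code. Function names and sample uploads are hypothetical.

// Weak: trusts the Content-Type the client put on the multipart file part.
function weak_is_allowed(array $file): bool {
    return in_array($file['type'], ['image/jpeg', 'image/png'], true);
}

// Hardened: ignores the declared type and the client filename, sniffs the bytes,
// and returns a server-chosen name whose extension comes from the detected type.
function hardened_stored_name(array $file): ?string {
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected === false || !isset($allowed[$detected])) {
        return null; // content is not a JPEG or PNG: reject
    }
    return bin2hex(random_bytes(16)) . '.' . $allowed[$detected];
}

// Builds an array shaped like one $_FILES entry from constructed bytes.
function constructed_upload(string $name, string $declared, string $bytes): array {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $declared, 'tmp_name' => $tmp];
}

// Constructed samples: a harmless PHP script and a PNG signature plus IHDR header.
$script = "<?php echo 'constructed sample'; ?>\n";
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('NN', 1, 1) . "\x08\x06\x00\x00\x00";

$uploads = [
    constructed_upload('avatar.php', 'application/x-php', $script),
    constructed_upload('avatar.php', 'image/jpeg', $script), // header changed in transit
    constructed_upload('avatar.png', 'image/png', $png),
];

foreach ($uploads as $u) {
    $stored = hardened_stored_name($u);
    printf("%-11s declared=%-18s weak=%-6s hardened=%s\n",
        $u['name'], $u['type'],
        weak_is_allowed($u) ? 'accept' : 'reject',
        $stored === null ? 'reject' : "store as $stored");
    unlink($u['tmp_name']);
}
```

Content sniffing on its own is not sufficient, since a file can begin with valid image bytes and still contain script code. The server-chosen extension, together with serving uploads from a location where scripts are not executed, is what keeps an uploaded file from running.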

Pentester | CTF Player