📄️ Lab 1 - Remote Code Execution via Web Shell Upload
Step-by-step PortSwigger lab walkthrough demonstrating file upload vulnerability to achieve remote code execution. Learn to bypass upload restrictions and execute arbitrary PHP code via web shell upload.
📄️ Lab 2 - Web Shell Upload via Content-Type Restriction Bypass
Step-by-step PortSwigger lab walkthrough demonstrating how to bypass Content-Type file validation. Learn to exploit MIME type checking vulnerabilities to upload and execute malicious PHP files.
📄️ Lab 3 - Web Shell Upload via Path Traversal
Step-by-step PortSwigger lab walkthrough showing how to bypass upload directory restrictions using path traversal. Learn to exploit filename parameter validation to upload PHP files outside restricted directories.
📄️ Lab 4 - Web Shell Upload via Extension Blacklist Bypass
Step-by-step PortSwigger lab walkthrough demonstrating how to bypass extension blacklists using .htaccess manipulation. Learn to execute PHP code via custom file extensions by uploading Apache configuration files.
📄️ Lab 5 - Web Shell Upload via Obfuscated File Extension
Step-by-step PortSwigger lab walkthrough demonstrating how to bypass file extension validation using null byte injection. Learn to exploit filename validation flaws with URL-encoded characters to upload executable PHP files.
📄️ Lab 6 - Remote Code Execution via Polyglot Web Shell Upload
Step-by-step guide to exploiting polyglot file uploads combining binary image data with PHP code. Learn how to bypass MIME type and magic byte validation using combined file formats to upload executable shells.
📄️ Lab 7 - Web Shell Upload via Race Condition
Expert-level PortSwigger lab exploiting race conditions in file upload validation. Demonstrates uploading executable PHP before server-side validation completes by sending parallel requests to execute the payload before it’s rejected.