Skip to main content

🗂️PortSwigger Lab Writeup: Web Shell Upload via Extension Blacklist Bypass

PortSwigger lab banner: Web shell upload via extension blacklist bypass

🎯 Objective

The objective of this lab is to exploit a file upload vulnerability where the app has a vulnerable image upload function which can be bypassed by overwriting .htaccess file. The goal is to upload a basic web shell and exfiltrate the contents of file /home/carlos/secret

  • Lab URL: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-extension-blacklist-bypass
  • Category: File Upload
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly open the lab URL in your browser, and observe what it is about and how it works. Blogging website homepage displaying blog posts and navigation menu
    Login page interface with username and password fields
  • At first glance, the website seems to be a blogging website with a login page. In the lab description, it is mentioned that we need to exfiltrate the secret of carlos.

📝Step 2: Upload the payload

  • First login with the given credentials - wiener:peter to access file upload function. Login page with wiener credentials
  • Now, we can see the file upload function where we can upload an avatar of the user. User profile page with file upload form for avatar image
  • Make basic php web shell named payload.php with the given code: 
    <?php echo file_get_contents('/home/carlos/secret'); ?>
  • Now, Upload this payload. File upload dialog showing payload.php file selected for upload
  • You will notice that the request was rejected as php files are not allowed to upload. Upload rejection message showing .php extension is blacklisted
  • Therefore, we will try to bypass this by overwriting .htaccess file and adding a mapping to our custom extension for execution of php files.
  • Now, Open the HTTP History in Burpsuite and send the POST /my-account/avatar request to Repeater tab. Burp Suite HTTP history showing POST request with Content-Type header
  • Change the value of filename header from payload.php to .htaccess and Content-type header from application/x-php to text/plain.
  • Also change the payload content to AddType application/x-httpd-php .133t and send the request. Burp Repeater uploading .htaccess file with custom extension mapping for PHP execution
  • Hence, we successfully uploaded our custom made .htaccess file.
  • Now, again send the original POST /my-account/avatar request by changing filename from payload.php to payload.133t Burp Repeater uploading web shell with custom .133t extension to bypass blacklist
  • Hence, our web shell is successfully uploaded to the server.

🧑‍💼Step 3: Access the Secret

  • Open the uploaded web shell at /files/avatars/payload.133t Web shell executing via custom extension and displaying carlos secret file content
  • Hence, our web shell executed successfully and returned the secret of carlos.
  • Now, Copy and submit it to complete the lab. Lab solved confirmation message after submitting the correct secret
  • And Finally, the Lab is solved.

🧠 Conclusion

  • This lab demonstrated how extension blacklists can be bypassed by uploading .htaccess files to reconfigure server behavior. By mapping custom extensions to PHP handlers via Apache configuration, we executed code despite the .php blacklist.
  • The impact is critical — attackers can manipulate server configuration files to execute arbitrary code with custom or unexpected extensions.
  • Fix: use allowlists for permitted extensions, prevent upload of sensitive files (.htaccess, .conf), disable ability to upload files outside restricted directories, and validate against server-level handlers.