Skip to main content

🗂️PortSwigger Lab Writeup: Web Shell Upload via Path Traversal

PortSwigger lab banner: Web shell upload via path traversal

🎯 Objective

The objective of this lab is to exploit a file upload vulnerability where the app has a vulnerable image upload function which relies on filename for storing them as well as server is configured to prevent execution of user-supplied files in avatar directory. The goal is to upload a basic web shell and exfiltrate the contents of file /home/carlos/secret

  • Lab URL: https://portswigger.net/web-security/file-upload/lab-file-upload-web-shell-upload-via-path-traversal
  • Category: File Upload
  • Difficulty: Practitioner

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • Firstly open the lab URL in your browser, and observe what it is about and how it works. Blogging website homepage displaying blog posts and navigation menu
    Login page interface with username and password fields
  • At first glance, the website seems to be a blogging website with a login page. In the lab description, it is mentioned that we need to exfiltrate the secret of carlos.

📝Step 2: Upload the payload

  • First login with the given credentials - wiener:peter to access file upload function. Login page with wiener credentials
  • Now, we can see the file upload function where we can upload an avatar of the user. User profile page with file upload form for avatar image
  • Make basic php web shell named payload.php with the given code: 
    <?php echo file_get_contents('/home/carlos/secret'); ?>
  • Now, Upload this payload. File upload dialog showing payload.php file selected for upload
  • You will notice that the payload uploaded successfully but it will not execute because server is configured to prevent execution of user-supplied files in avatar directory.
  • Therefore, we will change the uploading location of our payload so that it can execute.
  • Now, Open the HTTP History in Burpsuite and send the POST /my-account/avatar request to Repeater tab. Burp Suite HTTP history showing POST request with Content-Type header
  • Change the value of filename header from payload.php to ../payload.php and sent the request. Burp Repeater showing filename parameter modified with path traversal payload
  • Hence, our payload uploaded but not in our preferred directory.
  • Therefore again send the request by URL encoding the ../ traversal characters. Burp Repeater with URL-encoded path traversal sequence for bypassing restrictions
  • Hence, our web shell is successfully uploaded to the server.

🧑‍💼Step 3: Access the Secret

  • Open the uploaded web shell at /files/payload.php Web shell executing at traversed directory displaying carlos secret file content
  • Hence, our web shell executed successfully and returned the secret of carlos.
  • Now, Copy and submit it to complete the lab. Lab solved confirmation message after submitting the correct secret
  • And Finally, the Lab is solved.

🧠 Conclusion

  • This lab demonstrated how path traversal in filename parameters allows bypassing upload directory restrictions. By URL-encoding ../ sequences in the filename, we escaped the restricted avatar directory and uploaded executable code.
  • The impact is critical — attackers can upload malicious files to executable directories and achieve remote code execution.
  • Fix: validate and sanitize filenames, reject path traversal sequences (../ and ..), use allowlists for allowed directories, and store uploads with randomized names in non-executable locations.