byp4ss3d
May 18, 2025

Here we face a file upload vulnerability. By inspecting the website code it seems that the check is done server-side. I have tried some file extensions and I have tried adding magic numbers to the start of the file, but it didn't work, so I think the server uses a blacklist, because the extension .jpg.php5 worked and .jpg.php didn't.
So now let's see what we can do with this. First I tried a simple shell in PHP, because the website is powered by PHP, but it didn't work: after accessing the file in /images it only prints the contents of the file.
So now we need another way. I took a look at the hints, and they said to use a .htaccess file to execute PHP files, which also helps us bypass the extension filter, so let's try it.
First let’s see how to write a .htaccess file.
.htaccess (Hypertext Access) is a configuration file for Apache web servers that allows directory-level configuration changes without modifying the main server configuration.
And we add the line AddType application/x-httpd-php .jpg to it, which overrides the content type of .jpg so those files are treated like PHP files (executed).
So our plan is to upload the .htaccess file, then upload a shell.jpg file that contains the code to start the shell.
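From the defender's side, the two weaknesses above (a blacklist that lets .jpg.php5 and .htaccess through, and an upload directory where Apache honours .htaccess) are easy to demonstrate in code. The following is an added example, not code from the writeup or the challenge: a hypothetical upload validator that contrasts the inferred blacklist with an allowlist check on the last extension, rejects dotfiles such as .htaccess, verifies the file signature, and names the stored file independently of user input. All function names, the extension and signature tables, and the sample inputs are constructed for the example.

```python
"""Upload validation, added example (not the writeup's own code).

Shows why a suffix blacklist fails against the uploads described in the
post and what an allowlist-based check looks like. Names are hypothetical.
"""
import hashlib
import os
import re
from typing import Tuple

# Only these FINAL extensions are accepted; everything else is rejected.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes expected for each accepted type (public format signatures).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Stem may contain letters, digits, '_' and '-' only. No dots: Apache's
# mod_mime can act on every extension in a name, so 'x.php.jpg' is refused.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def blacklist_check(filename: str) -> bool:
    """The weak check the post infers: reject only known-bad suffixes.
    'shell.jpg.php5' and '.htaccess' both pass, which is the problem."""
    bad = {"php", "phtml", "php3", "php4"}
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext not in bad


def allowlist_check(filename: str, content: bytes) -> Tuple[bool, str]:
    """Hardened check. Returns (accepted, reason).

    - strips any client-supplied path
    - rejects dotfiles (.htaccess) and names without an extension
    - requires the LAST extension to be in the allowlist
    - rejects extra dots in the stem
    - requires the content to start with the signature of the declared type
    """
    base = os.path.basename(filename.replace("\\", "/"))
    if base.startswith(".") or "." not in base:
        return False, "dotfile or missing extension"
    stem, ext = base.rsplit(".", 1)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    if not SAFE_STEM.match(stem):
        return False, "unsafe characters or extra dots in name"
    if not any(content.startswith(sig) for sig in MAGIC[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def storage_name(filename: str, content: bytes) -> str:
    """Name the stored file from a content hash plus the validated extension,
    so nothing the client chose reaches the filesystem. Call after
    allowlist_check() has accepted the upload."""
    ext = filename.rsplit(".", 1)[-1].lower()
    digest = hashlib.sha256(content).hexdigest()[:16]
    return f"{digest}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads mirroring the cases in the post.
    samples = [
        ("shell.jpg.php5", b"not an image"),
        (".htaccess", b"AddType application/x-httpd-php .jpg\n"),
        ("shell.jpg", b"not an image"),
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ]
    for name, data in samples:
        print(f"{name:16} blacklist={blacklist_check(name)!s:5} "
              f"allowlist={allowlist_check(name, data)}")
```

The content check on its own would not have stopped the attack the post describes, because a JPEG signature can be prepended to a PHP payload. What actually closes the hole is the server configuration: serve the upload directory with AllowOverride None so .htaccess is ignored, and do not map any handler for PHP in that directory, so that whatever gets uploaded is only ever returned as static data, which is the behaviour the post observed before the .htaccess override.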
Now that we have our two files, let's upload them.

Let's access the shell.jpg file.

Let's now find where the flag is. After some searching, the find command was not available, but let's think: we are in /var/www/html/images.
Let's traverse backward until we find the flag.

Here we found the flag; we just need to read it and submit it.