Showing 36 Result(s)

Portswigger: Exploiting XXE via image file upload Writeup

Lab link. This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files. To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the “Submit solution” button to submit the value of the server hostname. In some systems, we need …

Writeup: Web shell upload via obfuscated file extension

Lab link. If the application has taken precautions for the file extension, there are several ways to bypass this precaution. In this lab, we use the null byte method to bypass the file extension blocking. In Requesat’s response, we see that our file was uploaded correctly. In the GET /files/avatars/ we correct our file name …

Writeup: Web shell upload via extension blacklist bypass

Lab link. The application has used a blacklist for security, but if we upload the .htaccess file, we can allow any file extension we want on the server. The file with the .php extension does not work. We make changes to the POST /my-account/avatar request. Now we can upload files with .l33t extension. We change …

Writeup: Web shell upload via path traversal

Lab link. In some systems, there may be more than one vulnerability, or we may continue with a different vulnerability in the continuation of one vulnerability. In this lab, we can upload files thanks to path traversal. In the lab, we are asked to access the file /home/carlos/secret. We create a php file to access …

Writeup: Blind SSRF with out-of-band detection

Lab link. Blind SSRF occurs when an application can be encouraged to send a back-end HTTP request to a given URL, but the response from the back-end request is not returned in the application’s front-end response. Using Burp Collaborator we can create unique domains and send them as payloads to the application. We can monitor …