This lab contains a vulnerable image upload function. Although it performs robust validation on uploaded files, it is possible to bypass this validation entirely by exploiting a race condition in the way the files are processed.
Upload a basic PHP web shell.
Use it to exfiltrate the contents of the file:
/home/carlos/secret
Submit this secret using the button provided in the lab banner.
You can log in to your own account using:
wiener:peter
The race condition is caused by the following vulnerable code:
<?php
$target_dir = "avatars/";
$target_file = $target_dir . $_FILES["avatar"]["name"];
// temporary move
move_uploaded_file($_FILES["avatar"]["tmp_name"], $target_file);
if (checkViruses($target_file) && checkFileType($target_file)) {
    echo "The file ". htmlspecialchars($target_file). " has been uploaded.";
} else {
    unlink($target_file);
    echo "Sorry, there was an error uploading your file.";
    http_response_code(403);
}

function checkViruses($fileName) {
    // checking for viruses
    // ...
}

function checkFileType($fileName) {
    $imageFileType = strtolower(pathinfo($fileName,PATHINFO_EXTENSION));
    if($imageFileType != "jpg" && $imageFileType != "png") {
        echo "Sorry, only JPG & PNG files are allowed\n";
        return false;
    } else {
        return true;
    }
}
?>
The file is first moved into the web-accessible avatars/ directory and only then checked; a file that fails the checks is deleted afterwards. Between the move and the unlink there is a short window during which the file exists on disk and can be served.
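For comparison, here is a hardened version of the same handler, added as an example and not taken from the lab: every check runs against the PHP-managed temporary file, which lives outside the web root, and the file is only moved into avatars/ after it passes. The virus check is left as a stub, and the content-type check with finfo is one reasonable choice rather than something the lab specifies.

```php
<?php
// Hardened upload handler (added example; not the lab's code). The key change
// is ordering: all validation runs against the temporary upload, and the file
// is only moved under the web root once it has passed.
$target_dir   = "avatars/";
$allowed_ext  = ["jpg", "png"];
$allowed_mime = ["image/jpeg", "image/png"];

function checkViruses($fileName) {
    // Stub: a real scanner call goes here (assumed, not part of the lab page).
    return true;
}

function checkFileType($tmpName, $clientName, $allowed_ext, $allowed_mime) {
    // The extension still comes from the client-supplied name, but the actual
    // bytes are inspected as well, so a mislabelled file is rejected.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpName);
    return in_array($mime, $allowed_mime, true);
}

$tmp  = $_FILES["avatar"]["tmp_name"];
$name = $_FILES["avatar"]["name"];

// is_uploaded_file() confirms $tmp really is this request's upload.
if (!is_uploaded_file($tmp)
    || !checkViruses($tmp)
    || !checkFileType($tmp, $name, $allowed_ext, $allowed_mime)) {
    // Nothing was placed under the web root, so there is nothing to unlink
    // and no window in which a rejected file could be requested.
    http_response_code(403);
    echo "Sorry, there was an error uploading your file.";
    exit;
}

// Server-chosen filename: the client's name never reaches the filesystem.
$ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$target_file = $target_dir . bin2hex(random_bytes(16)) . "." . $ext;

if (!move_uploaded_file($tmp, $target_file)) {
    http_response_code(500);
    echo "Sorry, there was an error storing your file.";
    exit;
}
echo "The file " . htmlspecialchars($target_file) . " has been uploaded.";
?>
```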