The lab uses metasploitable.
This lab gives awareness of file upload vulnerability, there are three levels of security – low, medium and high, the objective is to try to upload a forward shell code then connect to it to gain the server access.
This is the php code of low security file upload:
From the php code it handles the file transfer after upload button is clicked, but there is no check on the type of file uploaded.
Generate shell webapp with weevely
weevely is a python script that generates a php file to open shell access to the target server.
Upload and gain shell access
After the file is successfully uploaded, gain a shell access with weevely.
This is the medium security code, which checks the size of the file and the content-type of the file which is image/jpeg, change the extension of the file from php to php.jpg the webapp will accept the upload.
At first I thought I cannot run the shell with weevely because jpg is appended, but weevely still works….
This is the php code in high security which checks the jpg extension:
But the same old trick used on medium security can be used on high security too.
So I copy shell.php.jpg to shell2.php.jpg and try to upload.
This is the result when i use the shell2.php.jpg with weevely:
Why prepended php extension can still be run?
The problem lies within the default php configuration file in the metasploitable server:
AddHandler php5-cgi .php is the problem, the solution can be found here. Or see this code in github which teaches you how to implement checking for file upload with php.