Lab 254 — PageForge — ZIP Upload File Type Bypass to RCE

hackadvisor

Task: PHP CMS with theme import feature that extracts ZIP archives to a web-accessible directory without filtering file types inside the archive. Solution: include a PHP webshell (shell.php) inside a valid theme ZIP alongside theme.json, upload via /themes/import, then access the extracted webshell at /uploads/themes/<name>/shell.php for RCE.

rce php file_upload zip webshell nginx cms theme_upload file_type_bypass no_extension_filter csrf_token

decoy_flag_identificationzip_file_type_bypassphp_webshell_in_zipunrestricted_file_extraction

$ ls tags/ techniques/

rce php file_upload zip webshell nginx cms theme_upload file_type_bypass no_extension_filter csrf_token

decoy_flag_identificationzip_file_type_bypassphp_webshell_in_zipunrestricted_file_extraction

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 161 — PageForge — Path Traversal via Mixed Slash Filter Bypass— hackadvisor
[web][Pro]KnowledgeForge — File Upload RCE via MIME Type Confusion— hackadvisor
[web][Pro]PageForge— hackadvisor
[web][Pro]BillForge — LFI to RCE via Nginx Log Poisoning— hackadvisor
[web][Pro]Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)— hackadvisor