Lab 307 — CrewHub — File Upload RCE via Polyglot JPG/PHP

hackadvisor

Task: PHP project management app with avatar upload validated by GD library, but preserving original file extension and not stripping EXIF data. Solution: craft a polyglot JPG/PHP with a webshell in EXIF ImageDescription, upload with .php extension to bypass GD validation, then execute commands to read /root/flag.txt.

rce php file_upload webshell jpeg nginx polyglot exif gd_library content_validation_bypass

php_webshell_uploaddecoy_flag_identificationjpeg_php_polyglot_via_exiffile_extension_bypassgd_library_content_validation_bypass

$ ls tags/ techniques/

rce php file_upload webshell jpeg nginx polyglot exif gd_library content_validation_bypass

php_webshell_uploaddecoy_flag_identificationjpeg_php_polyglot_via_exiffile_extension_bypassgd_library_content_validation_bypass

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 163 — PostFlow — Unrestricted File Upload via Avatar Feature— hackadvisor
[web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor
[web][Pro]Lab 39 — PixelVault — RCE via ImageMagick Filename Command Injection— hackadvisor
[web][Pro]Lab 205 — DockForge — SSRF in Webhook Test Endpoint— hackadvisor
[web][Pro]Чилиец (Chiliets)— hackerlab