How I Hacked My College (PART 3)

Hello Everyone, this is my last part and the best one to get RCE ( Remote Code Execution). I am happy to change the mindset of my College to look into Security where the Education department doesn’t take cybersecurity seriously unless and until they are hit by Cyber Criminals.

All those who are reading this story, I request every one to take security as a major part in their life, think twice while giving your data to anyone no matter it's your college because sometimes your data is given to third parties to handle and if they don't take major steps to secure your data you will be hacked easily.

Remote Code Execution — Smart but not Enough

What is Remote Code Execution?

Remote Code Execution (RCE) One of the most dangerous types of computer vulnerabilities. It allows an attacker to remotely run malicious code within the target system on the local network or over the Internet. Physical access to the device is not required.

I started hunting for RCE so I thought of uploading PHP shell, I had found an upload picture functionality where we were supposed to upload our profile picture, without wasting any time I created my PHP shell. Now to check the flow of upload functionality I uploaded a normal picture and I got following request,

and my profile was uploaded successfully.

Now to check whether PHP is accepted or not I uploaded my backdoor PHP shell file,

and I received a 403 Forbidden response, it means we cant upload PHP file.

Now I had to bypass filters to upload PHP shell and get RCE.

Types of filters?

Here are some common filters used by the developers

1. Blacklisting Bypass:

Blacklisting can be bypassed by uploading unpopular PHP extensions.
such as: pht, phpt, phtml, php3,php4,php5,php6

2. Whitelisting Bypass:

Whitelisting can be bypassed by uploading a file with some type of tricks, By adding a null byte character like ( shell.php%00.gif ). Or by using double extensions for the upload file like ( shell.jpg.php ).

3. Content-type Validation:

This type of validation can be bypassed by changing the file name for example to “shell.php” or
“shell.aspx” but keeping the “Content-Type” parameter as “image/ *” Content-Type. Such as
“image/png”, “image/jpeg”, and “image/gif”.

4. Content length Validation:

It can be bypassed using a small length of payload like

PHP shell: (<?=`$_GET[x]`?>)

Why Smart but not enough ??

In my case, it was Whitelisting Bypass. I just changed my shell.png to shell.png.php

and BOOM!! my PHP file was uploaded successfully and I was like,

and finally, msfconsole did my work, the connection was established to my backdoor PHP shell and I was super happy when I got connected to the server !!

Thanks for reading !!

**** I was Granted Permission to Penetrate the College so don’t do anything illegal and I have not disclosed any Critical Information***

Information Security Analyst at Persistent Systems | Synack Red Team Member | CEH v10 | CEH Master | Bug Bounty Hunter

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store