-3

I have found an endpoint on a website that allows me to upload files. This endpoint didn't have any kind of protection against malicious file upload. So, I uploaded a PHP shell, but the problem is when I visit the uploaded file link, I get a download box!

I tried to upload files with .html, .php and .svg, but I can't get those files executed on the server. I just get a box asking me to download the file. Only the image extensions, like .png and .jpeg, are executed.

Is there any way to execute the PHP shell on this server? Because they didn't have any kind of protection on this endpoint, I can upload any malicious file.

Anders

1 Answer

3

Is there any way to execute the PHP shell on this server?

Probably not. For that to happen, the server has to have a PHP engine installed and be configured to respond to requests for PHP files by executing them. That doesn't seem to be the case here.

So my guess is that either PHP isn't installed, or it's configured not to run in the upload folder.

Anders
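A check a site owner can run against their own upload directory to confirm the behaviour the answer describes: stored files come back byte-for-byte as a download instead of being executed or rendered. This is an added example, not part of the original posts; the function name, the header policy and the sample responses are constructed for illustration.

```python
# Added example: audit how an upload directory serves a stored file.
# Assumption: `body` is the response body after any transfer/content decoding.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}

def _header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def audit_served_upload(uploaded, headers, body):
    """Return a list of findings; an empty list means the file is served inertly."""
    findings = []
    # An interpreter (e.g. a PHP handler) replaces the stored bytes with its output.
    if body != uploaded:
        findings.append("body differs from stored bytes: file may be interpreted server-side")
    disposition = _header(headers, "Content-Disposition").lower()
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    # Without 'attachment', script-capable types render inside the site's origin.
    if not disposition.startswith("attachment") and ctype in ACTIVE_TYPES:
        findings.append(ctype + " served inline: browser renders it in the site's origin")
    if _header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browser may sniff the type")
    return findings

# Constructed sample data (not captured from any real server).
PHP_FILE = b"<?php echo 1 + 1; ?>"
SVG_FILE = b'<svg xmlns="http://www.w3.org/2000/svg"></svg>'
DOWNLOAD_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; filename="upload.php"',
    "X-Content-Type-Options": "nosniff",
}
INLINE_SVG_HEADERS = {"content-type": "image/svg+xml; charset=utf-8"}

if __name__ == "__main__":
    cases = [
        ("php as download", PHP_FILE, DOWNLOAD_HEADERS, PHP_FILE),
        ("svg inline", SVG_FILE, INLINE_SVG_HEADERS, SVG_FILE),
        ("php executed", PHP_FILE, DOWNLOAD_HEADERS, b"2"),
    ]
    for label, uploaded, headers, body in cases:
        print(label, "->", audit_served_upload(uploaded, headers, body) or "inert")
```

The first case corresponds to the download box in the question: the bytes are returned unchanged with an attachment disposition, so nothing runs on the server or in the browser.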