Upload

A vulnerable web application due to unrestricted file upload

• the app is a picture gallery
• uploaded images are not filtered or validated
• so it can be hacked by uploading a web shell or other PHP file...

Try in Play with Docker

Run with docker-compose

Easiest way to run the vulnerable app is using docker-compose:

mkdir upload
cd upload
curl -o docker-compose.yml https://gitlab.cylab.be/cylab/play/upload/-/raw/main/docker-compose.yml
docker-compose up

After a few seconds, the app will be available at http://127.0.0.1:8000

Run with Docker

docker run -p 8000:80 gitlab.cylab.be:8081/cylab/play/upload

Testing locally

You can use PHP built-in webserver to test locally:

git clone https://gitlab.cylab.be/cylab/play/upload.git
cd upload/public
php -S localhost:8000