WEBVERSE


PhotoStore

easy · Free

PhotoStore is a boutique fine-art photography studio with a client upload portal. Their archival pipeline reads a little more out of your photos than you might expect.

Tags: command-injection, rce, exif, metadata-injection, file-upload, python, flask
Stack: python, flask, pillow, nginx

The Scenario

Simon's PhotoStore is a small editorial and portrait studio that lets clients upload their originals through a web "Upload Studio." To help catalogue the archive, the studio bolted on a homegrown "MetaDSL" engine that reads the ImageDescription field baked into each photo's metadata and processes it as part of the intake pipeline.

It works beautifully on a well-behaved holiday snap. The question is what the pipeline does when the metadata isn't a caption at all. Upload something of your own and see how much of the studio's back office you can reach.

Lab Intel

Synopsis

PhotoStore's upload pipeline extracts the EXIF ImageDescription from each uploaded photo and feeds it to a 'MetaDSL' that evaluates system("...") expressions by running them through a shell, yielding command injection / RCE.

Architecture

An easy-difficulty single-service lab built on two containers — an nginx gateway and a Flask photo-upload application. The upload validation itself (extension allow-list, magic-byte sniff, path-traversal guard, decompression-bomb cap) is intentionally solid; the only vulnerability is the metadata DSL that executes ImageDescription content as a shell command.
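The Synopsis and Architecture above make one point: upload validation can be airtight while the extracted metadata still reaches a shell-backed sink. The following is an added, defender-side example (not the lab's own code) of how an intake step should treat ImageDescription: parse the tag out of a TIFF/EXIF IFD with the standard library, keep it as inert text, and flag shell-like content for review instead of evaluating it. The `build_tiff_with_description` helper and the `SHELL_LIKE` pattern are constructed for the example.

```python
import re
import struct
from typing import Optional

IMAGE_DESCRIPTION = 0x010E   # EXIF/TIFF tag number of ImageDescription
ASCII = 2                    # TIFF field type for NUL-terminated text
SHELL_LIKE = re.compile(r'system\s*\(|[;&|`$]')  # assumed shapes a shell-backed DSL sink would act on

def build_tiff_with_description(desc: bytes) -> bytes:
    """Constructed sample: minimal little-endian TIFF whose only IFD0 entry is ImageDescription."""
    data = desc + b"\x00"
    ifd_off = 8
    header = b"II" + struct.pack("<HI", 42, ifd_off)
    if len(data) <= 4:  # short values live inline in the 4-byte value slot
        entry = struct.pack("<HHI", IMAGE_DESCRIPTION, ASCII, len(data)) + data.ljust(4, b"\x00")
        tail = b""
    else:               # longer values are stored at an offset just past the IFD
        entry = struct.pack("<HHII", IMAGE_DESCRIPTION, ASCII, len(data), ifd_off + 2 + 12 + 4)
        tail = data
    return header + struct.pack("<H", 1) + entry + struct.pack("<I", 0) + tail

def read_image_description(tiff: bytes) -> Optional[str]:
    """Walk IFD0 and return ImageDescription as inert text. Nothing here is ever evaluated."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or len(tiff) < 8:
        return None
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42 or ifd_off + 2 > len(tiff):
        return None
    (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(count):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(tiff):
            return None
        tag, ftype, n, value = struct.unpack(endian + "HHII", tiff[off:off + 12])
        if tag == IMAGE_DESCRIPTION and ftype == ASCII:
            raw = tiff[off + 8:off + 12][:n] if n <= 4 else tiff[value:value + n]
            return raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return None

def intake_description(tiff: bytes, max_len: int = 256) -> dict:
    """Hardened intake: cap length, keep only printable text, and flag (never run) shell-like content."""
    desc = read_image_description(tiff)
    if desc is None:
        return {"description": None, "suspicious": False}
    cleaned = "".join(ch for ch in desc if ch.isprintable())[:max_len]
    return {"description": cleaned, "suspicious": bool(SHELL_LIKE.search(desc))}
```

The `suspicious` flag is a detection signal for the archive operator; the caption itself is stored as a string and never handed to a DSL or a shell.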

Who It's For

Players comfortable with web requests and the basics of image file formats who want to practise injection through a non-obvious input channel. Familiarity with editing EXIF metadata (e.g. exiftool) and basic shell commands helps.

Skills You'll Practice

  • Treating file metadata as an injection surface
  • Building a malicious image payload (EXIF ImageDescription)
  • Exploiting a shell-backed 'expression language' for command execution
  • Recon of an upload pipeline to locate the real sink

What You'll Gain

  • Awareness that hardened upload validation does not cover what happens to extracted metadata
  • A repeatable EXIF-metadata command-injection technique
  • Understanding of how a constrained DSL can still expose a full shell

Ready to hack PhotoStore?

This lab is free. Sign up and start hacking.