search

Source Code

hashtag
LFI

UpDown HTB

  • Direct Access set to false

  • Get the page

  • If the page doesn't have /bin, usr, home, var, etc

  • Then it does an include on the page variable and appends .php (on any file)

  • Else, it includes checker.php

hashtag
RCE via PHP filters

It's possible to get command execution just through $_GET['page']

LogoLFI2RCE via PHP Filters - HackTricksbook.hacktricks.xyzchevron-right

Take the output and append it to /?page=

If system isn't a disabled function this can be used

LogoGitHub - RoqueNight/LFI---RCE-Cheat-Sheet: Transition form local file inclusion attacks to remote code exectionGitHubchevron-right

hashtag
Reading Local Files

We can pull the index.php file encoded in base64 using this wrapper in the GET request

Good example:

LogoFoothold | Hack The Boxhtb.adot8.comchevron-right

hashtag
Authentication Bypass via strcmp in PHP

PreviousPHP ApplicationsNextBrute Forcing and Spraying

Last updated