Source Code

LFI

UpDown HTB

  • Direct Access set to false

  • Get the page

  • If the page doesn't have /bin, usr, home, var, etc

  • Then it does an include on the page variable and appends .php (on any file)

  • Else, it includes checker.php

RCE via PHP filters

It's possible to get command execution just through $_GET['page']

LogoLFI2RCE via PHP Filters - HackTricksbook.hacktricks.xyz

Take the output and append it to /?page=

If system isn't a disabled function this can be used

LogoGitHub - RoqueNight/LFI---RCE-Cheat-Sheet: Transition form local file inclusion attacks to remote code exectionGitHub

Reading Local Files

We can pull the index.php file encoded in base64 using this wrapper in the GET request

Good example:

LogoFoothold | Hack The Boxhtb.adot8.com

Authentication Bypass via strcmp in PHP

PreviousPHP ApplicationsNextBrute Forcing and Spraying

Last updated