Never let go

hackerlab

Task: Achieve RCE on a PHP application with LFI via include() with .php extension appended. Solution: Use php://filter/convert.base64-encode to read source code and leak credentials, then use php_filter_chain_generator to craft an iconv filter chain that injects arbitrary PHP code through the LFI without file upload.

rce lfi source_code_disclosure php_filter php_filter_chain

lfi_to_rcephp_filter_wrapperphp_filter_chain_generatorcredential_leak

$ ls tags/ techniques/

rce lfi source_code_disclosure php_filter php_filter_chain

lfi_to_rcephp_filter_wrapperphp_filter_chain_generatorcredential_leak

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]RCE— web-kids20
[web][Pro]XXE filter— web-kids20
[web][Pro]Доступ запрещён (Access Denied)— hackerlab
[web][Pro]Обходной путь (Obhodnoy Put)— hackerlab
[web][Pro]B64Decoder— hackerlab