PageCraft — LFI to RCE via /proc/self/environ User-Agent Injection

hackadvisor

Task: PHP CMS with ?pg= parameter vulnerable to LFI via path traversal, no input sanitization on include(). Solution: Exploited LFI to include /proc/self/environ, injected PHP code via User-Agent header to achieve RCE and read /root/flag.txt.

lfi path_traversal php apache nginx cms alpine_linux proc_environ php_cgi decoy_flags

path_traversallfi_to_rceproc_self_environ_injectionuser_agent_code_injectionphp_include_exploitation

$ ls tags/ techniques/

lfi path_traversal php apache nginx cms alpine_linux proc_environ php_cgi decoy_flags

path_traversallfi_to_rceproc_self_environ_injectionuser_agent_code_injectionphp_include_exploitation

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]PageCraft — SSTI via Twig Template Engine in Post Content— hackadvisor
[web][Pro]PageForge— hackadvisor
[web][Pro]Lab 158 — PageCraft — Twig Template Path Traversal via Namespace Bypass— hackadvisor
[web][Pro]BillForge — LFI to RCE via Nginx Log Poisoning— hackadvisor
[web][Pro]Lab 161 — PageForge — Path Traversal via Mixed Slash Filter Bypass— hackadvisor