PageForge

hackadvisor

Task: PHP CMS with unsanitized include() on a view parameter, Apache log readable via open_basedir. Solution: LFI via path traversal to read Apache access log, then User-Agent log poisoning with PHP webshell (single quotes!) to achieve RCE and read flag from environment variable.

rce lfi path_traversal php apache include user_agent_injection cms log_poisoning alpine_linux

path_traversallfi_to_rceuser_agent_injectionapache_log_poisoningenvironment_variable_exfiltration

$ ls tags/ techniques/

rce lfi path_traversal php apache include user_agent_injection cms log_poisoning alpine_linux

path_traversallfi_to_rceuser_agent_injectionapache_log_poisoningenvironment_variable_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]BillForge — LFI to RCE via Nginx Log Poisoning— hackadvisor
[web][Pro]Lab 161 — PageForge — Path Traversal via Mixed Slash Filter Bypass— hackadvisor
[web][Pro]PageCraft — LFI to RCE via /proc/self/environ User-Agent Injection— hackadvisor
[web][Pro]KnowledgeForge — File Upload RCE via MIME Type Confusion— hackadvisor
[web][Pro]Lab 254 — PageForge — ZIP Upload File Type Bypass to RCE— hackadvisor