web | Pro | medium
DocuNest
hackadvisor
Task: A collaborative documentation platform whose docs viewer passes an unsanitized file parameter to PHP include(), enabling LFI. The flag is stored as an environment variable and in /root/flag.txt (chmod 600).

Solution: Chain the LFI with Apache access log poisoning: inject a PHP webshell via the User-Agent header, then include the poisoned log to achieve RCE and read the FLAG environment variable.
$ ls tags/ techniques/
tags/: sqlite rce lfi path_traversal php apache include user_agent_injection log_poisoning decoy_flag alpine_linux documentation_viewer mod_php
techniques/: environment_variable_exfiltration path_traversal_lfi lfi_to_rce_via_log_poisoning apache_access_log_inclusion user_agent_php_injection
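
Detection logic for the chain summarized above, added here as an example and not part of the original writeup: it scans Apache combined-format access log lines for a PHP open tag in a logged header, then for a later request whose decoded query string uses traversal or names a log file. The sample log lines, the `/view.php` path, the `file` parameter name and the log location are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)
LOG_PATH = re.compile(r'\.\./|\.\.\\|/var/log/|(?:access|error)[._]log', re.I)

def classify(line):
    """Return the set of findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return {"unparsed"}
    findings = set()
    # Stage 1: PHP open tag in a header field that Apache writes to the log.
    if PHP_TAG.search(m["agent"]) or PHP_TAG.search(m["referer"]):
        findings.add("php_in_header")
    # Stage 2: query string that uses traversal or points at a log file.
    parts = m["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    query = unquote(unquote(target.partition("?")[2]))  # also catches double encoding
    if LOG_PATH.search(query):
        findings.add("log_or_traversal_in_query")
    return findings

def chain_alerts(lines):
    """Hosts that request a log/traversal path after a poisoning entry was logged."""
    poisoned, alerts = False, []
    for line in lines:
        found = classify(line)
        if "php_in_header" in found:
            poisoned = True
        if poisoned and "log_or_traversal_in_query" in found:
            alerts.append(line.split(" ", 1)[0])
    return alerts

# Constructed sample lines (not taken from the lab); paths and names are assumed.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed placeholder */ ?>"',
    '203.0.113.7 - - [10/Mar/2025:10:00:09 +0000] "GET /view.php?file=..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2025:10:01:00 +0000] "GET /view.php?file=intro.md HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(chain_alerts(SAMPLE))
```

Either finding is worth an alert on its own; the ordered pair is the high-confidence signal for this chain.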