webPromedium
BillForge — LFI to RCE via Nginx Log Poisoning
hackadvisor
Task: PHP invoicing platform (BillForge v2.4.1) with admin settings allowing the public invoice template path to be changed, where the template is loaded via include() without sanitization. Solution: Changed template to nginx access log via path traversal, poisoned the log with a PHP webshell in the User-Agent header, then triggered RCE to read the flag from an environment variable.
$ ls tags/ techniques/
sqlitercelfipath_traversalphpnginxincludeuser_agent_injectiontemplate_injectionlog_poisoningdecoy_flagalpine_linuxinvoice_platformsettings_abuse
environment_variable_exfiltrationpath_traversal_lfilfi_to_rce_via_log_poisoninguser_agent_php_injectionnginx_access_log_inclusionsettings_template_path_abuse
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]PageForge— hackadvisor
- [web][Pro]BillForge— hackadvisor
- [web][Pro]Lab 197 — BillForge — Authorization Bypass via HTTP Parameter Pollution— hackadvisor
- [web][Pro]Lab 25 — DocuForge — RCE via Dompdf Font Cache Exploitation— hackadvisor
- [web][Pro]BillForge — SSRF Chain via Chromium PDF Invoice Generation— hackadvisor