[web][Pro][hard]
Lab 313 — ThreadForge — PHAR Deserialization Chain via Backup Leak & Chunked Upload
hackadvisor
Task: PHP forum with admin panel, backup download, chunked upload API, and image processor path setting. Solution: Download SQLite backup to leak config, upload PHP webshell via unrestricted upload API, trigger execution via include() in the /uploads/ route handler.
Tags: sqlite, php, file_upload, webshell, information_disclosure, nginx, deserialization, decoy_flag, slim_framework, backup_leak, phar, chunked_upload, php_include, unrestricted_file_upload

Techniques: decoy_flag_avoidance, database_backup_information_disclosure, upload_salt_extraction_from_config, unrestricted_file_upload_no_extension_validation, php_file_inclusion_via_include_in_upload_route, webshell_upload_and_execution, phar_deserialization_trigger_via_file_exists, chunked_upload_predictable_temp_path
Similar writeups
- [web][Pro] Lab 13 — WebForge — Insecure Deserialization in Config Import — hackadvisor
- [web][Pro] Lab 353 — MailForge — Insecure Deserialization via Custom Session Handler — hackadvisor
- [web][Pro] Lab 307 — CrewHub — File Upload RCE via Polyglot JPG/PHP — hackadvisor
- [web][Pro] Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick) — hackadvisor
- [web][Pro] KnowledgeForge — File Upload RCE via MIME Type Confusion — hackadvisor