
I have a scenario as the following:

<?php include("resource/" . $_GET['vuln']); ?>  // user-controlled value concatenated into the include path

And I'm trying to get RCE from this, or at least acquire some interesting information.

I already looked at /etc/passwd and other important files. Are there things I can do to bypass the resource/ prefix (since it disables me from using php:// filters)?

  • I am 95% sure you can't do anything about the prefix. So I think you can only include files actually found in the `resource` dir. – Anders Feb 07 '20 at 16:24
  • I assume traversals are blocked? ../../../../../etc/passwd – wireghoul Feb 07 '20 at 16:37
  • Actually, traversals aren't blocked. But I think I've come up with a way to get RCE: we can actually send an error request to the server, then the logfile will contain our error. BUT what if we use inside the error, so that when you include it, the server will parse whatever's in $_GET['vuln']? – Guysudai1 Feb 07 '20 at 18:11
  • @Guysudai1 that would be the standard way to escalate this. Other potential files with PHP code to include might be `/proc/self/environ` or any file you can upload (type doesn't matter, might be image files, etc). – tim Feb 07 '20 at 18:27
  • Yeah, I took inspiration from that way of exploitation, because I could not access /proc/self/environ. – Guysudai1 Feb 07 '20 at 18:39
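The comments above agree on why the `resource/` prefix does not help: it only fixes where the path starts, and `..` walks back out of it. The added example below (not code from the question or from any answer) puts the vulnerable include next to two hardened forms: an allowlist keyed by page name, and a containment check that resolves the requested file with `realpath()` and refuses anything that does not land inside `resource/`. The directory layout, the `PAGES` map, and the rule that only `.php` templates are includable are assumptions made for the example.

```php
<?php
// Added example, not from the question: the vulnerable include beside two
// hardened versions that keep includes inside resource/.
// Assumed layout (not stated on the page): resource/ sits next to this script
// and contains only the .php templates that are meant to be includable.

declare(strict_types=1);

const RESOURCE_DIR = __DIR__ . '/resource';

// Vulnerable: the prefix only fixes where the path starts. "../" steps out of
// resource/, so files like /etc/passwd or a log file become reachable, and
// whatever is included is parsed as PHP if it contains PHP tags.
function includeVulnerable(string $vuln): void
{
    include "resource/" . $vuln;   // e.g. ?vuln=../../../../etc/passwd
}

// Hardened, layer 1: allowlist. The request carries a key, never a path,
// so there is no string for traversal sequences to live in.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function includeAllowlisted(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('unknown page');
    }
    include RESOURCE_DIR . '/' . PAGES[$page];
}

// Hardened, layer 2 (when an allowlist is impractical): resolve the path and
// verify it is still below RESOURCE_DIR. realpath() collapses "..", "./" and
// symlinks, and returns false for non-existent files, which also rejects
// php://, data:// and other stream wrappers since they never resolve to a
// real path under the base directory.
function resolveResource(string $name): ?string
{
    // Reject empty names and control bytes (including NUL) before touching
    // the filesystem.
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) {
        return null;
    }
    $base = realpath(RESOURCE_DIR);
    $real = realpath(RESOURCE_DIR . '/' . $name);
    if ($base === false || $real === false) {
        return null;
    }
    // Must be strictly inside the base directory (prefix plus separator,
    // so "resource_old/" does not pass as "resource/").
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Only templates; this blocks uploaded images, logs, etc. even if they
    // somehow ended up inside resource/.
    if (substr($real, -4) !== '.php') {
        return null;
    }
    return $real;
}

function includeContained(string $name): void
{
    $path = resolveResource($name);
    if ($path === null) {
        http_response_code(404);
        exit('unknown page');
    }
    include $path;
}

// Dispatch: ?page=home uses the allowlist, ?vuln=home.php the contained
// resolver. includeVulnerable() is kept only for comparison and is not called.
if (isset($_GET['page'])) {
    includeAllowlisted((string) $_GET['page']);
} elseif (isset($_GET['vuln'])) {
    includeContained((string) $_GET['vuln']);
}
```

The allowlist is the form to prefer; the `realpath()` check is the fallback for code bases where the set of includable files is large or changes often. As defence in depth, keeping `allow_url_include` off and setting `open_basedir` to the application's directory limits what a remaining include bug can reach, and serving logs and uploads from locations the web user cannot read removes the files the comments identify as the usual way to turn this into RCE.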

0 Answers