PHP

Local File Inclusion with insecure filter

Infect the log file data.log and include it to execute PHP code on the target application, achieving remote code execution (RCE).

Goal

Read the flag in the environment variables of the vulnerable application.

Hints

Hint #1

To verify that you have bypassed the filter, try reading the /etc/passwd file.

Hint #2

If an included file contains PHP tags such as <?php ... ?>, the code inside them is executed.

Solution


The filter removes all ../ but does not check whether the final value still contains ../. An attacker can easily bypass this filter with a value such as ....//. The filter removes the first ../ pattern it finds, and the characters left on either side of it join to form a new ../, resulting in a successful bypass.


Input:

....//....//logs/data.log

UserAgent

<?php echo system('env') ?>
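
The filter described in the solution next to a hardened path check, as an added example that is not the lab's own code. The function names, the temporary directory layout and the file contents are assumptions made for the demonstration.

```php
<?php
// Added example. Function names, directory layout and file contents are assumptions.

// The filter the solution describes: one removal pass, no re-check of the result.
function insecure_filter(string $page): string
{
    return str_replace('../', '', $page);
}

// Hardened: canonicalise the path, then require it to stay inside the base directory.
function resolve_page(string $baseDir, string $page): ?string
{
    $base = realpath($baseDir);
    $real = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $page);
    if ($real === false) {
        return null;                       // missing base dir or missing target
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed layout: <tmp>/app/pages holds pages, <tmp>/logs/data.log is the log.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/app/pages", 0700, true);
mkdir("$root/logs", 0700, true);
file_put_contents("$root/app/pages/home.php", 'home page');
file_put_contents("$root/logs/data.log", 'constructed log entry');

$pages = "$root/app/pages";
$input = '....//....//logs/data.log';      // input from the solution above

// Vulnerable flow: the filtered value still climbs out of the pages directory.
$filtered = insecure_filter($input);
echo "filtered value:     $filtered\n";
echo "escapes pages dir:  ";
var_dump(realpath("$pages/$filtered") === realpath("$root/logs/data.log"));

// Hardened flow: the traversal and the filtered bypass value are rejected;
// a file that really lives under the pages directory is accepted.
foreach (['home.php', '../../logs/data.log', $filtered] as $candidate) {
    $resolved = resolve_page($pages, $candidate);
    echo str_pad($candidate, 22), ' => ', $resolved ?? 'rejected', "\n";
}
```

The containment check only constrains where the file lives. Mapping the request parameter to a fixed allow-list of page names is stricter still, because it also keeps any writable file under the base directory out of reach of include.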